[OSSA 2013-030] xenapi migrations don't apply security group filters (CVE-2013-4497)

Bug #1073306 reported by Chris Behrens on 2012-10-30
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | | High | John Garbutt |
Grizzly | | High | John Garbutt |
OpenStack Security Advisory | | High | Jeremy Stanley |

Bug Description

xenapi's finish_migration() is missing code to apply security group rules, etc. There's code in spawn() that it appears we also need to use in finish_migration().

(Somewhat related, see: https://bugs.launchpad.net/bugs/1073303)

Chris Behrens (cbehrens) on 2012-10-30
Changed in nova:
importance: Undecided → Medium
status: New → Triaged
tags: added: xenserver
Euan Harris (euanh) on 2013-06-24
Changed in nova:
assignee: nobody → Euan Harris (euanh)
Euan Harris (euanh) on 2013-07-15
Changed in nova:
status: Triaged → In Progress
John Garbutt (johngarbutt) wrote :

This seems to have got fixed by the work on:
https://bugs.launchpad.net/nova/+bug/1073303

Sorry for the clash, but would really appreciate you checking I have made the same changes.

Changed in nova:
assignee: Euan Harris (euanh) → John Garbutt (johngarbutt)
Euan Harris (euanh) wrote :

No problem.

This bug also affects live migration, and that's what I had been working on. Does your patch fix the problem for live migration too?

Thierry Carrez (ttx) wrote :

The bug tracking live migration is bug 1202266

information type: Public → Public Security
Thierry Carrez (ttx) wrote :

Shall be a common OSSA with 1202266

Changed in ossa:
importance: Undecided → High
status: New → Confirmed
Bob Ball (bob-ball) wrote :

John/Euan, can you confirm that https://review.openstack.org/#/c/38455/ will fix this once it is merged?

If so, we should merge the defects and update the flags to ensure that https://bugs.launchpad.net/nova/+bug/1073303 is high priority.

John Garbutt (johngarbutt) wrote :

https://review.openstack.org/#/c/38455/
As mentioned in the commit, will fix both this and:
https://bugs.launchpad.net/nova/+bug/1073303

They are quite different bugs, fixed by the same tidy up (sharing more code between spawn and finish_migrate).

It will not fix:
https://bugs.launchpad.net/nova/+bug/1202266

I didn't consider this high, because it is a side feature, but that is debatable I guess.

Jeremy Stanley (fungi) wrote :

In response to Thierry's comment #4, I'm unsure how we'll be able to issue a common OSSA if the proposed fix does not address bug 1202266. Should we hold the advisory until such time as fixes for both are ready, or do they need to diverge?

Thierry Carrez (ttx) wrote :

@Jeremy: given that this is public, if one is really ready before the other, then they probably need to diverge. Maybe we should mention the live-migration issue in the migration CVE so that people know the workaround (reapply security groups after live migration).

Changed in nova:
milestone: none → havana-rc1
John Garbutt (johngarbutt) wrote :

+1

I will try to get someone to look at the live-migrate issue in the XAPI meeting, if not in progress before that.

Changed in nova:
importance: Medium → High
Jeremy Stanley (fungi) on 2013-09-17
Changed in ossa:
assignee: nobody → Jeremy Stanley (fungi)
Jeremy Stanley (fungi) wrote :

The proposed fix for this vulnerability is last in a series of 6 relatively substantial changes for nova, none of which currently have any core reviews on them whatsoever. Are all these patches granted a freeze exception, or would it be possible to divorce this fix from some/all of the other changes in that series to expedite resolution so we can publish an advisory?

Reviewed: https://review.openstack.org/38455
Committed: http://github.com/openstack/nova/commit/ba0d007fb78bd1182c3c0b808dbd7ccc84640e80
Submitter: Jenkins
Branch: master

commit ba0d007fb78bd1182c3c0b808dbd7ccc84640e80
Author: John Garbutt <email address hidden>
Date: Wed Jul 24 13:15:03 2013 +0100

    xenapi: ensure finish_migration cleans on errors

    This change makes finish_migration share code with spawn.

    This fixes some inconsistencies, such as applying the security
    group filters during finish_migration.

    Fixes bug 1073303
    Fixes bug 1073306

    Change-Id: Ib4f2a96618692c141708535f9463c856f3395922

Changed in nova:
status: In Progress → Fix Committed

Great! Does this also affect Grizzly? Folsom? (Need backports for those if so.) Also if it affects Essex or earlier, that will influence the wording in the impact description somewhat as well.

Thierry Carrez (ttx) on 2013-10-03
Changed in nova:
status: Fix Committed → Fix Released
Jeremy Stanley (fungi) wrote :

Any information on which stable release branches are/were affected by this (if any)? We'll want bug tasks and backports for them as far back as folsom if possible.

Thierry Carrez (ttx) on 2013-10-17
Changed in nova:
milestone: havana-rc1 → 2013.2
John Garbutt (johngarbutt) wrote :

So, I think this has been an issue since essex, when security groups and migration were both present:
https://blueprints.launchpad.net/nova/+spec/xenapi-security-groups

It hasn't really been tested much since then mind :(

We will need a simpler fix to backport, but it's really just a cut and paste from the spawn code to the finish_migrate (which is the issue I fixed with my patch).

tags: added: folsom-backport-potential grizzly-backport-potential
John Garbutt (johngarbutt) wrote :

@ Jeremy Stanley (fungi) this also applies to resizes, so a resize would also drop the firewall rules.

John Garbutt (johngarbutt) wrote :

This is a pain to backport given the changes, gone for a possible minimal fix:

https://review.openstack.org/#/c/52991/

https://review.openstack.org/#/c/52992/

Jeremy Stanley (fungi) wrote :

Proposed impact description (covers this bug and bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: all releases

Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova. When migrating or resizing a virtual machine, security groups may not be applied after the operation completes. Only setups using the XenAPI backend are affected. This issue also affects live migrations, introduced in the Folsom (2012.2) release.

Changed in ossa:
status: Confirmed → Triaged
Thierry Carrez (ttx) wrote :

I would say "affects: Folsom, Grizzly" and specify that Havana is not affected.

also maybe "existing security groups may not be reapplied"

I would also add a sentence about impact (instances not as protected as one may think)

Jeremy Stanley (fungi) wrote :

Updated impact description (covers this bug and bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: Folsom, Grizzly

Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova. When migrating or resizing an instance, including live migration, existing security groups may not be reapplied after the operation completes. This can lead to unintentional network exposure for virtual machines. Only setups using the XenAPI backend are affected.

Thierry Carrez (ttx) wrote :

Impact desc looks good to me.

Reviewed: https://review.openstack.org/52991
Committed: http://github.com/openstack/nova/commit/01de658210fd65171bfbf5450c93673b5ce0bd9e
Submitter: Jenkins
Branch: stable/grizzly

commit 01de658210fd65171bfbf5450c93673b5ce0bd9e
Author: John Garbutt <email address hidden>
Date: Mon Oct 21 19:34:43 2013 +0100

    xenapi: apply firewall rules in finish_migrate

    When security groups were added, the rules were not re-applied to
    servers that have been migrated to a new hypervisor.

    This change ensures the firewall rules are applied as part of creating
    the new VM in finish_migrate. This code follows a very similar pattern
    to the code in spawn, and that is where the cut and paste code comes
    from. This code duplication was removed in Havana.

    Fixes bug 1073306

    Change-Id: I6295a782df328a759e358fb82b76dd3f7bd4b39e
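
Both commit messages above describe one defect: finish_migration created the VM along its own path and skipped the firewall step that spawn performs. The model below is an added illustration, not nova code and not part of the original report; every class, method and rule string in it is a hypothetical, constructed stand-in. It contrasts the drifted and shared-helper forms and audits each entry point for instances left running without a filter.

```python
# Simplified model of the bug class; not nova code. All names are hypothetical.

class RecordingFirewall:
    """Stand-in for a hypervisor firewall driver that records filtered instances."""

    def __init__(self):
        self.filtered = set()

    def apply_filter(self, instance, rules):
        if not rules:
            raise ValueError("no security group rules for %s" % instance)
        self.filtered.add(instance)


class DriftedDriver:
    """'Before': finish_migration() copies spawn()'s boot steps but not the filter."""

    def __init__(self, firewall):
        self.firewall = firewall
        self.running = set()

    def spawn(self, instance, rules):
        self.firewall.apply_filter(instance, rules)
        self.running.add(instance)

    def finish_migration(self, instance, rules):
        self.running.add(instance)  # modelled defect: VM starts with no filter


class SharedPathDriver(DriftedDriver):
    """'After': both entry points use one helper, so they cannot drift apart."""

    def _create_and_start(self, instance, rules):
        # Filter first: if this raises, the instance is never marked running.
        self.firewall.apply_filter(instance, rules)
        self.running.add(instance)

    def spawn(self, instance, rules):
        self._create_and_start(instance, rules)

    def finish_migration(self, instance, rules):
        self._create_and_start(instance, rules)


def audit(driver_cls, rules=("allow tcp/22 from 10.0.0.0/8",)):
    """Run each VM-creating entry point; return {operation: running-but-unfiltered}."""
    exposed = {}
    for operation in ("spawn", "finish_migration"):
        firewall = RecordingFirewall()
        driver = driver_cls(firewall)
        getattr(driver, operation)("vm-1", list(rules))
        exposed[operation] = driver.running - firewall.filtered
    return exposed
```

A parity check of this shape, run against every code path that can start an instance, catches the omission at test time rather than after a migrate or resize.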

Jeremy Stanley (fungi) on 2013-11-03
Changed in ossa:
status: Triaged → In Progress
Jeremy Stanley (fungi) on 2013-11-03
summary: - xenapi migrations don't apply security group filters
+ xenapi migrations don't apply security group filters (CVE-2013-4497)
Thierry Carrez (ttx) on 2013-11-13
no longer affects: nova/folsom

Finalized impact description being used in advisory (also covers bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: All supported versions prior to Havana

Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova's XenAPI hypervisor backend. When migrating or resizing an instance, including live migration, existing security groups may not be reapplied after the operation completes. This can lead to unintentional network exposure for virtual machines. Only setups using the XenAPI backend are affected.

Thierry Carrez (ttx) on 2013-11-14
Changed in ossa:
status: In Progress → Fix Committed
Thierry Carrez (ttx) wrote :

[OSSA 2013-030]

Changed in ossa:
status: Fix Committed → Fix Released
summary: - xenapi migrations don't apply security group filters (CVE-2013-4497)
+ [OSSA 2013-030] xenapi migrations don't apply security group filters
+ (CVE-2013-4497)
Alan Pevec (apevec) on 2014-03-20
tags: removed: folsom-backport-potential grizzly-backport-potential