[OSSA 2013-030] xenapi migrations don't apply security group filters (CVE-2013-4497)

Bug #1073306 reported by Chris Behrens
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | High | John Garbutt |
Grizzly | Fix Released | High | John Garbutt |
OpenStack Security Advisory | Fix Released | High | Jeremy Stanley |

Bug Description

xenapi's finish_migration() is missing code to apply security group rules, etc. There's code in spawn() that it appears we also need to use in finish_migration().

(Somewhat related, see: https://bugs.launchpad.net/bugs/1073303)

Tags: xenserver

Chris Behrens (cbehrens)
Changed in nova:
importance: Undecided → Medium
status: New → Triaged
tags: added: xenserver
Euan Harris (euanh)
Changed in nova:
assignee: nobody → Euan Harris (euanh)
Euan Harris (euanh)
Changed in nova:
status: Triaged → In Progress
John Garbutt (johngarbutt) wrote :

This seems to have got fixed by the work on:
https://bugs.launchpad.net/nova/+bug/1073303

Sorry for the clash, but would really appreciate you checking I have made the same changes.

Changed in nova:
assignee: Euan Harris (euanh) → John Garbutt (johngarbutt)
Euan Harris (euanh) wrote :

No problem.

This bug also affects live migration, and that's what I had been working on. Does your patch fix the problem for live migration too?

Thierry Carrez (ttx) wrote :

The bug tracking live migration is bug 1202266

information type: Public → Public Security
Thierry Carrez (ttx) wrote :

Shall be a common OSSA with 1202266

Changed in ossa:
importance: Undecided → High
status: New → Confirmed
Bob Ball (bob-ball) wrote :

John/Euan, can you confirm that https://review.openstack.org/#/c/38455/ will fix this once it is merged?

If so, we should merge the defects and update the flags to ensure that https://bugs.launchpad.net/nova/+bug/1073303 is high priority.

John Garbutt (johngarbutt) wrote :

https://review.openstack.org/#/c/38455/
As mentioned in the commit, will fix both this and:
https://bugs.launchpad.net/nova/+bug/1073303

They are quite different bugs, fixed by the same tidy up (sharing more code between spawn and finish_migrate).

It will not fix:
https://bugs.launchpad.net/nova/+bug/1202266

I didn't consider this high, because it is a side feature, but that is debatable I guess.

Jeremy Stanley (fungi) wrote :

In response to Thierry's comment #4, I'm unsure how we'll be able to issue a common OSSA if the proposed fix does not address bug 1202266. Should we hold the advisory until such time as fixes for both are ready, or do they need to diverge?

Thierry Carrez (ttx) wrote :

@Jeremy: given that this is public, if one is really ready before the other, then they probably need to diverge. Maybe we should mention the live-migration issue in the migration CVE so that people know the workaround (reapply security groups after live migration).

Changed in nova:
milestone: none → havana-rc1
John Garbutt (johngarbutt) wrote :

+1

I will try to get someone to look at the live-migrate issue in the XAPI meeting, if not in progress before that.

Changed in nova:
importance: Medium → High
Jeremy Stanley (fungi)
Changed in ossa:
assignee: nobody → Jeremy Stanley (fungi)
Jeremy Stanley (fungi) wrote :

The proposed fix for this vulnerability is last in a series of 6 relatively substantial changes for nova, none of which currently have any core reviews on them whatsoever. Are all these patches granted a freeze exception, or would it be possible to divorce this fix from some/all of the other changes in that series to expedite resolution so we can publish an advisory?

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/38455
Committed: http://github.com/openstack/nova/commit/ba0d007fb78bd1182c3c0b808dbd7ccc84640e80
Submitter: Jenkins
Branch: master

commit ba0d007fb78bd1182c3c0b808dbd7ccc84640e80
Author: John Garbutt <email address hidden>
Date: Wed Jul 24 13:15:03 2013 +0100

    xenapi: ensure finish_migration cleans on errors

    This change makes finish_migration share code with spawn.

    This fixes some inconsistencies, such as applying the security
    group filters during finish_migration.

    Fixes bug 1073303
    Fixes bug 1073306

    Change-Id: Ib4f2a96618692c141708535f9463c856f3395922

Changed in nova:
status: In Progress → Fix Committed
Jeremy Stanley (fungi) wrote : Re: xenapi migrations don't apply security group filters

Great! Does this also affect Grizzly? Folsom? (Need backports for those if so.) Also if it affects Essex or earlier, that will influence the wording in the impact description somewhat as well.

Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Jeremy Stanley (fungi) wrote :

Any information on which stable release branches are/were affected by this (if any)? We'll want bug tasks and backports for them as far back as folsom if possible.

Thierry Carrez (ttx)
Changed in nova:
milestone: havana-rc1 → 2013.2
John Garbutt (johngarbutt) wrote :

So, I think this has been an issue since essex, when security groups and migration were both present:
https://blueprints.launchpad.net/nova/+spec/xenapi-security-groups

It hasn't really been tested much since then mind :(

We will need a simpler fix to backport, but it's really just a cut and paste from the spawn code to the finish_migrate (which is the issue I fixed with my patch).

tags: added: folsom-backport-potential grizzly-backport-potential
John Garbutt (johngarbutt) wrote :

@ Jeremy Stanley (fungi) this also applies to resizes, so a resize would also drop the firewall rules.

John Garbutt (johngarbutt) wrote :

This is a pain to backport given the changes, gone for a possible minimal fix:

https://review.openstack.org/#/c/52991/

https://review.openstack.org/#/c/52992/

Jeremy Stanley (fungi) wrote :

Proposed impact description (covers this bug and bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: all releases

Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova. When migrating or resizing a virtual machine, security groups may not be applied after the operation completes. Only setups using the XenAPI backend are affected. This issue also affects live migrations, introduced in the Folsom (2012.2) release.

Changed in ossa:
status: Confirmed → Triaged
Thierry Carrez (ttx) wrote :

I would say "affects: Folsom, Grizzly" and specify that Havana is not affected.

also maybe "existing security groups may not be reapplied"

I would also add a sentence about impact (instances not as protected as one may think)

Jeremy Stanley (fungi) wrote :

Updated impact description (covers this bug and bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: Folsom, Grizzly

Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova. When migrating or resizing an instance, including live migration, existing security groups may not be reapplied after the operation completes. This can lead to unintentional network exposure for virtual machines. Only setups using the XenAPI backend are affected.

Thierry Carrez (ttx) wrote :

Impact desc looks good to me.

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/grizzly)

Reviewed: https://review.openstack.org/52991
Committed: http://github.com/openstack/nova/commit/01de658210fd65171bfbf5450c93673b5ce0bd9e
Submitter: Jenkins
Branch: stable/grizzly

commit 01de658210fd65171bfbf5450c93673b5ce0bd9e
Author: John Garbutt <email address hidden>
Date: Mon Oct 21 19:34:43 2013 +0100

    xenapi: apply firewall rules in finish_migrate

    When security groups were added, the rules were not re-applied to
    servers that have been migrated to a new hypervisor.

    This change ensures the firewall rules are applied as part of creating
    the new VM in finish_migrate. This code follows a very similar pattern
    to the code in spawn, and that is where the cut and paste code comes
    from. This code duplication was removed in Havana.

    Fixes bug 1073306

    Change-Id: I6295a782df328a759e358fb82b76dd3f7bd4b39e

Jeremy Stanley (fungi)
Changed in ossa:
status: Triaged → In Progress
Jeremy Stanley (fungi)
summary: - xenapi migrations don't apply security group filters
+ xenapi migrations don't apply security group filters (CVE-2013-4497)
Thierry Carrez (ttx)
no longer affects: nova/folsom
Jeremy Stanley (fungi) wrote : Re: xenapi migrations don't apply security group filters (CVE-2013-4497)

Finalized impact description being used in advisory (also covers bug 1202266):
----
Title: XenAPI security groups not kept through migrate or resize
Reporter: Chris Behrens (Rackspace) and Vangelis Tasoulas
Products: Nova
Affects: All supported versions prior to Havana

Description:
Chris Behrens with Rackspace and Vangelis Tasoulas reported a set of vulnerabilities in OpenStack Nova's XenAPI hypervisor backend. When migrating or resizing an instance, including live migration, existing security groups may not be reapplied after the operation completes. This can lead to unintentional network exposure for virtual machines. Only setups using the XenAPI backend are affected.

Thierry Carrez (ttx)
Changed in ossa:
status: In Progress → Fix Committed
Thierry Carrez (ttx) wrote :

[OSSA 2013-030]

Changed in ossa:
status: Fix Committed → Fix Released
summary: - xenapi migrations don't apply security group filters (CVE-2013-4497)
+ [OSSA 2013-030] xenapi migrations don't apply security group filters
+ (CVE-2013-4497)
Alan Pevec (apevec)
tags: removed: folsom-backport-potential grizzly-backport-potential
This report contains Public Security information  
Everyone can see this security related information.
