[OSSA-2013-006] VNC proxy can be made to connect to wrong VM

Bug #1125378 reported by Loganathan Parthipan
This bug affects 6 people
Affects                      Status        Importance  Assigned to     Milestone
OpenStack Compute (nova)     Fix Released  High        John Herndon
Folsom (nova series)         Fix Released  High        John Herndon
OpenStack Security Advisory  Fix Released  Undecided   Russell Bryant

Bug Description

Suppose a user requests a VNC token and then deletes the VM right away. As I understand it, the token is still valid, not having yet exceeded the TTL. During this time, if a new VM is spawned on the host and kvm reuses the port to bind the vncserver, it is possible for the user to use the old token to get access to this new VM, which could be owned by someone else.

I have seen this happening in Essex code and was wondering if this is still the case. The possible solutions are to flush the tokens on VM delete, hard reboot, etc., or to have a password-protected VNC session.
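To make the token lifecycle in the report concrete, the following is a constructed Python model of a console-auth token cache, added here for illustration (it is not nova's code). The class name, field names, TTL value and the `flush_on_delete` / `validate_on_use` switches are assumptions; the two switches correspond to the two halves of the eventual fix, flushing an instance's tokens on delete and validating a token against its instance's current host:port when it is used.

```python
import uuid

TTL = 600  # seconds; constructed value, nova's console token TTL is configurable


class ConsoleAuth:
    """Constructed model of a console-auth token cache (not nova's own code)."""

    def __init__(self, flush_on_delete, validate_on_use):
        self.flush_on_delete = flush_on_delete  # fix part 1: drop tokens on delete
        self.validate_on_use = validate_on_use  # fix part 2: re-check token on connect
        self.tokens = {}    # token -> dict(instance, host, port, expires)
        self.consoles = {}  # instance -> (host, port) the virt driver currently serves

    def spawn(self, instance, host, port):
        self.consoles[instance] = (host, port)

    def delete(self, instance):
        del self.consoles[instance]
        if self.flush_on_delete:
            stale = [t for t, v in self.tokens.items() if v["instance"] == instance]
            for t in stale:
                del self.tokens[t]

    def authorize_console(self, instance, now):
        host, port = self.consoles[instance]
        token = str(uuid.uuid4())
        self.tokens[token] = {"instance": instance, "host": host,
                              "port": port, "expires": now + TTL}
        return token

    def check_token(self, token, now):
        """Return the (host, port) the proxy would connect to, or None if rejected."""
        v = self.tokens.get(token)
        if v is None or now > v["expires"]:
            return None
        if self.validate_on_use and self.consoles.get(v["instance"]) != (v["host"], v["port"]):
            return None  # the token's instance no longer lives at that host:port
        return (v["host"], v["port"])


def port_reuse_scenario(flush_on_delete, validate_on_use):
    """Replay the report: token for server1, delete it, server2 lands on the same port.

    Returns the name of the instance the old token would reach, or None if refused.
    """
    auth = ConsoleAuth(flush_on_delete, validate_on_use)
    auth.spawn("server1", "compute1", 5900)
    token = auth.authorize_console("server1", now=0)
    auth.delete("server1")
    auth.spawn("server2", "compute1", 5900)   # libvirt reuses the freed port
    target = auth.check_token(token, now=10)  # still well inside the TTL
    return next((i for i, hp in auth.consoles.items() if hp == target), None)
```

With both switches off the stale token resolves to server2; either half of the fix alone is enough to refuse it in this scenario, while the validation step also covers the port-scramble-after-restart case the commit message mentions.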

information type: Private Security → Public
Changed in nova:
assignee: nobody → John Herndon (john-herndon)
Revision history for this message
John Herndon (john-herndon) wrote :

This is easily reproducible in devstack with the latest code. I have devstack configured to use only one compute node, so the instance always lands in the same place. It appears libvirt reuses the same port, which is what causes the problem.

Steps to repro:
1) nova boot server1 --image <xxx> --flavor <yyy>...
2) nova get-vnc-console server1 novnc - keep the URL
3) nova delete server1
4) nova boot server1 --image <xxx> --flavor <yyy>...
5) Connect to the vnc console from step 2. This is the console for server2, not server1

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/22086

Changed in nova:
status: New → In Progress
Loganathan Parthipan (parthipan) wrote : Re: VNC proxy can be made to connect to wrong VM

Step 4 of 'Steps to reproduce' should be 'nova boot server2 ..', ideally run as a different user; the new VM will still be reachable by the first user with the URL from step 2.

Thierry Carrez (ttx)
Changed in nova:
importance: Undecided → High
Changed in nova:
milestone: none → grizzly-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/22086
Committed: http://github.com/openstack/nova/commit/3b0f4cf6bea33e6ee1893f6e872d968b0c309f88
Submitter: Jenkins
Branch: master

commit 3b0f4cf6bea33e6ee1893f6e872d968b0c309f88
Author: John Herndon <email address hidden>
Date: Tue Feb 19 22:53:49 2013 +0000

    Flush tokens on instance delete

    Force console auth service to flush all tokens
    associated with an instance when it is deleted.
    This will fix bug 1125378, where the console for
    the wrong instance can be connected to via the
    console if the correct circumstances occur. This
    change also adds a call to validate the token
    when it is used. This check will ensure that all
    tokens are valid for their target instances.
    Tokens can become scrambled when a compute node is
    restarted, because the virt driver may not
    assign ports in the same way.

    Change-Id: I0d83ec6c4dbfef1af912a200ee15f8052f72da96
    fixes: bug 1125378

Changed in nova:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (milestone-proposed)

Fix proposed to branch: milestone-proposed
Review: https://review.openstack.org/22616

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (milestone-proposed)

Reviewed: https://review.openstack.org/22616
Committed: http://github.com/openstack/nova/commit/ad94a90202193335f011888db017e557b07faf8a
Submitter: Jenkins
Branch: milestone-proposed

commit ad94a90202193335f011888db017e557b07faf8a
Author: John Herndon <email address hidden>
Date: Tue Feb 19 22:53:49 2013 +0000

    Flush tokens on instance delete

    Force console auth service to flush all tokens
    associated with an instance when it is deleted.
    This will fix bug 1125378, where the console for
    the wrong instance can be connected to via the
    console if the correct circumstances occur. This
    change also adds a call to validate the token
    when it is used. This check will ensure that all
    tokens are valid for their target instances.
    Tokens can become scrambled when a compute node is
    restarted, because the virt driver may not
    assign ports in the same way.

    Change-Id: I0d83ec6c4dbfef1af912a200ee15f8052f72da96
    fixes: bug 1125378
    (cherry picked from commit 3b0f4cf6bea33e6ee1893f6e872d968b0c309f88)

Changed in nova:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
information type: Public → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/folsom)

Fix proposed to branch: stable/folsom
Review: https://review.openstack.org/22758

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/essex)

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/22835

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/22840

OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/22872

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/essex)

Reviewed: https://review.openstack.org/22872
Committed: http://github.com/openstack/nova/commit/e98928cf77645fdc309da894f3bd332e99482e0d
Submitter: Jenkins
Branch: stable/essex

commit e98928cf77645fdc309da894f3bd332e99482e0d
Author: Loganathan Parthipan <email address hidden>
Date: Sat Feb 23 05:42:10 2013 +0000

    Flush tokens on instance delete

    Force console auth service to flush all tokens
    associated with an instance when it is deleted.
    This will fix bug 1125378, where the console for
    the wrong instance can be connected to via the
    console if the correct circumstances occur. This
    change also adds a call to validate the token
    when it is used. This check will ensure that all
    tokens are valid for their target instances.
    Tokens can become scrambled when a compute node is
    restarted, because the virt driver may not
    assign ports in the same way.

    Change-Id: I0d83ec6c4dbfef1af912a200ee15f8052f72da96
    Fixes: bug #1125378

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/folsom)

Reviewed: https://review.openstack.org/22758
Committed: http://github.com/openstack/nova/commit/05a3374992bc8ba53ddc9c491b51c4b59eed0a72
Submitter: Jenkins
Branch: stable/folsom

commit 05a3374992bc8ba53ddc9c491b51c4b59eed0a72
Author: John Herndon <email address hidden>
Date: Fri Feb 22 20:43:58 2013 +0000

    VNC Token Validation

    Force console auth service to flush all tokens
    associated with an instance when it is deleted.
    This will fix a bug where the console for the
    wrong instance can be connected to via the console
    if the correct circumstances occur. This change also
    makes a call to verify vnc console tokens when a
    user attempts to connect to a console. This ensures
    the user is connecting to the correct console.

    bug 1125378
    Change-Id: I0d83ec6c4dbfef1af912a200ee15f8052f72da96

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/essex)

Fix proposed to branch: stable/essex
Review: https://review.openstack.org/23768

OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/essex)

Reviewed: https://review.openstack.org/23768
Committed: http://github.com/openstack/nova/commit/48e81f1554ce41c3d4f7445421d19f4a8128e98d
Submitter: Jenkins
Branch: stable/essex

commit 48e81f1554ce41c3d4f7445421d19f4a8128e98d
Author: Rafi Khardalian <email address hidden>
Date: Thu Mar 7 00:19:08 2013 +0000

    Fixed broken vncproxy flush tokens patch

    Bug 1125378 (continued)

    This review (https://review.openstack.org/22872) attempted to
    resolve a critical security issue but ended up completely breaking
    the vncproxy. The wrong dict keys were being used for Essex and the
    API calls were incomplete. This patch makes the proxy work again.

    Change-Id: I093d522abd5be20d2792c83792437b1ef580d4c6

Thierry Carrez (ttx)
Changed in nova:
milestone: grizzly-3 → 2013.1
Thierry Carrez (ttx)
summary: - VNC proxy can be made to connect to wrong VM
+ [OSSA-2013-006] VNC proxy can be made to connect to wrong VM
Changed in ossa:
assignee: nobody → Russell Bryant (russellb)
status: New → Fix Released
Sean Dague (sdague)
no longer affects: nova/essex