OpenStack Compute (nova)

normal user can show all the networks

Bug #1186867 reported by David Geng
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
High
David Geng
OpenStack Compute (nova) 2013.2 "havana"
Grizzly
Fix Released
High
David Geng
OpenStack Compute (nova) 2013.1.4
OpenStack Security Advisory
Won't Fix
Undecided
Unassigned

Bug Description

As an normal user in project I can show all the networks even the network is not belong to the project.

Expectation: An normal user can only see the networks which belongs to the user's project.

Tags: api db network
David Geng (genggjh)
Changed in nova:
assignee: nobody → David Geng (genggjh)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/31481

Changed in nova:
status: New → In Progress
Revision history for this message
Russell Bryant (russellb) wrote :

Added vulnerability management team to take a look to see if this is something we should be treating as a vulnerability. It looks like as a regular user, you when you list networks using the os-tenant-networks API extension, you get the networks for all tenants.

tags: added: api db network
information type: Public → Public Security
Revision history for this message
Thierry Carrez (ttx) wrote :

This could decently be seen as an information leak.

Changed in ossa:
status: New → Incomplete
Revision history for this message
David Geng (genggjh) wrote :
Download full text (4.6 KiB)

Here is our detail test scenario:
Scenario:

Step 1.
        - create 3 new projects
        - public-project
        - my-project1
        - my-project2
    - create 3 users belong to my-project1
        - test1-admin with admin role
        - test1-member with member role
        - test1-catalogeditor with catalogeditor role
    - add them to public-project
    - create 3 users belong to my-project2
        - test2-admin with admin role
        - test2-member with member role
        - test2-catalogeditor with catalogeditor role
    - add them to public-project
    - add all other users to public-project as well

    NOTE for all the users into this environment the password is always passw0rd.

Step 2.Modify network settings

    one network is associated with public-project
    another network is associated with my-project1

[root@fbox-env6-b7 ˜]# keystone tenant-list
+----------------------------------+----------------+---------+
| id | name | enabled |
 +----------------------------------+----------------+---------+
| 31eaf85660ca49c181cbe4e18be05f25 | my-project1 | True |
| 4825fd88da044c628207a5563c2e6fef | public-project | True |
| 5b4085ec4e2e49d7a9e6ae012111f6f0 | service | true |
| 66b1ae90d1624969af9753994e3d3da9 | admin | true |
| aa45e77fa2a34b2395f3f6593b9d53ce | my-project2 | True |
 +----------------------------------+----------------+---------+

nova-manage network modify --project=4825fd88da044c628207a5563c2e6fef --fixed_range=172.16.86.0/24

nova-manage network modify --project=31eaf85660ca49c181cbe4e18be05f25 --fixed_range=172.16.85.0/24

so i'll have the same result:

[root@fbox-env6-b7 ˜]# nova-manage network list
id IPv4 IPv6 start address DNS1 DNS2 VlanID project uuid
1 172.16.79.0/24 None 172.16.79.56 172.16.79.50 172.16.79.50 4090 None 6d72af56-5398-453c-91ff-2ce60d622519
2 172.16.85.0/24 None 172.16.85.3 172.16.79.50 172.16.79.50 3215 31eaf85660ca49c181cbe4e18be05f25 bf9ec47a-21ce-45e3-9d3f-3e33cf43695c
3 172.16.86.0/24 None 172.16.86.3 172.16.79.50 172.16.79.50 3216 4825fd88da044c628207a5563c2e6fef 31fe2434-a341-4461-931d-237f62d17d1e

Step 3.

done the following command:

[root@fbox-env6-b7 ˜]# nova --os-tenant-name public-project --os-username test2-member --os-password passw0rd network-list
+--------------------------------------+-----------+----------------+
| ID | Label | Cidr |
 +--------------------------------------+-----------+----------------+
| 31fe2434-a341-4461-931d-237f62d17d1e | vlan-3216 | 172.16.86.0/24 |
| 6d72af56-5398-453c-91ff-2ce60d622519 | public | 172.16.79.0/24 |
| bf9ec47a-21ce-45e3-9d3f-3e33cf43695c | vlan-3215 | 172.16.85.0/24 |
 +--------------------------------------+-----------+----------------+

It is an error....the expected result should be that only the vlan 3216 associated to the public...

Read more...

Revision history for this message
Jeremy Stanley (fungi) wrote :

Can Nova developers comment specifically in here on what the actual intent is with network restrictions, whether it's just meant to limit access to particular networks or if it's really designed to hide all information on the unavailable topology and failing at that task? If the former, this seems like maybe a need for clearer wording in the documentation to set appropriate expectations along with a hardening feature request. If the latter, then I agree this is an information leak vulnerability (but a low one, because relying on the secrecy of your network topology to protect you from an attacker is a serious case of security by obscurity in my opinion).

Revision history for this message
David Geng (genggjh) wrote :

IMO, at least if the end user can not use the networks which are not belong to his project to run VM, then he need not to see those networks which will mislead him.

Revision history for this message
David Ripton (dripton) wrote :

I marked it as High priority. The security team can overrule that if they want.

Changed in nova:
importance: Undecided → High
milestone: none → havana-2
Revision history for this message
Vish Ishaya (vishvananda) wrote :

I agree that you shouldn't see networks belonging to other projects. I don't think this is severe enough to be considered a vulnerability though.

Revision history for this message
Thierry Carrez (ttx) wrote :

It just affects nova-network, not Quantum^WNeutron, right ? If yes I would just pass on OSSA for this one.

Revision history for this message
David Geng (genggjh) wrote :

I have not gotten the chance to try this in Quantum, since our production is still basing on VlanManage.

Revision history for this message
Vish Ishaya (vishvananda) wrote :

AFAIK this will not affect Neutron, but adding aaron rosen to verify.

Revision history for this message
Aaron Rosen (arosen) wrote :

Nope this does not affect neutron as nova-manage network list does not query quantum for it's networks (also neutron's policy engine takes this into account that the tenant_id matches what's returned).

I'm wondering if this is the expected behavor since in nova-network you cannot have overlapping ips one would need to see a list of networks created before they could create a network for themselves?

Revision history for this message
David Geng (genggjh) wrote :

But the problem is they can not use the networks which are not under their project (it is blocked in nova code) even they can see.

Revision history for this message
Thierry Carrez (ttx) wrote :

OK, let's pass on security advisory for this one. Just scream if you disagree.

Changed in ossa:
status: Incomplete → Won't Fix
Thierry Carrez (ttx)
information type: Public Security → Public
Russell Bryant (russellb)
Changed in nova:
milestone: havana-2 → havana-3
Revision history for this message
David Geng (genggjh) wrote :

Please help to review my commit https://review.openstack.org/31481 and give me your comments. Thanks!

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/31481
Committed: http://github.com/openstack/nova/commit/2a7f08ae4abca51dc60a02deee06a108ad1c4dcc
Submitter: Jenkins
Branch: master

commit 2a7f08ae4abca51dc60a02deee06a108ad1c4dcc
Author: gengjh <email address hidden>
Date: Mon Jun 3 18:34:15 2013 +0800

    Filter network by project id

    Need filter the networks by project id when show the networks with
    normal user

    Fix bug 1186867

    Change-Id: I10b5880070a569614f54fa7dbcf08e548bcbc924

David Geng (genggjh)
tags: added: grizzly-backport-potential
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/grizzly)

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/44256

Revision history for this message
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: stable/grizzly
Review: https://review.openstack.org/45159

Thierry Carrez (ttx)
Changed in nova:
milestone: havana-3 → havana-rc1
Joe Gordon (jogo)
Changed in nova:
status: In Progress → Fix Committed
Alan Pevec (apevec)
tags: removed: grizzly-backport-potential
Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/grizzly)

Reviewed: https://review.openstack.org/45159
Committed: http://github.com/openstack/nova/commit/c5a59fd2f9ceac2ad618fa1db052a8e5b5576082
Submitter: Jenkins
Branch: stable/grizzly

commit c5a59fd2f9ceac2ad618fa1db052a8e5b5576082
Author: gengjh <email address hidden>
Date: Mon Jun 3 18:34:15 2013 +0800

    Filter network by project id

    Need filter the networks by project id when show the networks with
    normal user

    Fix bug 1186867

    Change-Id: I10b5880070a569614f54fa7dbcf08e548bcbc924
    (cherry picked from commit 2a7f08ae4abca51dc60a02deee06a108ad1c4dcc)

tags: added: in-stable-grizzly
Thierry Carrez (ttx)
Changed in nova:
milestone: havana-rc1 → 2013.2
Alan Pevec (apevec)
tags: removed: in-stable-grizzly
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.