[OSSA 2013-033] Metadata queries from Neutron to Nova are not restricted by tenant (CVE-2013-6419)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Compute (nova) | Fix Released | High | Aaron Rosen | |
| Grizzly | Fix Released | High | Aaron Rosen | |
| Havana | Fix Released | High | Aaron Rosen | |
| OpenStack Security Advisory | Fix Released | High | Jeremy Stanley | |
| neutron | Fix Released | Critical | Aaron Rosen | |
| Grizzly | Fix Released | Critical | Aaron Rosen | |
| Havana | Fix Released | Critical | Aaron Rosen | |
Bug Description
The neutron metadata service works in the following way:
Instance makes a GET request to http://
This is directed to the metadata-agent, which knows which router (namespace) it is running on and determines the ip_address from the HTTP request it receives.
Now, the neutron-
The vulnerability is that if someone exposes their instance_id, their metadata can be retrieved. In order to exploit this, one would need to update the device_id on a port to match the instance_id they want to hijack the data from.
To demonstrate:
```text
arosen@
+------
| ID | Name | Status | Task State | Power State | Networks |
+------
| 1eb33bf1-
| eed973e2-
+------
arosen@
+------
| id | name | mac_address | fixed_ips |
+------
| 3128f195-
| 62465157-
| 8473fb8d-
| 92c42c1a-
+------
arosen@
+------
| Field | Value |
+------
| admin_state_up | True |
| allowed_
| device_id | 1eb33bf1-
| device_owner | compute:None |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "d5cbaa98-
| id | 62465157-
| mac_address | fa:16:3e:94:62:47 |
| name | |
| network_id | 5f68c45d-
| security_groups | 3e29d8e7-
| status | ACTIVE |
| tenant_id | 0f9d696fc73d411
+------
arosen@
+------
| Field | Value |
+------
| admin_state_up | True |
| allowed_
| device_id | eed973e2-
| device_owner | compute:None |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "d5cbaa98-
| id | 92c42c1a-
| mac_address | fa:16:3e:de:9a:39 |
| name | |
| network_id | 5f68c45d-
| security_groups | 3e29d8e7-
| status | ACTIVE |
| tenant_id | 0f9d696fc73d411
+------
```
From vm2 (eed973e2-
```text
$ curl http://
vm2.novalocal
```
```text
arosen@
```
From vm2 (eed973e2-
```text
$ curl http://
vm1.novalocal
```
In order to fix this issue I believe we need to also pass the tenant-id in the metadata request to nova. When nova receives the request it will now have to query its database using the instance_id and check that the tenant_ids match. Using the tenant_id solves this issue as the user is not allowed to specify or update this field.
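To make the proposed check concrete, the following is an added simulation of the lookup on both sides (not code from nova or neutron). The INSTANCES and PORTS tables, the IP addresses and the function names are constructed for illustration; the X-Instance-ID and X-Tenant-ID headers are the ones the neutron metadata proxy forwards to nova after the fix.

```python
"""Simulation of the neutron -> nova metadata lookup, before and after the
tenant check described in this bug. All records below are constructed."""

# Constructed nova "database": instance_id -> (tenant_id, hostname)
INSTANCES = {
    "inst-vm1": ("tenant-a", "vm1.novalocal"),
    "inst-vm2": ("tenant-a", "vm2.novalocal"),
    "inst-vm3": ("tenant-b", "vm3.novalocal"),
}

# Constructed neutron "database": fixed IP -> port. tenant_id is set by
# neutron and not user-editable; device_id is writable by the port's owner.
PORTS = {
    "10.0.0.3": {"tenant_id": "tenant-b", "device_id": "inst-vm3"},
    # Port whose device_id has been changed to another tenant's instance_id
    "10.0.0.4": {"tenant_id": "tenant-b", "device_id": "inst-vm1"},
}


def neutron_proxy_headers(source_ip):
    """Metadata agent: resolve the requester's IP to its port and build the
    headers forwarded to nova. Only the port's own tenant_id is sent."""
    port = PORTS.get(source_ip)
    if port is None:
        return None  # unknown source: the agent refuses to proxy
    return {"X-Instance-ID": port["device_id"], "X-Tenant-ID": port["tenant_id"]}


def nova_hostname_vulnerable(headers):
    """Pre-fix nova behaviour: instance_id alone selects the record, so a
    port whose device_id names a foreign instance receives its metadata."""
    record = INSTANCES.get(headers["X-Instance-ID"])
    return record[1] if record else None


def nova_hostname_fixed(headers):
    """Post-fix nova behaviour: the tenant that owns the requesting port
    must also own the instance, otherwise nova answers as if not found."""
    record = INSTANCES.get(headers["X-Instance-ID"])
    if record is None or headers.get("X-Tenant-ID") != record[0]:
        return None
    return record[1]
```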
CVE References
| Changed in | Field | Change |
|---|---|---|
| neutron | status | New → Confirmed |
| nova | assignee | nobody → Aaron Rosen (arosen) |
| nova | status | New → Confirmed |
| nova | importance | Undecided → High |
| nova | tags | added: metadata |
| ossa | assignee | nobody → Jeremy Stanley (fungi) |
| ossa | status | Confirmed → In Progress |
| | summary | Metadata is unsecure → Metadata is unsecure (CVE-2013-6419) |
| ossa | status | In Progress → Fix Committed |
| neutron | assignee | Jeremy Stanley (fungi) → nobody |
| | summary | Metadata is unsecure (CVE-2013-6419) → [OSSA 2013-033] Metadata queries from Neutron to Nova are not restricted by tenant (CVE-2013-6419) |
| neutron | assignee | nobody → Aaron Rosen (arosen) |
| ossa | status | Fix Committed → Fix Released |
| nova | milestone | none → icehouse-2 |
| nova | status | Fix Committed → Fix Released |
| neutron | milestone | none → icehouse-2 |
| neutron | status | Fix Committed → Fix Released |
| nova | milestone | icehouse-2 → 2014.1 |
| neutron | milestone | icehouse-2 → 2014.1 |
FYI This affects: Grizzly and Havana.