OpenStack Compute (nova)

Insecurely generated session ID in vpn_ping()

Bug #1420457 reported by Travis McPeak on 2015-02-10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Compute (nova)	Fix Released	Low	Tony Breeds	OpenStack Compute (nova) 2015.1.0 "kilo"
	OpenStack Security Advisory	Won't Fix	Undecided	Unassigned

Bug Description

On this line: https://github.com/openstack/nova/blob/master/nova/utils.py#L163 the Python random.randint() function is being used to generate a 64 bit session ID, which according to the function is used in VPN negotiation.

Session IDs which are not generated using a cryptographically suitable random number generation function maybe be vulnerable to session hijacking attacks if an adversary can predict the session ID.

I'm not familiar enough with the code to be able to assess the impact of this vulnerability, but if it really is unimportant to have non-predictable session IDs, we should explicitly call it out via a comment in the code. If this session ID should be cryptographically unpredictable, it should be a simple fix.

See original description

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-02-10:

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status:	New → Incomplete
description:	updated

Revision history for this message

Thierry Carrez (ttx) wrote on 2015-02-12:

Looks like one for Vish, yay Nov 2010 code.

Revision history for this message

Andrew Laski (alaski) wrote on 2015-02-12:

I can't speak to what the session id is used for exactly, though it seems to be that it's just an identifier to verify the response matches the request. But this code is only used to verify if a VPN connection is listening, there is no session exposed from this. In other words this code is used for a boolean response and therefore exposes no security vulnerability that I can see. I do agree that the code could be rewritten a bit to document why the random session is fine, and actually return a boolean rather than a session, but as it's used now I see nothing that warrants keeping this bug as private.

Revision history for this message

Vish Ishaya (vishvananda) wrote on 2015-02-13:

So vpn_ping is used exlusively to tell if a vpn server is actually listening. The sessionid it picks is not sensitive. It is just using the sessionid to make sure that the packet it receives back is a response to the packet it sends so that it can measure latency and tell that the server is up. I don't think there is any need to fix this. In other words Alaski is correct above :)

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2015-02-16:

Thanks, I've marked the OSSA task as won't fix according to Alaski and Vish comments.

Changed in ossa:
status:	Incomplete → Won't Fix
information type:	Private Security → Public

Davanum Srinivas (DIMS) (dims-v) on 2015-02-17

Changed in nova:
status:	New → Confirmed
importance:	Undecided → Low

Tony Breeds (o-tony) on 2015-02-18

Changed in nova:
assignee:	nobody → Tony Breeds (o-tony)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-19: Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.openstack.org/157247

Changed in nova:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-23: Fix merged to nova (master)

Reviewed: https://review.openstack.org/157247
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=61e1686b2659ac10e1c17e1a8ae46550445365e4
Submitter: Jenkins
Branch: master

commit 61e1686b2659ac10e1c17e1a8ae46550445365e4
Author: Tony Breeds <email address hidden>
Date: Wed Feb 18 09:34:57 2015 +1100

Change utils.vpn_ping() to return a Boolean

    vpn_ping() is used exlusively to tell if a vpn server is actually
    listening. The session_id it picks is not sensitive. It is just using
    the session_id to make sure that the packet it receives back is a
    response to the packet it sends so that it can measure latency and
    tell that the server is up.

Also the tests in test_cloudpipe.py are already treating the return
value as Boolean. Lets make it explicit.

Change-Id: I2a1d98b5fb3c9c02a4161c6df2473e091442d01d
Closes-Bug: #1420457

Changed in nova:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2015-03-20

Changed in nova:
milestone:	none → kilo-3
status:	Fix Committed → Fix Released

Jeremy Stanley (fungi) on 2015-04-14

description:

updated

Thierry Carrez (ttx) on 2015-04-30

Changed in nova:
milestone:	kilo-3 → 2015.1.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.