Comment 21 for bug 1563954

Robert Clark (robert-clark) wrote : Re: [Bug 1563954] Re: use_forwarded_for exposes metadata

Agree this should be an OSSN.

It's been repeated plenty of times in the community that the metadata
service shouldn't be used for sensitive data but I've also seen multiple
examples of production services doing this.

I share Travis' concern that this could be a major issue for some users. It
would be useful to know if there's a way an operator can assess whether
sensitive data is stored in the metadata service (I've seen SSH keys, LDAP
credentials, etc. before).

This seems like a good candidate for an embargoed release.

-Rob

On Wed, Aug 17, 2016 at 3:31 PM, Travis McPeak <email address hidden> wrote:

> ** Changed in: ossn
> Assignee: (unassigned) => Travis McPeak (travis-mcpeak)
>
> --
> You received this bug notification because you are a member of OSSG
> CoreSec, which is subscribed to the bug report.
> https://bugs.launchpad.net/bugs/1563954
>
> Title:
> use_forwarded_for exposes metadata
>
> Status in OpenStack Compute (nova):
> Confirmed
> Status in OpenStack Security Advisory:
> Opinion
> Status in OpenStack Security Notes:
> New
>
> Bug description:
> This issue is being treated as a potential security risk under
> embargo. Please do not make any public mention of embargoed (private)
> security vulnerabilities before their coordinated publication by the
> OpenStack Vulnerability Management Team in the form of an official
> OpenStack Security Advisory. This includes discussion of the bug or
> associated fixes in public forums such as mailing lists, code review
> systems and bug trackers. Please also avoid private disclosure to
> other individuals not already approved for access to this information,
> and provide this same reminder to those who are made aware of the
> issue prior to publication. All discussion should remain confined to
> this private bug report, and any proposed fixes should be added to the
> bug as attachments.
>
> --
>
> The nova metadata service uses the remote address to determine which
> metadata to retrieve. In order to work behind a proxy there is an
> option use_forwarded_for which will use the X-Forwarded-For header to
> determine the remote IP.
>
> If this option is set then anyone who can access the metadata port can
> request metadata for any instance if they know the IP.
>
> The user data is also exposed.
>
> $ echo 123456 > /tmp/data
> $ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
> <wait>
> $ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
> 123456
>
> At a minimum this side-effect isn't documented anywhere I could find.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/nova/+bug/1563954/+subscriptions
>
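The mechanism the bug description outlines (the metadata service selecting an instance by "remote address", and use_forwarded_for making that address come from a client-controlled header) modelled in a few lines, as an added example. This is not nova's code and not code from the bug report: the instance table, the 192.168.1.50 attacker address, the 10.0.0.1/32 proxy and the second instance are constructed for illustration, and the hardened variant (only honour X-Forwarded-For when the TCP peer is a configured proxy, and then take the address that proxy appended) is a standard reverse-proxy pattern presented as an assumption, not as how nova fixed the issue.

```python
# Added example, not nova's implementation: how the "remote address" that
# selects an instance's metadata is derived, with the blind X-Forwarded-For
# trust the bug describes beside a hardened variant.
from ipaddress import ip_address, ip_network

# Constructed sample data (hypothetical instances): fixed IP -> user-data.
USER_DATA = {
    "10.0.0.7": "123456",
    "10.0.0.9": "ldap_bind_pw=hunter2",
}


def remote_addr_forwarded_for(peer_ip, headers):
    """use_forwarded_for behaviour as described in the bug: trust the header
    blindly, regardless of who the TCP peer actually is."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        # Leftmost entry is whatever the client chose to send.
        return xff.split(",")[0].strip()
    return peer_ip


def remote_addr_trusted_proxy(peer_ip, headers, trusted_proxies):
    """Hardened variant (assumption, not nova's code): only honour the header
    when the TCP peer is one of the operator's proxies, and then use the
    rightmost entry, i.e. the address that trusted proxy appended for the
    connection it actually received. Assumes a single proxy hop."""
    addr = ip_address(peer_ip)
    if not any(addr in ip_network(net) for net in trusted_proxies):
        return peer_ip  # direct client: header is untrusted input, ignore it
    xff = headers.get("X-Forwarded-For")
    if not xff:
        return peer_ip
    return xff.split(",")[-1].strip()


def lookup_user_data(remote_ip):
    """What /latest/user-data/ would return for the derived address (None ~ 404)."""
    return USER_DATA.get(remote_ip)


def demo():
    proxies = ["10.0.0.1/32"]  # hypothetical metadata proxy
    # Attacker at 192.168.1.50 reaches port 8775 directly and spoofs the
    # header, as the curl line in the bug report does.
    spoof = {"X-Forwarded-For": "10.0.0.7"}
    leaked = lookup_user_data(remote_addr_forwarded_for("192.168.1.50", spoof))
    # Same request against the hardened derivation: peer is not a proxy,
    # so the header is ignored and the attacker's own address misses.
    blocked = lookup_user_data(
        remote_addr_trusted_proxy("192.168.1.50", spoof, proxies))
    # Legitimate path: instance 10.0.0.7 tried to spoof 10.0.0.9, the proxy
    # at 10.0.0.1 appended the real source last, so 10.0.0.7 is selected.
    via_proxy = {"X-Forwarded-For": "10.0.0.9, 10.0.0.7"}
    legit = lookup_user_data(
        remote_addr_trusted_proxy("10.0.0.1", via_proxy, proxies))
    return leaked, blocked, legit


if __name__ == "__main__":
    print(demo())
```

The point for operators reading the thread: with use_forwarded_for set and the metadata port reachable by anything that is not the proxy, the first function is what decides whose user-data comes back, and the only input it checks is one the requester wrote.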