I reviewed neutron-vpnaas version 2:8.0.0~rc1-0ubuntu1 as checked into
xenial. This shouldn't be considered a full security audit but rather a
quick gauge of maintainability.
I had to enable universe for this build:
builddeps:neutron-vpnaas : Depends: dh-systemd but it is not installable Depends: python-hacking but it is not going to be installed
- neutron-vpnaas knows how to configure network namespaces and several
ipsec daemons to provide VPNs as a servive to openstack
- Build-Depends: debhelper, dh-python, dh-systemd, openstack-pkg-tools,
python-all, python-pbr, python-setuptools, python-sphinx
- Build-Depends-Indep: alembic, python-coverage, python-fixtures,
python-hacking, python-jinja2, python-mock, python-netaddr,
python-neutron, python-neutron-lib, python-oslo.concurrency,
python-oslo.config, python-oslo.db, python-oslo.log,
python-oslo.messaging, python-oslo.serialization, python-oslo.service,
python-oslo.utils, python-oslosphinx, python-oslotest, python-requests,
python-requests-mock, python-six, python-sqlalchemy,
python-testresources, python-testscenarios, python-testtools,
python-webob, python-webtest, subunit, testrepository,
- neutron-vpn-agent starts via initscripts, though I lose the flow of
execution nearly immediately -- no idea if it daemonizes correctly, but
there's no fork() or setsid() calls in the codebase
- pre/post inst/rm scripts automatically generated
- No dbus services
- No setuid
- /usr/bin/neutron-vpn-netns-wrapper and /usr/bin/neutron-vpn-agent
binaries
- No sudo fragments
- No udev rules
- Decent-sized tests run during build but I assume they're mostly mocked
- No cron jobs
- Dependency injection makes it difficult to trace filesystem writes
- Some adapter classes know how to configure:
- cisco csr client
- cisco ipsec
- fedora strongswan
- ipsec
- libreswan ipsec
- strongswan ipsec
- vyatta ipsec
- Only environment variable referenced was HUDSON_PUBLISH_DOCS in doc/
- There is a racy chmod() call in vpn_utils.py that is likely exploitable
if the machine in question has untrusted users
- Extensive configuration of cryptography but none implemented here
- I did not investigate the ipsec configurations for sanity or safety; I
did see that many were configured to use sha1 authentication. sha1 is
being phased out nearly everywhere but its use as online integrity
checks for tcp/ip streams may still be acceptable.
- Outgoing networking initiated via paramiko, may be more
- temp file handling looks poor, /tmp is used with what looks to be
often-predictable names, sometimes files aren't cleaned up
- No webkit
- No policykit
- We will consider rootwrap is an _advisory_ service only, much like php's
safe_open. Any issues with rootwrap will probably be treated as "low" or
lower in our workflow.
- write_key_to_compute_node() doesn't check write_key_to_local_path()
error return
- write_key_to_compute_node() doesn't clean up local_path
- write_key_to_local_path() race condition, creates local_key_file and then
sets permissions on the file -- an attacker could open the file for
reading between the two system calls and then read the private key after
it has been written to the file. Are these machines dedicated to this
task?
- VpnBase setup() has a gross temporary file handling hack:
self.local_key_files = ['/tmp/' + x for x in self.remote_key_files]
This may be exploitable if the remote_key_files can have '../etc/' in
the pathnames. I did not find sanity checks to prevent this.
- vpn_utils.py extensive use of unquoted string-based shell executions;
this is very difficult to audit. Probably whoever has privileges to
modify SDN functionality should be considered to have full control over
the entire openstack environment. Examples:
- cmd = "sudo ip netns exec {} ip a".format(namespace)
- interfaces = execute_cmd_over_ssh(controller, cmd, private_key)
I reviewed neutron-vpnaas version 2:8.0.0~ rc1-0ubuntu1 as checked into
xenial. This shouldn't be considered a full security audit but rather a
quick gauge of maintainability.
I had to enable universe for this build:
builddeps: neutron- vpnaas : Depends: dh-systemd but it is not installable
Depends: python-hacking but it is not going to be installed
- neutron-vpnaas knows how to configure network namespaces and several pkg-tools, Indep: alembic, python-coverage, python-fixtures, oslo.concurrenc y, oslo.config, python-oslo.db, python-oslo.log, oslo.messaging, python- oslo.serializat ion, python- oslo.service, oslo.utils, python-oslosphinx, python-oslotest, python-requests, requests- mock, python-six, python-sqlalchemy, testresources, python- testscenarios, python-testtools,
ipsec daemons to provide VPNs as a servive to openstack
- Build-Depends: debhelper, dh-python, dh-systemd, openstack-
python-all, python-pbr, python-setuptools, python-sphinx
- Build-Depends-
python-hacking, python-jinja2, python-mock, python-netaddr,
python-neutron, python-neutron-lib, python-
python-
python-
python-
python-
python-
python-webob, python-webtest, subunit, testrepository,
- neutron-vpn-agent starts via initscripts, though I lose the flow of neutron- vpn-netns- wrapper and /usr/bin/ neutron- vpn-agent
execution nearly immediately -- no idea if it daemonizes correctly, but
there's no fork() or setsid() calls in the codebase
- pre/post inst/rm scripts automatically generated
- No dbus services
- No setuid
- /usr/bin/
binaries
- No sudo fragments
- No udev rules
- Decent-sized tests run during build but I assume they're mostly mocked
- No cron jobs
- Dependency injection makes it difficult to trace filesystem writes
- Some adapter classes know how to configure:
- cisco csr client
- cisco ipsec
- fedora strongswan
- ipsec
- libreswan ipsec
- strongswan ipsec
- vyatta ipsec
- Only environment variable referenced was HUDSON_PUBLISH_DOCS in doc/
- There is a racy chmod() call in vpn_utils.py that is likely exploitable
if the machine in question has untrusted users
- Extensive configuration of cryptography but none implemented here
- I did not investigate the ipsec configurations for sanity or safety; I
did see that many were configured to use sha1 authentication. sha1 is
being phased out nearly everywhere but its use as online integrity
checks for tcp/ip streams may still be acceptable.
- Outgoing networking initiated via paramiko, may be more
- temp file handling looks poor, /tmp is used with what looks to be
often-predictable names, sometimes files aren't cleaned up
- No webkit
- No policykit
- We will consider rootwrap is an _advisory_ service only, much like php's to_compute_ node() doesn't check write_key_ to_local_ path() to_compute_ node() doesn't clean up local_path to_local_ path() race condition, creates local_key_file and then local_key_ files = ['/tmp/' + x for x in self.remote_ key_files]
safe_open. Any issues with rootwrap will probably be treated as "low" or
lower in our workflow.
- write_key_
error return
- write_key_
- write_key_
sets permissions on the file -- an attacker could open the file for
reading between the two system calls and then read the private key after
it has been written to the file. Are these machines dedicated to this
task?
- VpnBase setup() has a gross temporary file handling hack:
self.
This may be exploitable if the remote_key_files can have '../etc/' in
the pathnames. I did not find sanity checks to prevent this.
- vpn_utils.py extensive use of unquoted string-based shell executions;
this is very difficult to audit. Probably whoever has privileges to
modify SDN functionality should be considered to have full control over
the entire openstack environment. Examples:
- cmd = "sudo ip netns exec {} ip a".format( namespace) cmd_over_ ssh(controller, cmd, private_key)
- interfaces = execute_
- cmd = "sudo ip netns exec {} ping -w {} -c {} {}".format(
namespace, 2 * count, count, router_gw_ip)
return ping(controller, cmd, private_key)
- for key, ns_comp in zip(remote_ key_files, ns_compute_tuples):
execute_ cmd_over_ ssh(host, cmd, private_key)
cmd = "sudo rm -f {}".format(key)
host = ns_comp[1]
- cmd = ("sudo ssh-keygen -f /root/. ssh/known_ hosts -R" cmd_over_ ssh(compute_ host, cmd, private_key)
" {}".format(host))
execute_
I filed https:/ /bugs.launchpad .net/bugs/ 1570694 for this, OpenStack
security team considers it a non-issue.
- The /etc/init. d/neutron- vpn-agent file looks corrupted, two #!/bin/sh
lines, PATH is set twice.
Security team ACK for promoting neutron-vpnaas to main.
Thanks