Comment 18 for bug 1482765

Seth Arnold (seth-arnold) wrote :

I reviewed neutron-vpnaas version 2:13.0.0-0ubuntu1 as checked into
cosmic. This shouldn't be considered a full security audit. I especially
did not audit the VPN configurations that it provides.

- No CVEs in our database
- neutron-vpnaas provides an interface for OpenStack administrators to
  create VPNs using a variety of VPN tools
- *huge* list of build-depends. I'm not going to paste them all in here,
  it's really very surprising. There are 83 packages.
- Does not itself do networking
- Does not daemonize
- pre/post inst/rm scripts autogenerated
- No initscripts
- No systemd units
- No DBus services
- No setuid files
- python3-neutron-vpn-netns-wrapper and python2-neutron-vpn-netns-wrapper
  executables in /usr/bin
- No sudoers fragments
- No udev rules
- Extensive testsuite, unknown utility
- No cronjobs

- Subprocesses extensively spawned
- File operations are normally to well-known locations
- No environment use
- Privileged operations looked racy
- Networking done mostly via spawning ssh
- All /tmp uses look to be in test or CI
- No use of WebKit
- No use of JavaScript
- No use of Policykit

neutron-vpnaas was previously in main. I don't recall it being a
maintenance burden in the past, so this audit is fairly truncated compared
to if this were a new package entirely.

It still drastically uses string-based command executions via ssh.

Whoever can use this interface should be considered to have full control
over the entire OpenStack environment. Upstream OpenStack security team
wasn't too worried about anything I reported last time around, so this is
probably also their threat model.

write_key_to_local_path() has a race condition in writing a key. Probably
OpenStack networking and compute nodes only ever have completely trusted
users interacting with the systems.

Security team ACK for promoting neutron-vpnaas to main with the provision
that the server team promises to help provide quality assurance in the
event updates are needed. We're not in a position to test all the VPNs
that this can configure.

Thanks
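
The comment above does not say what the race in write_key_to_local_path() is. As an added example (not neutron-vpnaas code and not part of the comment), assuming the common create-then-chmod pattern for key files, this compares that pattern with an atomic write; the function names, file names and key are constructed.

```python
import os
import stat
import tempfile


def write_key_racy(key: str, path: str) -> None:
    """Create-then-chmod: the file has umask-derived permissions until
    chmod runs, and open() follows a symlink already present at path."""
    with open(path, "w") as f:
        f.write(key)
    os.chmod(path, 0o600)


def write_key_atomic(key: str, path: str) -> None:
    """Write to a private temp file in the target directory, then rename."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp opens with O_CREAT|O_EXCL and mode 0600: it never follows a
    # symlink, never reuses a file, and is private from the first byte.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".key-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(key)
            f.flush()
            os.fsync(f.fileno())
        # Atomic rename: replaces a symlink at path instead of following it.
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo() -> dict:
    """Put a symlink at the key path, run both writers, report the outcome."""
    key = "CONSTRUCTED-SAMPLE-KEY\n"  # constructed sample, not a real key
    result = {}
    with tempfile.TemporaryDirectory() as d:
        for name, writer in (("racy", write_key_racy),
                             ("atomic", write_key_atomic)):
            other = os.path.join(d, name + "-other-file")
            path = os.path.join(d, name + "-key")
            open(other, "w").close()
            os.symlink(other, path)  # stands in for a link made before the write
            writer(key, path)
            is_link = os.path.islink(path)
            result[name] = {
                "other_file_overwritten": os.path.getsize(other) > 0,
                "mode": None if is_link else stat.S_IMODE(os.lstat(path).st_mode),
            }
    return result
```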