yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1347027] Re: Security groups attached to VMs makes it possible for hacked VM to modify its security

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>
Date: Mon, 18 Aug 2014 15:01:52 -0000
Reply-to: Bug 1347027 <1347027@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: ossa
       Status: Incomplete => Invalid

** Information type changed from Private Security to Public

** Changed in: neutron
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1347027

Title:
  Security groups attached to VMs makes it possible for hacked VM to
  modify its security

Status in OpenStack Neutron (virtual network service):
  Invalid
Status in OpenStack Security Advisories:
  Invalid

Bug description:
  The security groups are associated with the VMs, rather than the
  routers.  So, if a hackers manages to get a root shell on a VM, they
  can change their security by modifying their iptable entries.

  If the security was attached to the network, rather than the VMs, such
  an exploit could be avoided.

  I do not have a POC for this issue.  But, according to the
  documentation I have been reading about how network security has been
  implemented in Open Stack, this is a potential issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1347027/+subscriptions