yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #22311
[Bug 1365961] Re: Dangerous iptables rule generated in case of protocol "any" and source-port/destination-port usage
The security note for this issue has been published as OSSN-0029:
https://wiki.openstack.org/wiki/OSSN/OSSN-0029
** Changed in: ossn
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1365961
Title:
Dangerous iptables rule generated in case of protocol "any" and
source-port/destination-port usage
Status in OpenStack Neutron (virtual network service):
Fix Committed
Status in OpenStack Security Advisories:
Won't Fix
Status in OpenStack Security Notes:
Fix Released
Bug description:
Icehouse 2014.1.2, FWaas using iptables driver
In order to allow DNS (TCP and UDP) request, the following rule was defined:
neutron firewall-rule-create --protocol any --destination-port 53 --action allow
On L3agent namespace this has been translated in the following iptables rules:
-A neutron-l3-agent-iv441c58eb2 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -j ACCEPT
=> there is no restriction on the destination port(53), like we could expect it !!!
There is 2 solutions to handle this issue:
1) Doesn't allow user to create a rule specifing protocol "any" AND a
source-port/destination-port.
2) Generating the following rules (like some firewalls do):
-A neutron-l3-agent-iv441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
-A neutron-l3-agent-iv441c58eb2 -p udp -m udp --dport 53 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
-A neutron-l3-agent-ov441c58eb2 -p udp -m udp --dport 53 -j ACCEPT
=> TCP and UDP have been completed.
The source code affected is located in
neutron/services/firewall/drivers/linux/iptables_fwaas.py (L268)
def _port_arg(self, direction, protocol, port):
if not (protocol in ['udp', 'tcp'] and port):
return ''
return '--%s %s' % (direction, port)
=> trunk code is affected too.
Nota: This is not a real Neutron security vulnerability but it is a
real security vulnerability for applications living in the Openstack
cloud... That's why I tagged it as "security vulnerability"
Regards,
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1365961/+subscriptions