← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1365961] Re: Dangerous iptables rule generated in case of protocol "any" and source-port/destination-port usage

 

The security note for this issue has been published as OSSN-0029:

  https://wiki.openstack.org/wiki/OSSN/OSSN-0029

** Changed in: ossn
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1365961

Title:
  Dangerous iptables rule generated in case of protocol "any" and
  source-port/destination-port usage

Status in OpenStack Neutron (virtual network service):
  Fix Committed
Status in OpenStack Security Advisories:
  Won't Fix
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  Icehouse 2014.1.2, FWaas using iptables driver

  In order to allow DNS (TCP and UDP) request, the following rule was defined:
  neutron firewall-rule-create --protocol any --destination-port 53 --action allow

  On L3agent namespace this has been translated in the following iptables rules:
  -A neutron-l3-agent-iv441c58eb2 -j ACCEPT
  -A neutron-l3-agent-ov441c58eb2 -j ACCEPT
  => there is no restriction on the destination port(53), like we could expect it !!!

  There is 2 solutions to handle this issue:

  1) Doesn't allow user to create a rule specifing protocol "any" AND a
  source-port/destination-port.

  2) Generating the following rules (like some firewalls do):
  -A neutron-l3-agent-iv441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
  -A neutron-l3-agent-iv441c58eb2 -p udp -m udp --dport 53 -j ACCEPT
  -A neutron-l3-agent-ov441c58eb2 -p tcp -m tcp --dport 53 -j ACCEPT
  -A neutron-l3-agent-ov441c58eb2 -p udp -m udp --dport 53 -j ACCEPT
  => TCP and UDP have been completed.

  The source code affected is located in
  neutron/services/firewall/drivers/linux/iptables_fwaas.py  (L268)

      def _port_arg(self, direction, protocol, port):
          if not (protocol in ['udp', 'tcp'] and port):
              return ''
          return '--%s %s' % (direction, port)

  => trunk code is affected too.

  Nota: This is not a real Neutron security vulnerability but it is a
  real security vulnerability for applications living in the Openstack
  cloud... That's why I tagged it as "security vulnerability"

  Regards,

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1365961/+subscriptions