yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1410984] Re: special routers ports' ownership can be edited

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Jeremy Stanley <fungi@xxxxxxxxxxx>
Date: Fri, 06 Feb 2015 00:20:36 -0000
Reply-to: Bug 1410984 <1410984@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Oh, I guess that was Salvatore's comment. Anyway, caught up with Armando
in IRC and it sounds like even if the attacker _does_ guess another
tenant's resource UUID (which this bug doesn't enable or simplify in any
way), there was still no clear indication that it would allow a data
plane breach.

Given that I'm switching this to a regular bug now.

** Information type changed from Private Security to Public

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1410984

Title:
  special routers ports' ownership can be edited

Status in OpenStack Neutron (virtual network service):
  New
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  This issue is being treated as a potential security risk under
  embargo. Please do not make any public mention of embargoed (private)
  security vulnerabilities before their coordinated publication by the
  OpenStack Vulnerability Management Team in the form of an official
  OpenStack Security Advisory. This includes discussion of the bug or
  associated fixes in public forums such as mailing lists, code review
  systems and bug trackers. Please also avoid private disclosure to
  other individuals not already approved for access to this information,
  and provide this same reminder to those who are made aware of the
  issue prior to publication. All discussion should remain confined to
  this private bug report, and any proposed fixes should be added as to
  the bug as attachments.

  This is basically a sister bug of bug #1243327, but applies to DVR
  and, possibly, HA routers. This affects plugins that support DVR/HA,
  which right now is just ML2/OVS.

  In a nutshell what happens is that check
  _enforce_device_owner_not_router_intf_or_device_id in [1] is skipped,
  instead of being forbidden.

  From a data plane standpoint, since these routers work a bit
  differently from centralized routers, there is no actual cross
  plugging. In fact, since DVR routers will do the interface plugging
  only after a network has been attached to the router, this makes the
  exploit a lot more difficult to achieve, but the fix provided at least
  prevents malicious attempts from creative people.

  [1]
  https://github.com/openstack/neutron/blob/stable/juno/neutron/db/db_base_plugin_v2.py#L1493
  (stable/juno)

  Patch applies for master attached, which applies cleanly to Juno.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1410984/+subscriptions