
yahoo-eng-team team mailing list archive

[Bug 1493955] [NEW] CIDR that ends in /0 makes rule act as if it is a 0.0.0.0/0

 

Public bug reported:

A security rule can be added that ends with a /0 that makes the rule act
as if it is a 0.0.0.0/0 type of rule.

Example:

(neutron) security-group-rule-list
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------------+
| id                                   | security_group | direction | ethertype | protocol/port | remote                |
+--------------------------------------+----------------+-----------+-----------+---------------+-----------------------+
| BLAHBLAHID                           | TEST           | ingress   | IPv4      | 3128/tcp      | 192.168.10.0/0 (CIDR) |

The example below is to allow TCP ingress for port 3128 only from
192.168.10.0/24 networks.  Instead during the addition of the rule, a
mistake happened and instead of a /24 network, it was entered in as a
/0.

The rule now allows 0.0.0.0/0 networks access to TCP port 3128 instead
of the intended CIDR.

This can create a security issue as non-network people could
inadvertently open up access to areas they did not want to allow.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1493955

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1493955/+subscriptions
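
The mistake described in the report can be caught by comparing the prefix as typed with the network it matches once the host bits are masked off. This is an added example, not neutron's code or the reporter's; `audit_remote_prefix` and the sample prefixes are constructed for illustration, and it uses only Python's standard `ipaddress` module.

```python
import ipaddress


def audit_remote_prefix(cidr):
    """Classify a security-group remote CIDR exactly as the operator typed it.

    Returns (verdict, effective_network), where effective_network is the
    network the prefix matches after the host bits are masked off.
    Input that is not a CIDR at all raises ValueError.
    """
    # strict=False masks the host bits, mirroring the behaviour in the
    # report: 192.168.10.0/0 collapses to 0.0.0.0/0.
    effective = ipaddress.ip_network(cidr, strict=False)
    try:
        # strict=True raises ValueError when bits outside the mask are set.
        ipaddress.ip_network(cidr, strict=True)
        host_bits_set = False
    except ValueError:
        host_bits_set = True

    if host_bits_set and effective.prefixlen == 0:
        verdict = "reject: typed as a subnet but matches every address"
    elif host_bits_set:
        verdict = "reject: host bits set"
    elif effective.prefixlen == 0:
        verdict = "warn: explicit any-source rule"
    else:
        verdict = "ok"
    return verdict, str(effective)


# Constructed sample input: the prefix from the report plus comparison cases.
SAMPLE_PREFIXES = [
    "192.168.10.0/0",   # the typo from the report
    "192.168.10.0/24",  # what the operator meant
    "192.168.10.5/24",  # host address with a subnet mask
    "0.0.0.0/0",        # deliberate any-source rule
    "2001:db8::1/0",    # same typo in IPv6
]

if __name__ == "__main__":
    for prefix in SAMPLE_PREFIXES:
        verdict, effective = audit_remote_prefix(prefix)
        print(f"{prefix:<18} -> {effective:<18} {verdict}")
```
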

