yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #39941
[Bug 1488320] Re: neutron-vpnaas uses bad file permissions on PSK file
** Also affects: neutron/kilo
Importance: Undecided
Status: New
** Changed in: neutron/kilo
Status: New => Fix Committed
** Changed in: neutron/kilo
Milestone: None => 2015.1.2
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1488320
Title:
neutron-vpnaas uses bad file permissions on PSK file
Status in neutron:
In Progress
Status in neutron kilo series:
Fix Committed
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Summary:
OpenStack VPNaaS uses IPSec pre-shared keys(PSK) to secure VPN
tunnels. Those keys are specified by the user via the API when
creating the VPN connection, and they are stored in the neutron
database, then copied to the filesystem on the network node. The PSK
file created by the VPNaaS OpenSwan driver has perms of 644, and the
directories in its path allow access by anyone.
This means that if an intruder were to compromise the network node the
pre-shared VPN keys for all tenants would be vulnerable to
unauthorized disclosure.
VPNaaS uses the neutron utility function replace_file() to create the
PSK file, and replace_file sets the mode of all files it creates to
0o644.
This vulnerability exists in the OpenSwan ipsec driver, I have not yet
investigated whether it exists in any of the other implementation
drivers.
I have developed patches to neutron and neutron_vpnaas to add an
optional file_perm argument (with default 0o644) to replace_file(),
and to specify mode 0o400 when neutron-vpnaas creates the PSK file.
This allows all other existing calls to replace_file() to maintain
there existing behavior.
The Gory Details:
Here is the "ps -ef" output for the ipsec pluto process for the VPN
endpoint on the network node:
root 19701 1 0 01:15 ? 00:00:00 /usr/lib/ipsec/pluto
--ctlbase /var/run/neutron/ipsec/ad83280f-6993-478b-976e-
608550093ed8/var/run/pluto --ipsecdir
/var/run/neutron/ipsec/ad83280f-6993-478b-976e-608550093ed8/etc --use-
netkey --uniqueids --nat_traversal --secretsfile
/var/run/neutron/ipsec/ad83280f-6993-478b-976e-
608550093ed8/etc/ipsec.secrets --virtual_private
%v4:10.1.0.0/24,%v4:10.2.0.0/24
The PSK is stored in /var/run/neutron/ipsec/ad83280f-6993-478b-976e-
608550093ed8/etc/ipsec.secrets:
/home/stack# less /var/run/neutron/ipsec/ad83280f-6993-478b-976e-608550093ed8/etc/ipsec.secrets
# Configuration for myvpnrA
172.16.0.2 172.16.0.3 : PSK "secret"
Here we see the file perms:
/home/stack# ls -l /var/run/neutron/ipsec/ad83280f-6993-478b-976e-608550093ed8/etc/ipsec.secrets
-rw-r--r-- 1 neutron neutron 65 Aug 16 01:15 /var/run/neutron/ipsec/ad83280f-6993-478b-976e-608550093ed8/etc/ipsec.secrets
OpenSwan delivers a default secrets file
/var/lib/openswan/ipsec.secrets.inc, and we see it has a mode that we
would expect:
/home/stack# ls -l /var/lib/openswan/ipsec.secrets.inc
-rw------- 1 root root 0 Aug 15 23:51 /var/lib/openswan/ipsec.secrets.inc
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1488320/+subscriptions