yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #56360
[Bug 1622654] [NEW] Security Group doesn't work if the specific allowed-address-pairs value is set
Public bug reported:
Summary:
Security Group doesn't work if the specific allowed-address-pairs value
is set to the port associated with it.
High level description:
OpenStack user is allowed to specify arbitrary mac_address/ip_address
pairs that are allowed to pass through a port. For some practical
reasons, OpenStack users can specify huge subnets, and CIRDs provided
there are not sanitized. If the CIRD provided with 'allowed-address-
pairs' for any single port associated with Security Group overlaps with
a subnet used by the VM, the VM is always accessible by any port and any
protocol, despite the fact that its security group denies all ingress
traffic.
Step-by-step reproduction process:
1) Create a VM in OpenStack
2) Check that there are no rules allowing icmp (for instance) in the security group associated with the VM
3) perform:
neutron port-update [any-port-associated-with-the-secgroup] --allowed-address-pairs type=dict list=true ip_address=[a-very-huge-cidr]
if your VM uses a private IPv4 address from networks 192.168.x or
172.16.x, then 128.0.0.0/1 will work as "a-very-huge-cidr", if it uses
10.x network then 0.0.0.0/1 should.
4) ping all the VMs in this secgroup successfully (from router
namespace, or from any host which is allowed to access floating IPs if
floating IP is also assigned to the VM), as well as access it by any
port and protocol which the VM is listening.
Version:
All OpenStack releases up to Mitaka.
Perceived severity:
It's not a blocker as workaround are pretty obvious, but it's a huge
security bug: all the network security provided by Security Groups might
be ruined easily, just by updating a single port in neutron.
If we restrict the value of allowed-address-pairs in neutron to a single
address (/32 or /128), might it break anything?
** Affects: neutron
Importance: Undecided
Status: Confirmed
** Changed in: neutron
Status: New => Confirmed
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1622654
Title:
Security Group doesn't work if the specific allowed-address-pairs
value is set
Status in neutron:
Confirmed
Bug description:
Summary:
Security Group doesn't work if the specific allowed-address-pairs
value is set to the port associated with it.
High level description:
OpenStack user is allowed to specify arbitrary mac_address/ip_address
pairs that are allowed to pass through a port. For some practical
reasons, OpenStack users can specify huge subnets, and CIRDs provided
there are not sanitized. If the CIRD provided with 'allowed-address-
pairs' for any single port associated with Security Group overlaps
with a subnet used by the VM, the VM is always accessible by any port
and any protocol, despite the fact that its security group denies all
ingress traffic.
Step-by-step reproduction process:
1) Create a VM in OpenStack
2) Check that there are no rules allowing icmp (for instance) in the security group associated with the VM
3) perform:
neutron port-update [any-port-associated-with-the-secgroup] --allowed-address-pairs type=dict list=true ip_address=[a-very-huge-cidr]
if your VM uses a private IPv4 address from networks 192.168.x or
172.16.x, then 128.0.0.0/1 will work as "a-very-huge-cidr", if it uses
10.x network then 0.0.0.0/1 should.
4) ping all the VMs in this secgroup successfully (from router
namespace, or from any host which is allowed to access floating IPs if
floating IP is also assigned to the VM), as well as access it by any
port and protocol which the VM is listening.
Version:
All OpenStack releases up to Mitaka.
Perceived severity:
It's not a blocker as workaround are pretty obvious, but it's a huge
security bug: all the network security provided by Security Groups
might be ruined easily, just by updating a single port in neutron.
If we restrict the value of allowed-address-pairs in neutron to a
single address (/32 or /128), might it break anything?
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1622654/+subscriptions
Follow ups
