yahoo-eng-team team mailing list archive

Thread
Date
[Bug 1488320] Re: neutron-vpnaas uses bad file permissions on PSK file

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Armando Migliaccio <1488320@xxxxxxxxxxxxxxxxxx>
Date: Wed, 16 Nov 2016 23:53:34 -0000
Reply-to: Bug 1488320 <1488320@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** Changed in: neutron
       Status: Incomplete => Fix Committed

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1488320

Title:
  neutron-vpnaas uses bad file permissions on PSK file

Status in neutron:
  Fix Released
Status in neutron kilo series:
  Fix Released
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Summary:

  OpenStack VPNaaS uses IPSec pre-shared keys(PSK) to secure VPN
  tunnels.  Those keys are specified by the user via the API when
  creating the VPN connection, and they are stored in the neutron
  database, then copied to the filesystem on the network node.  The PSK
  file created by the VPNaaS OpenSwan driver has perms of 644, and the
  directories in its path allow access by anyone.

  This means that if an intruder were to compromise the network node the
  pre-shared VPN keys for all tenants would be vulnerable to
  unauthorized disclosure.

  VPNaaS uses the neutron utility function replace_file() to create the
  PSK file, and replace_file sets the mode of all files it creates to
  0o644.

  This vulnerability exists in the OpenSwan ipsec driver, I have not yet
  investigated whether it exists in any of the other implementation
  drivers.

  I have developed patches to neutron and neutron_vpnaas to add an
  optional file_perm argument (with default 0o644)  to replace_file(),
  and to specify mode 0o400 when neutron-vpnaas creates the PSK file.
  This allows all other existing calls to replace_file() to maintain
  there existing behavior.

  The Gory Details:

  Here is the "ps -ef" output for the ipsec pluto process for the VPN
  endpoint on the network node:

  root     19701     1  0 01:15 ?        00:00:00 /usr/lib/ipsec/pluto
  --ctlbase /var/run/neutron/ipsec/ad83280f-6993-478b-976e-
  608550093ed8/var/run/pluto --ipsecdir
  /var/run/neutron/ipsec/ad83280f-6993-478b-976e-608550093ed8/etc --use-
  netkey --uniqueids --nat_traversal --secretsfile
  /var/run/neutron/ipsec/ad83280f-6993-478b-976e-
  608550093ed8/etc/ipsec.secrets --virtual_private
  %v4:10.1.0.0/24,%v4:10.2.0.0/24

  The PSK is stored in /var/run/neutron/ipsec/ad83280f-6993-478b-976e-
  608550093ed8/etc/ipsec.secrets:

  /home/stack# less /var/run/neutron/ipsec/ad83280f-6993-478b-976e-608550093ed8/etc/ipsec.secrets
  # Configuration for myvpnrA
  172.16.0.2 172.16.0.3 : PSK "secret"

  Here we see the file perms:

  /home/stack# ls -l /var/run/neutron/ipsec/ad83280f-6993-478b-976e-608550093ed8/etc/ipsec.secrets
  -rw-r--r-- 1 neutron neutron 65 Aug 16 01:15 /var/run/neutron/ipsec/ad83280f-6993-478b-976e-608550093ed8/etc/ipsec.secrets

  OpenSwan delivers a default secrets file
  /var/lib/openswan/ipsec.secrets.inc, and we see it has a mode that we
  would expect:

  /home/stack# ls -l /var/lib/openswan/ipsec.secrets.inc
  -rw------- 1 root root 0 Aug 15 23:51 /var/lib/openswan/ipsec.secrets.inc

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1488320/+subscriptions