yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1681465] Re: VNC connection to VMs is unprotected

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Sean Dague <sean@xxxxxxxxx>
Date: Tue, 25 Jul 2017 16:59:33 -0000
Reply-to: Bug 1681465 <1681465@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: nova
       Status: New => Opinion

** Changed in: nova
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1681465

Title:
  VNC connection to VMs is unprotected

Status in OpenStack Compute (nova):
  Opinion
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Description:
  ============

  OpenStack Nova does not provide any protection of VNC servers running
  on compute nodes by default. Any client that has access to management
  network can connect to the consoles of VMs running on compute node and
  obtains full access to VMs via the console (e.g. by rebooting VMs to
  single-user mode).

  Steps to reproduce
  ==================
  - Configuration: the management interface of the compute node has a public IP address and is not protected by firewalls
  - Create a VM on the compute node
  - Use a VNC client to connect directly to the IP of the compute node via port 590x from anywhere.

  Expected result
  ===============
  Connections refused. Only VNC connections from master node should be accepted. Other should connect using proxy on master node which does also authorization

  Actual result
  =============
  Connection accepted. Anyone can use VNC client to connect directly to the console of VMs running on the compute node without any authentication/authorization

  Discussion
  ===========

  To be fair, most of examples in the OpenStack documentation have
  management networks private, so the network configuration in the
  examples are safe. However, OpenStack documentation only emphasizes
  the separation of management network from other networks (VM, data)
  and does not explicitly require (in a visible way) that the management
  networks must be protected (private networks, firewalls). The
  management network may be separated to another (public) network
  segment and the system is still vulnerable to the VNC attack.

  Therefore, the VNC connection to compute nodes should be protected
  (password, iptables) by default, or the documentation should give
  explicit warning that the management network must be private or
  protected by firewalls.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1681465/+subscriptions