Add OSSN-0018 - Dangerous network configuration
Change-Id: Ic142853a238f30f4f50e2616a533637e8cb895ef Related-Bug: 1316271
This commit is contained in:
Stanislaw Pitucha
parent
5f5202470c
commit
c6d62a198a
63
notes/OSSN-0018
Normal file
63
notes/OSSN-0018
Normal file
@ -0,0 +1,63 @@
|
||||
Nova Network configuration allows guest VMs to connect to host services
|
||||
---
|
||||
|
||||
### Summary ###
|
||||
When using Nova Network to manage networking for compute instances,
|
||||
instances are able to reach network services running on the host
|
||||
system. This may be a security issue for the operator.
|
||||
|
||||
### Affected Services / Software ###
|
||||
Nova, Folsom, Grizzly, Havana, Icehouse
|
||||
|
||||
### Discussion ###
|
||||
OpenStack deployments using Nova Network, rather than Neutron for
|
||||
network configuration will cause the host running the instances to be
|
||||
reachable on the virtual network. Specifically, booted instances can
|
||||
check the address of their gateway and try to connect to it. Any host
|
||||
service which listens on the interfaces created by OpenStack and does
|
||||
not apply any additional filtering will receive such traffic.
|
||||
|
||||
This is a security issue for deployments where the OpenStack service
|
||||
users are not trusted parties, or should not be allowed to access
|
||||
underlying services of the host system.
|
||||
|
||||
Using a specific example of devstack in default configuration, the
|
||||
instance spawned inside of it will see the following routing table:
|
||||
|
||||
$ ip r s
|
||||
default via 172.16.1.1 dev eth0
|
||||
172.16.1.0/24 dev eth0 src 172.16.1.2
|
||||
|
||||
The instance can then use the gateway's address (172.16.1.1) to connect
|
||||
to the sshd service on the host system (if one is running and listening
|
||||
on all interfaces). The host system will see the connection coming from
|
||||
interface `br100`.
|
||||
|
||||
### Recommended Actions ###
|
||||
Connections like this can be stopped at various levels (libvirt filters,
|
||||
specific host's iptables entries, ebtables, network service
|
||||
configuration). The recommended way to protect against the incoming
|
||||
connections is to stop the critical services from binding to the
|
||||
Nova-controlled interfaces.
|
||||
|
||||
Using the sshd service as an example, the default configuration on most
|
||||
systems is to bind to all interfaces and all local addresses
|
||||
("ListenAddress :22" in sshd_config). In order to configure it only on
|
||||
a specific interface, use "ListenAddress a.b.c.d:22" where a.b.c.d is
|
||||
the address assigned to the chosen interface. Similar settings can be
|
||||
found for most other services.
|
||||
|
||||
The list of services listening on all interfaces can be obtained by
|
||||
running command 'netstat -ltu', where the '*:port' in the "Local
|
||||
Address" field means the service will likely accept connections from the
|
||||
local Nova instances.
|
||||
|
||||
If filtering of the traffic is chosen instead, care must be taken to
|
||||
allow traffic coming from the running instances to services controlled
|
||||
by Nova - DHCP and DNS providers.
|
||||
|
||||
### Contacts / References ###
|
||||
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0018
|
||||
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1316271
|
||||
OpenStack Security ML : openstack-security@lists.openstack.org
|
||||
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
||||
Loading…
Reference in New Issue
Block a user