Add OSSN-0058
Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes Change-Id: I15de98bdad06753b5bf68ebb7f635da698df29e7 Closes-Bug: 1329214
This commit is contained in:
Michael McCune
56
security-notes/OSSN-0058
Normal file
56
security-notes/OSSN-0058
Normal file
@@ -0,0 +1,56 @@
|
||||
Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes
|
||||
---
|
||||
|
||||
### Summary ###
|
||||
When using the LVMISCSIDriver with Cinder, the credentials for CHAP
|
||||
authentication are not formatted correctly in the tgtadm configuration
|
||||
file. This leads to a condition where an operator will expect that
|
||||
volumes can only be mounted with the authentication credentials when,
|
||||
in fact, they can be mounted without the credentials.
|
||||
|
||||
### Affected Services / Software ###
|
||||
Cinder, Icehouse
|
||||
|
||||
### Discussion ###
|
||||
When requesting that LVMISCSIDriver based volumes use the CHAP
|
||||
authentication protocol, Cinder will add the credentials for
|
||||
authentication to the configuration file for the tgtadm
|
||||
application. In pre-Juno versions of Cinder the key name for these
|
||||
credentials is incorrect. This incorrect key name will cause tgtadm
|
||||
to not properly parse those credentials.
|
||||
|
||||
With incorrect credentials in place, tgtadm will fail to authenticate
|
||||
volume mounting when requested by Cinder. The failed setting of
|
||||
credentials through the configuration file will also allow
|
||||
unauthenticated access to these volumes. This can allow instances
|
||||
on the same network as the volumes to mount them without providing the
|
||||
credentials to the tgtadm application.
|
||||
|
||||
This behavior can be confirmed by displaying the accounts associated
|
||||
with a volume. For volumes which have authentication enabled, you will
|
||||
see an account listed in the output of the tgtadm application. The
|
||||
account names created by Cinder will be randomly generated and will
|
||||
appear as 20 character strings. To print the information for volumes
|
||||
the following command can be run on nodes with attached volumes:
|
||||
|
||||
# tgtadm --lld iscsi --op show --mode target
|
||||
|
||||
User names will be found in the `Account information:` section.
|
||||
|
||||
### Recommended Actions ###
|
||||
If possible, Cinder should be updated to the Juno release or newer. If
|
||||
this is not possible, then the following guidance will help mitigate
|
||||
unwanted traffic to the affected nodes.
|
||||
|
||||
1. Identify the nodes that will be exposing Cinder volumes with the
|
||||
LVMISCSIDriver and the nodes that will need to attach those volumes.
|
||||
|
||||
2. Implement either security group port rules or iptables rules on
|
||||
the nodes exposing the volumes to only allow traffic through port 3260
|
||||
from nodes that will need to attach volumes.
|
||||
|
||||
### Contacts / References ###
|
||||
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0058
|
||||
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1329214
|
||||
OpenStack Security ML : openstack-security@lists.openstack.org
|
||||
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
||||
Reference in New Issue
Block a user