Stanislaw Pitucha c6d62a198a Add OSSN-0018 - Dangerous network configuration
Change-Id: Ic142853a238f30f4f50e2616a533637e8cb895ef
Related-Bug: 1316271
2014-06-18 17:10:54 +01:00

64 lines
2.8 KiB
Plaintext

Nova Network configuration allows guest VMs to connect to host services
---
### Summary ###
When using Nova Network to manage networking for compute instances,
instances are able to reach network services running on the host
system. This may be a security issue for the operator.
### Affected Services / Software ###
Nova, Folsom, Grizzly, Havana, Icehouse
### Discussion ###
OpenStack deployments using Nova Network, rather than Neutron for
network configuration will cause the host running the instances to be
reachable on the virtual network. Specifically, booted instances can
check the address of their gateway and try to connect to it. Any host
service which listens on the interfaces created by OpenStack and does
not apply any additional filtering will receive such traffic.
This is a security issue for deployments where the OpenStack service
users are not trusted parties, or should not be allowed to access
underlying services of the host system.
Using a specific example of devstack in default configuration, the
instance spawned inside of it will see the following routing table:
$ ip r s
default via 172.16.1.1 dev eth0
172.16.1.0/24 dev eth0 src 172.16.1.2
The instance can then use the gateway's address (172.16.1.1) to connect
to the sshd service on the host system (if one is running and listening
on all interfaces). The host system will see the connection coming from
interface `br100`.
### Recommended Actions ###
Connections like this can be stopped at various levels (libvirt filters,
specific host's iptables entries, ebtables, network service
configuration). The recommended way to protect against the incoming
connections is to stop the critical services from binding to the
Nova-controlled interfaces.
Using the sshd service as an example, the default configuration on most
systems is to bind to all interfaces and all local addresses
("ListenAddress :22" in sshd_config). In order to configure it only on
a specific interface, use "ListenAddress a.b.c.d:22" where a.b.c.d is
the address assigned to the chosen interface. Similar settings can be
found for most other services.
The list of services listening on all interfaces can be obtained by
running command 'netstat -ltu', where the '*:port' in the "Local
Address" field means the service will likely accept connections from the
local Nova instances.
If filtering of the traffic is chosen instead, care must be taken to
allow traffic coming from the running instances to services controlled
by Nova - DHCP and DNS providers.
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0018
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1316271
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg