1bf55f1eb0
All OSSN authors, added under the "Author:" metadata field Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a Closes-Bug: #1599064
58 lines
2.5 KiB
Plaintext
58 lines
2.5 KiB
Plaintext
Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes
|
|
---
|
|
|
|
### Summary ###
|
|
When using the LVMISCSIDriver with Cinder, the credentials for CHAP
|
|
authentication are not formatted correctly in the tgtadm configuration
|
|
file. This leads to a condition where an operator will expect that
|
|
volumes can only be mounted with the authentication credentials when,
|
|
in fact, they can be mounted without the credentials.
|
|
|
|
### Affected Services / Software ###
|
|
Cinder, Icehouse
|
|
|
|
### Discussion ###
|
|
When requesting that LVMISCSIDriver based volumes use the CHAP
|
|
authentication protocol, Cinder will add the credentials for
|
|
authentication to the configuration file for the tgtadm
|
|
application. In pre-Juno versions of Cinder the key name for these
|
|
credentials is incorrect. This incorrect key name will cause tgtadm
|
|
to not properly parse those credentials.
|
|
|
|
With incorrect credentials in place, tgtadm will fail to authenticate
|
|
volume mounting when requested by Cinder. The failed setting of
|
|
credentials through the configuration file will also allow
|
|
unauthenticated access to these volumes. This can allow instances
|
|
on the same network as the volumes to mount them without providing the
|
|
credentials to the tgtadm application.
|
|
|
|
This behavior can be confirmed by displaying the accounts associated
|
|
with a volume. For volumes which have authentication enabled, you will
|
|
see an account listed in the output of the tgtadm application. The
|
|
account names created by Cinder will be randomly generated and will
|
|
appear as 20 character strings. To print the information for volumes
|
|
the following command can be run on nodes with attached volumes:
|
|
|
|
# tgtadm --lld iscsi --op show --mode target
|
|
|
|
User names will be found in the `Account information:` section.
|
|
|
|
### Recommended Actions ###
|
|
If possible, Cinder should be updated to the Juno release or newer. If
|
|
this is not possible, then the following guidance will help mitigate
|
|
unwanted traffic to the affected nodes.
|
|
|
|
1. Identify the nodes that will be exposing Cinder volumes with the
|
|
LVMISCSIDriver and the nodes that will need to attach those volumes.
|
|
|
|
2. Implement either security group port rules or iptables rules on
|
|
the nodes exposing the volumes to only allow traffic through port 3260
|
|
from nodes that will need to attach volumes.
|
|
|
|
### Contacts / References ###
|
|
Author: Michael McCune, Red Hat
|
|
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0058
|
|
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1329214
|
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|