Luke Hinds 1bf55f1eb0 Added Authors to Security Notes
All OSSN authors, added under the "Author:" metadata field

Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a
Closes-Bug: #1599064
2016-07-11 10:51:07 +00:00

Cinder LVMISCSIDriver allows possible unauthenticated mounting of volumes
---
### Summary ###
When using the LVMISCSIDriver with Cinder, the credentials for CHAP
authentication are not formatted correctly in the tgtadm configuration
file. This leads to a condition where an operator will expect that
volumes can only be mounted with the authentication credentials when,
in fact, they can be mounted without the credentials.
### Affected Services / Software ###
Cinder, Icehouse
### Discussion ###
When requesting that LVMISCSIDriver based volumes use the CHAP
authentication protocol, Cinder will add the credentials for
authentication to the configuration file for the tgtadm
application. In pre-Juno versions of Cinder the key name for these
credentials is incorrect. This incorrect key name will cause tgtadm
to not properly parse those credentials.
Because tgtadm does not recognise the key, no CHAP account is bound to
the target and the authentication that Cinder requested is never
enforced. Any initiator that can reach the iSCSI port of the node
exporting the volume can then log in and attach it without presenting
credentials, including instances on the same network as the volumes.
This behavior can be confirmed by displaying the accounts bound to each
target. For a volume that was created with authentication enabled, an
account should be listed in the output of tgtadm; the account names
Cinder generates are random 20 character strings. A target for such a
volume whose account section is empty has been exported without CHAP.
To print the information for all targets, run the following command as
root on the cinder-volume nodes that export the volumes (where tgtd
runs):
# tgtadm --lld iscsi --op show --mode target
User names will be found in the `Account information:` section of each
target.
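The check above can be scripted. The following is an added example and is
not code from the OSSN or from Cinder: it reads the output of the tgtadm
command, walks each target's sections, and prints the IQN of every target
whose `Account information:` section lists no user. The tgtadm output it
parses is a constructed sample (the IQNs, backing store paths and the
account name are made up) shaped like the real `--op show --mode target`
listing, with sections indented four spaces and their entries eight.

```shell
#!/bin/sh
# Added example, not part of OSSN-0058 or of Cinder: find tgt targets that
# have no CHAP account bound, which is the symptom described in the note.

# Constructed sample of `tgtadm --lld iscsi --op show --mode target` output.
# Target 1 carries a 20-character Cinder-style account; target 2 has an
# empty "Account information:" section and so accepts logins without CHAP.
SAMPLE_TGTADM_OUTPUT='Target 1: iqn.2010-10.org.openstack:volume-11111111-1111-1111-1111-111111111111
    System information:
        Driver: iscsi
        State: ready
    I_T nexus information:
    LUN information:
        LUN: 0
            Type: controller
        LUN: 1
            Type: disk
            Backing store path: /dev/cinder-volumes/volume-11111111-1111-1111-1111-111111111111
    Account information:
        kYtHJfBpwaiwwmtpnmes
    ACL information:
        ALL
Target 2: iqn.2010-10.org.openstack:volume-22222222-2222-2222-2222-222222222222
    System information:
        Driver: iscsi
        State: ready
    I_T nexus information:
    LUN information:
        LUN: 0
            Type: controller
        LUN: 1
            Type: disk
            Backing store path: /dev/cinder-volumes/volume-22222222-2222-2222-2222-222222222222
    Account information:
    ACL information:
        ALL'

# Read tgtadm output on stdin and print the IQN of every target whose
# "Account information:" section lists no user. Entries are counted only
# between the Account header and the next "... information:" header, so
# ACL entries such as "ALL" are never mistaken for accounts.
unauthenticated_targets() {
    awk '
        function report() { if (target != "" && nacct == 0) print target }
        /^Target [0-9]+: /              { report(); target = $3; inacct = 0; nacct = 0; next }
        /^    Account information:/     { inacct = 1; next }
        /^    [A-Za-z_ ]+ information:/ { inacct = 0; next }
        inacct && /^        [^ ]/       { nacct++ }
        END                             { report() }
    '
}

# Live use on a cinder-volume node (needs root to talk to tgtd):
#   tgtadm --lld iscsi --op show --mode target | unauthenticated_targets
# Against the constructed sample, which prints only the second IQN:
printf '%s\n' "$SAMPLE_TGTADM_OUTPUT" | unauthenticated_targets
```

A target printed by this script is only evidence of the bug if Cinder was
asked to enable CHAP for that volume; volumes exported without
authentication on purpose will show up the same way.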
### Recommended Actions ###
If possible, Cinder should be updated to the Juno release or newer. If
this is not possible, then the following guidance limits which hosts can
reach the affected targets and so reduces the exposure.
1. Identify the nodes that will be exposing Cinder volumes with the
LVMISCSIDriver and the nodes that will need to attach those volumes.
2. Implement either security group port rules or iptables rules on
the nodes exposing the volumes so that only the nodes that need to
attach volumes can reach TCP port 3260 (iSCSI), and deny that port to
every other source.
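The iptables form of step 2, as an added example that is not part of the
OSSN: the function below takes the addresses of the nodes identified in
step 1 and emits one ACCEPT rule per address followed by a DROP for
everything else on TCP/3260. The rules are printed rather than applied so
they can be reviewed first, and the addresses in the usage line are
illustrative assumptions, not values from the note.

```shell
#!/bin/sh
# Added example, not part of OSSN-0058: emit iptables rules that admit iSCSI
# (TCP/3260) on a Cinder LVM node only from the hosts that attach volumes.

# Usage: iscsi_allowlist_rules ADDRESS...   (IPv4 host or CIDR)
# Order matters: iptables stops at the first matching rule, so the ACCEPTs
# are emitted first and the catch-all DROP last.
iscsi_allowlist_rules() {
    [ "$#" -gt 0 ] || { echo "usage: iscsi_allowlist_rules ADDRESS..." >&2; return 1; }
    for addr in "$@"; do
        # Coarse shape check so a stray shell metacharacter never reaches
        # the generated command line; it does not validate octet ranges.
        case "$addr" in
            *[!0-9./]*|""|/*|*/)
                echo "rejecting address: $addr" >&2
                return 1 ;;
        esac
        printf 'iptables -A INPUT -p tcp --dport 3260 -s %s -j ACCEPT\n' "$addr"
    done
    printf 'iptables -A INPUT -p tcp --dport 3260 -j DROP\n'
}

# Review, then apply on the node exporting the volumes (addresses are
# assumed for illustration):
#   iscsi_allowlist_rules 10.0.1.11 10.0.1.12 | sh
iscsi_allowlist_rules 10.0.1.11 10.0.1.0/24
```

The DROP only covers port 3260, so other services on the node are
unaffected; if the INPUT chain already ends in a DROP policy the final
rule is redundant but harmless. The security group equivalent is a single
ingress rule for TCP/3260 whose remote side is the attaching nodes'
addresses or their security group, with no wider 3260 rule present.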
### Contacts / References ###
Author: Michael McCune, Red Hat
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0058
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1329214
OpenStack Security ML : openstack-security@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg