[openstack-dev] [OSSN 0028] Nova leaks compute host SMBIOS serial number to guests
Nathan Kinder
nkinder at redhat.com
Fri Oct 3 19:20:27 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Nova leaks compute host SMBIOS serial number to guests
- ---
### Summary ###
When Nova is using the libvirt virtualization driver, the SMBIOS
serial number supplied by libvirt is provided to the guest instances
that are running on a compute node. This serial number may expose
sensitive information about the underlying compute node hardware.
### Affected Services / Software ###
Nova, Icehouse, Havana
### Discussion ###
The 'serial' field in guest SMBIOS tables gets populated based on the
libvirt reported UUID of the host hardware. The rationale is to allow
correlation of guests running on the same host.
Unfortunately some hardware vendors use a subset of the host UUID as a
key for retrieving hardware support contract information without
requiring any authentication. In these cases, exposing the host UUID to
the guest is an information leak for those vendors.
The exposed host UUID could theoretically be leveraged by a cloud user
to get an approximate count of the number of unique hosts available to
them in the cloud by launching many short lived VMs.
### Recommended Actions ###
It is possible to override the use of the compute node's SMBIOS data by
libvirt in /etc/libvirt/libvirtd.conf by setting the 'host_uuid'
parameter. This allows setting an arbitrary UUID for identification
purposes that doesn't leak any information about the real underlying
hardware. It is advised to make use of this override ability to prevent
potential exposure of information about the underlying compute node
hardware.
In the Juno release of OpenStack, Nova's libvirt driver allows the
source of the host UUID to be controlled via a new 'sysinfo_serial'
config parameter. This new parameter allows the following values:
- 'auto' - try /etc/machine-id, fallback to libvirt reported
host UUID (new default)
- 'hardware' - always use libvirt host UUID (old default)
- 'os' - always use /etc/machine-id, error if missing
- 'none' - do not report any value to the guest
In general, it is preferrable to use the /etc/machine-id UUID instead
of the host hardware UUID. The former is a recent standard for Linux
distros introduced by systemd to provide a UUID that is unique per
operating system install. This means that even containers will see a
separate /etc/machine-id value. This /etc/machine-id can be expected to
be widely available in current and future distros. If this file is
missing, it is still possible to fallback to the libvirt reported host
UUID.
Administrators concerned about exposing the ability to identity an
underlying compute node by it's serial number may wish to disable
reporting of any sysinfo serial field at all by using the 'none' value.
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0028
Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1337349
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBAgAGBQJULvb7AAoJEJa+6E7Ri+EVJeUH/01GXn1cV7RHqzh1z9ybsJnY
4Cw5OYzjsSOjmkC1t4Y5llx0aSYCpF3CGdXUaN/fOIpn/yqcbzbq4lXt6rLWW4NI
k9NFgOxbqQKFhKUQ6HQZ8jaIhZm2FLzxk+9eV73DlE5kZ8y8o9T/IkmZbRFeWsx2
uzPTQy9P2BJ95XnpoKcsUJBY/3M+8++f6xRj0sU66KZNSjW7xN7MnalrRtwRxIcD
uugXv3iQ+e2ijXZvERw4NQonzSD+fcxBICxW0lUJrejnDn9ZfcJ4MmOGRYuN9sRC
Fr4lstLvBNLlyJ05JD9apusWFNdtbEp/c6gchwCGFZjmvPMXmkQCRMRrNr+H5hw=
=JjnC
-----END PGP SIGNATURE-----
More information about the OpenStack-dev
mailing list