<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-text-html" lang="x-unicode">
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">OpenStack Security Note:
0074<br>
</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">Nova metadata service
should not be used for sensitive information<br>
</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);"> ---</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">### Summary ###<br>
A recent security report has highlighted how users may be using the<br>
metadata service to store security-sensitive information.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">The Nova metadata service
should not be considered a secure repository<br>
of confidential information required by compute instances.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">### Affected Services /
Software ###<br>
Nova, All Versions</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">### Discussion ###<br>
A recent vulnerability report for Nova stated that the metadata
service<br>
will obey the `X-Forwarded-For` HTTP header. This header is
often<br>
supplied by proxies so that the end service can identify which
IP the<br>
request originated from.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">The Nova metadata service
typically uses the source IP address of the<br>
incoming request to respond with the appropriate data for the
compute<br>
instance making the request. This is a sort of weak
authentication,<br>
designed to ensure that metadata for one tenant isn't
accidentally<br>
provided to another.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">If the request contains a
`X-Forwarded-For` HTTP header then the<br>
metadata service will use that for the source authentication
rather than<br>
the actual TCP/IP source.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">An attacker with access
to a compute instance in the cloud could send a<br>
request to the metadata service and include the
`X-Forwarded-For` header<br>
in order to effectively spoof their source and cause the
metadata<br>
service to provide information that should not have been
provided to<br>
that instance.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">Consider the following:<br>
Alice creates a compute instance. She places the root password
for that<br>
instance in the metadata service. The instance is assigned a
10.1.2.2<br>
IP address. Alice believes that the root password for her
instance is<br>
safe within the metadata service.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">Alice retrieves metadata
by running a command similar to:<br>
`curl <a rel="nofollow" href="http://169.254.169.254/latest/meta-data"
style="color: rgb(0, 51, 170); text-decoration: none;">http://169.254.169.254/latest/meta-data</a>`<br>
This will retrieve any metadata stored for Alice's compute instance,
which has an IP address of 10.1.2.2.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">Bob has a compute
instance with IP address 10.1.9.9; however, Bob wants access to the
metadata for Alice's compute instance. If Bob runs a command similar to
Alice's but adds a custom header, as below, he will get access to all of
Alice's metadata, including the root password she chose to store there:<br>
`curl -H "X-Forwarded-For: 10.1.2.2" <a rel="nofollow"
href="http://169.254.169.254/latest/meta-data" style="color:
rgb(0, 51, 170); text-decoration: none;">http://169.254.169.254/latest/meta-data</a>`</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">The Nova metadata service
is a useful utility within OpenStack but<br>
clearly not intended as a strongly authenticated system for
storing<br>
sensitive data such as private keys or passwords.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">### Recommended Actions
###<br>
The metadata service should not be used to store sensitive
information.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">The IP forwarding behaviour
is not a defect in itself: it exists so that the metadata service can
identify the originating instance when requests arrive through a proxy,
as may be the case in more complex deployments.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">Cloud users who need to
supply sensitive information that compute instances require for
operation should use the config drive instead. Its operation is much
more tightly bound to the individual compute instance.</p>
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">Where use of config drive
is not an option, operators should consider other mitigations, such as
placing a proxy in front of the metadata service that strips or rejects
client-supplied `X-Forwarded-For` headers before they reach it.</p>
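<p>The following is an added example, not code from this note or from Nova. It models the source-IP lookup described in the Discussion and the proxy-based filtering recommended above: `vulnerable_lookup` reproduces the behaviour in the Alice/Bob scenario (a client-supplied `X-Forwarded-For` overrides the TCP peer address), while `hardened_lookup` ignores the header unless the TCP peer is a trusted proxy and then reads the chain from the right, so a client cannot pre-seed a victim's address for the proxy to append to. The addresses, owners, metadata values and the `trusted_proxies` parameter are assumptions of the model.</p>

```python
"""Added example for OSSN-0074, not code from the note or from Nova.

A toy model of how a metadata service picks the instance it answers for.
`vulnerable_lookup` reproduces the behaviour the note describes (a
client-supplied X-Forwarded-For overrides the TCP peer address);
`hardened_lookup` honours the header only when the TCP peer is a trusted
proxy, which is what a filtering proxy in front of the service buys you.
All addresses, owners and metadata values are constructed.
"""

import ipaddress

# Constructed tenant data keyed by the instance's fixed IP, mirroring the
# note's Alice (10.1.2.2) and Bob (10.1.9.9) scenario.
INSTANCE_METADATA = {
    "10.1.2.2": {"owner": "alice", "meta": {"root_password": "s3cret"}},
    "10.1.9.9": {"owner": "bob", "meta": {}},
}


def _get_header(headers, name):
    """Case-insensitive header lookup; headers is a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def vulnerable_lookup(remote_addr, headers):
    """Source-IP 'authentication' as described in the note: if the request
    carries X-Forwarded-For, its first hop replaces the TCP peer address.
    Any instance can therefore name any other instance's IP."""
    forwarded = _get_header(headers, "X-Forwarded-For")
    source = forwarded.split(",")[0].strip() if forwarded else remote_addr
    return INSTANCE_METADATA.get(source)


def client_address(remote_addr, headers, trusted_proxies=()):
    """Decide which address a request is authenticated as.

    * Peer is not a trusted proxy: ignore X-Forwarded-For entirely. An
      instance talking to us directly cannot pick another instance's IP.
    * Peer is a trusted proxy: walk X-Forwarded-For from the right (the hop
      appended most recently) and skip trusted proxies; the first address
      that is not ours is the real client. Walking from the left would let a
      client pre-seed the header with a victim IP for the proxy to append to.
    Returns None when no address can be trusted (malformed hop, or a chain
    consisting only of proxies).
    """
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted:
        return str(peer)
    raw = _get_header(headers, "X-Forwarded-For") or ""
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # refuse to guess on a malformed hop
        if addr not in trusted:
            return str(addr)
    return None


def hardened_lookup(remote_addr, headers, trusted_proxies=()):
    """Same lookup, but the source address comes from client_address()."""
    source = client_address(remote_addr, headers, trusted_proxies)
    return INSTANCE_METADATA.get(source) if source else None


if __name__ == "__main__":
    spoofed = {"X-Forwarded-For": "10.1.2.2"}
    # Bob's instance (10.1.9.9) claims to be Alice's (10.1.2.2).
    print("vulnerable:", vulnerable_lookup("10.1.9.9", spoofed)["owner"])  # alice
    print("hardened:  ", hardened_lookup("10.1.9.9", spoofed)["owner"])    # bob
```

<p>Run directly, the module prints <code>alice</code> for the vulnerable path and <code>bob</code> for the hardened one when Bob's instance sends <code>X-Forwarded-For: 10.1.2.2</code>. The right-to-left rule in <code>client_address</code> is the piece a filtering proxy or the service itself has to get right; this is a sketch of that logic, not a drop-in Nova patch.</p>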
<p style="margin: 0px 0px 0.8em; padding: 0px; width: auto;
max-width: 45em; color: rgb(51, 51, 51); font-family: monospace;
font-size: 12px; font-style: normal; font-variant-ligatures:
normal; font-variant-caps: normal; font-weight: normal;
letter-spacing: normal; orphans: 2; text-align: left;
text-indent: 0px; text-transform: none; white-space: normal;
widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px;
background-color: rgb(255, 255, 255);">### Contacts / References
###<br>
Author: Robert Clark, IBM<br>
This OSSN : <a class="moz-txt-link-freetext"
href="https://wiki.openstack.org/wiki/OSSN/OSSN-0074">https://wiki.openstack.org/wiki/OSSN/OSSN-0074</a><br>
Original LaunchPad Bug : <a rel="nofollow"
href="https://bugs.launchpad.net/nova/+bug/1563954"
style="color: rgb(0, 51, 170); text-decoration: none;">https://bugs.launchpad.net/nova/+bug/1563954</a><br>
Mailing List : [Security] tag on openstack-dev@lists.openstack.org<br>
OpenStack Security Group : <a rel="nofollow"
href="https://launchpad.net/%7Eopenstack-ossg"
style="color: rgb(0, 51, 170); text-decoration: none;">https://launchpad.net/~openstack-ossg</a><br>
Config Drive : <a rel="nofollow"
href="http://docs.openstack.org/user-guide/cli-config-drive.html"
style="color: rgb(0, 51, 170); text-decoration: none;">http://docs.openstack.org/user-guide/cli-config-drive.html</a></p>
</div>
</body>
</html>