[Openstack-security] [Bug 1666959] Re: ha_vrrp_auth_type defaults to PASS which is insecure
Jeremy Stanley
fungi at yuggoth.org
Fri Mar 3 16:20:25 UTC 2017
Thanks for digging into this. Looks like we can treat it as a public
report of a potential security hardening opportunity (there are at least
some in the community who would eventually like to see every service
able to operate over untrusted backend/admin networks, but it should
certainly not be an expectation as things stand today).
** Information type changed from Private Security to Public
** Changed in: ossa
Status: Incomplete => Won't Fix
** Tags added: security
** Description changed:
- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
-
With l3_ha enabled, ha_vrrp_auth_type defaults to PASS authentication:
https://github.com/openstack/neutron/blob/b90ec94dc3f83f63bdb505ace1e4c272435c494b/neutron/conf/agent/l3/ha.py#L28
which according to http://louwrentius.com/configuring-attacking-and-
securing-vrrp-on-linux.html is totally insecure because the VRRP
password is transmitted in the clear.
I'm not sure if this is currently a serious issue, since if the VRRP
network is untrusted, maybe there are already bigger problems. But I
thought it was worth reporting, at least.
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1666959
Title:
ha_vrrp_auth_type defaults to PASS which is insecure
Status in neutron:
New
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
With l3_ha enabled, ha_vrrp_auth_type defaults to PASS authentication:
https://github.com/openstack/neutron/blob/b90ec94dc3f83f63bdb505ace1e4c272435c494b/neutron/conf/agent/l3/ha.py#L28
which according to http://louwrentius.com/configuring-attacking-and-
securing-vrrp-on-linux.html is totally insecure because the VRRP
password is transmitted in the clear.
I'm not sure if this is currently a serious issue, since if the VRRP
network is untrusted, maybe there are already bigger problems. But I
thought it was worth reporting, at least.
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1666959/+subscriptions
More information about the Openstack-security
mailing list