[openstack-dev] [OSSN 0058] Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes
Nathan Kinder
nkinder at redhat.com
Thu Sep 17 21:17:09 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes
- ---
### Summary ###
When using the LVMISCSIDriver with Cinder, the credentials for CHAP
authentication are not formatted correctly in the tgtadm configuration
file. This leads to a condition where an operator will expect that
volumes can only be mounted with the authentication credentials when,
in fact, they can be mounted without the credentials.
### Affected Services / Software ###
Cinder, Icehouse
### Discussion ###
When requesting that LVMISCSIDriver based volumes use the CHAP
authentication protocol, Cinder will add the credentials for
authentication to the configuration file for the tgtadm
application. In pre-Juno versions of Cinder the key name for these
credentials is incorrect. This incorrect key name will cause tgtadm
to not properly parse those credentials.
With incorrect credentials in place, tgtadm will fail to authenticate
volume mounting when requested by Cinder. The failed setting of
credentials through the configuration file will also allow
unauthenticated access to these volumes. This can allow instances
on the same network as the volumes to mount them without providing the
credentials to the tgtadm application.
This behavior can be confirmed by displaying the accounts associated
with a volume. For volumes which have authentication enabled, you will
see an account listed in the output of the tgtadm application. The
account names created by Cinder will be randomly generated and will
appear as 20 character strings. To print the information for volumes
the following command can be run on nodes with attached volumes:
# tgtadm --lld iscsi --op show --mode target
User names will be found in the `Account information:` section.
### Recommended Actions ###
If possible, Cinder should be updated to the Juno release or newer. If
this is not possible, then the following guidance will help mitigate
unwanted traffic to the affected nodes.
1. Identify the nodes that will be exposing Cinder volumes with the
LVMISCSIDriver and the nodes that will need to attach those volumes.
2. Implement either security group port rules or iptables rules on
the nodes exposing the volumes to only allow traffic through port 3260
from nodes that will need to attach volumes.
### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0058
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1329214
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJV+y3VAAoJEJa+6E7Ri+EVgg0IAILU1NC/FtRrbWNuEJg3Yryu
3lpxtYuAfVB9tEkJo9jTDeNjCY3Uz+iAMzI5ztjUrD7XVffR9PKB2X0IMTkGqxgT
l6KKPndmhtaD191yuomFQIn30H1cPaNg45ZTrqAJG4yR5ho4xgArQ9qhCtfOid8Q
gS85XraV56fB9Iw6helVGro6dCohz6S8rZksnSzw5rubHF2r56ZpzxgKQie8soOo
nh+XXNubUx8bY25TqCNEojtc7w2t2Ht6XxLHHq9e9JA13hmeO8t+OqzyyIduCOSl
tq42i+SEHACfn1zKoQw/02qNHsYbYtq94RTdavtZK6lkVdwc5DHPr9U7oAeU1Yw=
=9Kem
-----END PGP SIGNATURE-----
More information about the OpenStack-dev
mailing list