[Openstack-security] Fwd: [Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!

Nathanael Burton nathanael.i.burton.work at gmail.com
Thu Dec 26 23:16:15 UTC 2013


I'm not so sure this is an 'admin' user or role issue. Certainly a user
with the 'admin' role could get to the console of VMs in different tenants,
but the problem as described seems to indicate the user is getting the
wrong console (regardless of them being authorized or not).

Issues like this most commonly occur when things get out of sync between
the hypervisor and various nova services.  I also wouldn't rule out a bug,
but if so it's not a very obvious one from looking at the code and based on
first-hand usage.

Nate
On Dec 26, 2013 1:32 PM, "Sriram Subramanian" <sriram at sriramhere.com> wrote:

> Thierry, Thiago hasn't responded yet on the admin/ non-admin user part.
> Looks like that is the issue. I have pinged him to file a bug with more
> details, so that it will be acted upon.
>
> Thanks,
> -Sriram
>
>
> On Thu, Dec 26, 2013 at 2:57 AM, Thierry Carrez <thierry at openstack.org> wrote:
>
>> Sriram Subramanian wrote:
>> > Anybody seen this? Can we follow up with him for more details?
>>
>> We had several people report the same type of "breach" in the past. It
>> always boiled down to people misunderstanding the power of the "admin"
>> users (which by default are not that much restricted by tenant
>> boundaries).
>>
>> I would not be surprised if that was the case here. Especially if the
>> reporter can't reproduce it on a "fresh" setup (where he would set up
>> normal users).
>>
>> --
>> Thierry Carrez (ttx)
>>
>> _______________________________________________
>> Openstack-security mailing list
>> Openstack-security at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-security
>>
>
>
>
> --
> Thanks,
> -Sriram
>
>
>
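The thread offers two different explanations for the report, and they need different checks. This is an added illustration, not nova's own code: it models a consoleauth-style token store and the hypervisor's actual VNC ports as small constructed tables so that both explanations can be told apart. The names (Instance, ConsoleToken, the tenant and host labels) and the role check are assumptions made for the example. Thierry's case is a plain authorization question: an "admin" role is not confined by tenant boundaries, so an admin asking for another tenant's console gets it. Nate's case is a consistency question: a token issued while the instance listened on one host/port keeps pointing at that host/port after the hypervisor and nova state have drifted apart, so the proxy connects the user to whatever instance now sits there, regardless of what they were authorized to see.

```python
"""Model of the two explanations in the thread for a user seeing another
tenant's VNC console.  Added example, not nova's code; the token store,
the port map and the role check are simplified assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Instance:
    uuid: str
    tenant: str
    host: str
    vnc_port: int  # port the hypervisor actually listens on right now


@dataclass(frozen=True)
class ConsoleToken:
    token: str
    instance_uuid: str  # instance the token was issued for
    host: str
    port: int  # (host, port) recorded at issue time, never re-validated


# Constructed sample state: two tenants sharing one compute host.
# vm-a was restarted and now listens on 5901; vm-b took over 5900.
INSTANCES: Dict[str, Instance] = {
    "vm-a": Instance("vm-a", "tenant-a", "compute1", 5901),
    "vm-b": Instance("vm-b", "tenant-b", "compute1", 5900),
}

# Token issued for vm-a after the restart: points at the right port.
FRESH_TOKEN = ConsoleToken("t-fresh", "vm-a", "compute1", 5901)
# Token issued for vm-a before the restart: still points at 5900,
# which now belongs to tenant-b's vm-b (Nate's out-of-sync case).
STALE_TOKEN = ConsoleToken("t-stale", "vm-a", "compute1", 5900)


def authorize_console(user_tenant: str, user_roles: Set[str],
                      instance: Instance, admin_role: str = "admin") -> bool:
    """Thierry's point: same tenant is allowed, and so is anyone holding
    the admin role, whatever tenant the instance belongs to."""
    if admin_role in user_roles:
        return True
    return instance.tenant == user_tenant


def instance_at(host: str, port: int,
                instances: Dict[str, Instance]) -> Optional[Instance]:
    """Return the instance currently backing (host, port), if any."""
    for inst in instances.values():
        if inst.host == host and inst.vnc_port == port:
            return inst
    return None


def check_token(token: ConsoleToken,
                instances: Dict[str, Instance]) -> Tuple[str, Optional[str]]:
    """Compare who the token was issued for with who it reaches now.
    Returns (issued_for_uuid, reached_uuid); reached is None if nothing
    listens on the recorded host/port."""
    reached = instance_at(token.host, token.port, instances)
    return token.instance_uuid, (reached.uuid if reached else None)


def token_is_stale(token: ConsoleToken, instances: Dict[str, Instance]) -> bool:
    """True when following the token lands on a different instance than
    the one it was issued for: the 'wrong console' symptom."""
    issued, reached = check_token(token, instances)
    return issued != reached


def stale_tokens(tokens: List[ConsoleToken],
                 instances: Dict[str, Instance]) -> List[ConsoleToken]:
    """Audit helper: every outstanding token whose target has drifted."""
    return [t for t in tokens if token_is_stale(t, instances)]


if __name__ == "__main__":
    # Non-admin in tenant-a must not get vm-b; admin does, by design.
    print(authorize_console("tenant-a", set(), INSTANCES["vm-b"]))
    print(authorize_console("tenant-a", {"admin"}, INSTANCES["vm-b"]))
    # The stale token was authorized for vm-a but reaches vm-b.
    for t in stale_tokens([FRESH_TOKEN, STALE_TOKEN], INSTANCES):
        print(t.token, "issued for", t.instance_uuid,
              "now reaches", check_token(t, INSTANCES)[1])
```

The two outcomes are the ones the thread distinguishes: `authorize_console` passing for an admin is expected behaviour and a question of how admin roles are handed out, whereas `token_is_stale` returning true on a token that was legitimately issued means the console proxy is connecting the user to an instance they were never authorized for, which is the bug-shaped case Nate describes and the one worth filing with details.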