[Openstack-security] [Bug 1337349] Re: Nova qemu hypervisor host smbios serial number is leaked to guest
OpenStack Infra
1337349 at bugs.launchpad.net
Sat Aug 23 01:45:19 UTC 2014
Reviewed: https://review.openstack.org/113311
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=4431eec1c94c4a353b45e5d873854b3fb1eaa11b
Submitter: Jenkins
Branch: master
commit 4431eec1c94c4a353b45e5d873854b3fb1eaa11b
Author: Daniel P. Berrange <berrange at redhat.com>
Date: Mon Jul 28 15:15:44 2014 +0100
libvirt: make sysinfo serial number configurable
The 'serial' field in guest SMBIOS tables gets populated
based on the libvirt reported UUID of the host hardware.
The rationale is to allow correlation of guests running
on the same host.
Unfortunately some hardware vendors use a subset of the
host UUID as a key for retrieving hardware support
contract information without requiring any authentication.
So exposing the host UUID to the guest is an information
leak for those vendors. It is possible to override the
use of SMBIOS data by libvirt in /etc/libvirt/libvirtd.conf
by setting the 'host_uuid' parameter.
As a way to reduce the configuration burden though, it is
preferrable to use the /etc/machine-id UUID, instead of
the host hardware UUID. The former is a recent standard
for Linux distros introduced by systemd to provide a UUID
that is unique per operating system install. This means
that even containers will see a separate /etc/machine-id
value. This /etc/machine-id can be expected to be widely
available in current and future distros. If missing, it
is still possible to fallback to the libvirt reported
host UUID.
The host UUID exposed could theoretically be leveraged
by a cloud user to get an approximate count of the number
of unique hosts available to them in the cloud by launching
many short lived VMs. Administrators concerned about this
may wish to disable reporting of any sysinfo serial field
at all.
Introduce a 'sysinfo_serial' config parameter to the libvirt
driver to control behaviour, accepting values:
- 'auto' - try /etc/machine-id, fallback to
libvirt reported host UUID (new default)
- 'hardware' - always use libvirt host UUID (old default)
- 'os' - always use /etc/machine-id, error if missing
- 'none' - do not report any value to the guest
DocImpact: new libvirt.sysinfo_serial config parameter
SecurityImpact
Closes-bug: #1337349
Change-Id: I7ba7dbd65e913a66efe35a1d6490a85bec8413da
** Changed in: nova
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1337349
Title:
Nova qemu hypervisor host smbios serial number is leaked to guest
Status in OpenStack Compute (Nova):
Fix Committed
Status in OpenStack Security Advisories:
Won't Fix
Status in OpenStack Security Notes:
New
Bug description:
Erwan Velu from eNovance reported a vulnerability in OpenStack Nova.
The hypervisor is passing host system uuid (-smbios version) to guests, and this happen to be a critical info leak.
The defect have been pinpointed to:
https://github.com/openstack/nova/blob/master/nova/virt/libvirt/driver.py#L3054
From a simple virtual machine, this may allow numerous info leak like:
Allow compute hardware enumeration from guests
Deduce service tag and get all hardware configuration
Ability to know if two instances are on the same compute
Dell hardware is particulary impacted as :
- the uuid encodes the service tag
- the service tag can be used on support site to determine:
- detailled hardware configuration
- date & country where the hw was shipped
- date & type of support contract
- amount of servers bought during this shipment
If there is no use case for this, we should scrambled that piece of
information.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1337349/+subscriptions
More information about the Openstack-security
mailing list