[Openstack-security] [Bug 1316822] Re: soft reboot of instance does not ensure iptables rules are present

Jeremy Stanley fungi at yuggoth.org
Mon Jul 7 19:11:49 UTC 2014 

After discussing with Andrew and Thierry, I'm convinced that the
potential behavior change introduced by a backport of that mitigating
commit, when weighed against the amount of social engineering needed to
exploit this in Havana, means this bug is probably better just
documented as a known behavior.

Removed the advisory task and tagged security in case the OSSG has any
interest in documenting this.

** Tags added: security

** Information type changed from Public Security to Public

** No longer affects: ossa

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1316822

Title:
  soft reboot of instance does not ensure iptables rules are present

Status in OpenStack Compute (Nova):
  New

Bug description:
  The iptables rules needed to implement instance security group rules
  get inserted by the "_create_domain_and_network" function in
  nova/virt/libvirt/driver.py

  This function is called by the following functions: _hard_reboot,
  resume and spawn (also in a couple of migration related functions).

  Doing "nova reboot <instance_id>" only does a soft reboot
  (_soft_reboot) and assumes that the rules are already present and
  therefore does not check or try to add them.

  If the instances is stopped (nova stop <instance_id>) and nova-compute
  is restarted (for example for a maintenance or problem), the iptables
  rules are removed as observed via output displayed in iptables -S.

  If the instance is started via  nova reboot <instance_id> the rule is
  NOT reapplied until a service nova-compute restart is issued. I have
  reports that this may affect "nova start <instance_id>" as well.

  Depending on if the Cloud is public facing, this opens up a
  potentially huge security vulnerability as an instance can be powered
  on without being protected by any security group rules (not even the
  sg-fallback rule). This is unbeknownst to the instance owner or Cloud
  operators unless they specifically monitor for this situation.

  The code should not do a soft reboot/start and error out or fallback
  to a resume (start)or hard reboot if it detects that the domain is not
  running.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1316822/+subscriptions

More information about the Openstack-security mailing list