[Openstack-security] [Bug 1274034] Related fix merged to neutron (master)

OpenStack Infra 1274034 at bugs.launchpad.net
Fri Apr 24 04:58:37 UTC 2015 

Reviewed:  https://review.openstack.org/141130
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2414834ffeb8ba7ce2401236d01c88702fec5a14
Submitter: Jenkins
Branch:    master

commit 2414834ffeb8ba7ce2401236d01c88702fec5a14
Author: Édouard Thuleau <edouard.thuleau at cloudwatt.com>
Date:   Tue Feb 10 13:43:34 2015 +1300

    ARP spoofing patch: Low level ebtables integration
    
    ARP cache poisoning is not actually prevented by the firewall
    driver 'iptables_firewall'. We are adding the use of the ebtables
    command - with a corresponding ebtables-driver - in order to create
    Ethernet frame filtering rules, which prevent the sending of ARP
    cache poisoning frames.
    
    The complete patch is broken into a set of smaller patches for easier review.
    
    This patch here is th first of the series and includes the low-level ebtables
    integration, unit and functional tests.
    
    Note:
        This commit is based greatly on an original, now abandoned patch,
        presented for review here:
    
            https://review.openstack.org/#/c/70067/
    
        Full spec can be found here:
    
            https://review.openstack.org/#/c/129090/
    
    SecurityImpact
    
    Change-Id: I9ef57a86b1a1c1fa4ba1a034c920f23cb40072c0
    Implements: blueprint arp-spoof-patch-ebtables
    Related-Bug: 1274034
    Co-Authored-By: jbrendel <jbrendel at cisco.com>

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1274034

Title:
  Neutron firewall anti-spoofing does not prevent ARP poisoning

Status in OpenStack Neutron (virtual network service):
  In Progress
Status in OpenStack Security Advisories:
  Invalid
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning.
  When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
  - no-mac-spoofing
  - no-ip-spoofing
  - no-arp-spoofing
  - nova-no-nd-reflection
  - allow-dhcp-server

  Actually, the neutron firewall driver 'iptabes_firawall' handles only
  MAC and IP anti-spoofing rules.

  This is a security vulnerability, especially on shared networks.

  Reproduce an ARP cache poisoning and man in the middle:
  - Create a private network/subnet 10.0.0.0/24
  - Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4)
  - Log on VM1 and install ettercap [1]
  - Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
  - Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok
  - Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2]
  - Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1

  [1] http://ettercap.github.io/ettercap/
  [2] http://paste.openstack.org/show/62112/

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions

More information about the Openstack-security mailing list