[Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning
George Shuklin
1274034 at bugs.launchpad.net
Fri May 15 13:45:24 UTC 2015
I consider broken antispoofing as a serious flaw, because it allows to
interrupt activity of innocent tenants by malicious activity of the
unprivileged tenant.
If you insist that it is 'not a security issue, just imperfect design',
ok, ok. But don't get upset if this bug will be used by competitors to
demonstrate how neglected security issues are in Openstack.
Two versions of Openstack had been released with known security bug And
after bugfix was finally released it was not ported to currently
supported versions.
Nice work!
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1274034
Title:
Neutron firewall anti-spoofing does not prevent ARP poisoning
Status in OpenStack Neutron (virtual network service):
In Progress
Status in OpenStack Security Advisories:
Invalid
Status in OpenStack Security Notes:
Fix Released
Bug description:
The neutron firewall driver 'iptabes_firawall' does not prevent ARP cache poisoning.
When anti-spoofing rules are handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptabes_firawall' handles only
MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks.
Reproduce an ARP cache poisoning and man in the middle:
- Create a private network/subnet 10.0.0.0/24
- Start 2 VM attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4)
- Log on VM1 and install ettercap [1]
- Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
- Log on too on VM2 (with VNC/spice console) and ping google.fr => ping is ok
- Go back on VM1, and see the VM2's ping to google.fr going to the VM1 instead to be send directly to the network gateway and forwarded by the VM1 to the gw. The ICMP capture looks something like that [2]
- Go back to VM2 and check the ARP table => the MAC address associated to the GW is the MAC address of VM1
[1] http://ettercap.github.io/ettercap/
[2] http://paste.openstack.org/show/62112/
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1274034/+subscriptions
More information about the Openstack-security
mailing list