[Openstack-security] [Bug 1563954] Re: use_forwarded_for exposes metadata

Tristan Cacqueray tdecacqu at redhat.com
Fri Jan 20 01:03:45 UTC 2017


** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
- --
- 
  The nova metadata service uses the remote address to determine which
  metadata to retrieve. In order to work behind a proxy there is an option
  use_forwarded_for which will use the X-Forwarded-For header to determine
  the remote IP.
  
  If this option is set then anyone who can access the metadata port can
  request metadata for any instance if they know the IP.
  
  The user data is also exposed.
  
  $ echo 123456 > /tmp/data
  $ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
  <wait>
  $ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
  123456
  
  At a minimum this side-effect isn't documented anywhere I could find.

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1563954

Title:
  use_forwarded_for exposes metadata

Status in OpenStack Compute (nova):
  Confirmed
Status in OpenStack Security Advisory:
  Opinion
Status in OpenStack Security Notes:
  Fix Released


To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1563954/+subscriptions
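The report above boils down to one decision: which address the metadata service treats as the caller. The following is an added example (not nova's code, and not from the bug reporter) that places the behaviour the report describes next to a hardened variant that only honours X-Forwarded-For when the TCP peer is a configured proxy; the function names, the trusted_proxies parameter and the sample addresses are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, Mapping


def naive_resolve(remote_addr: str, headers: Mapping[str, str],
                  use_forwarded_for: bool) -> str:
    """Behaviour the report describes: with use_forwarded_for on, the
    header is believed no matter who sent it (hypothetical reconstruction)."""
    if use_forwarded_for:
        return headers.get("X-Forwarded-For", remote_addr)
    return remote_addr


def hardened_resolve(remote_addr: str, headers: Mapping[str, str],
                     use_forwarded_for: bool,
                     trusted_proxies: Iterable[str] = ()) -> str:
    """Honour X-Forwarded-For only when the direct peer is a trusted proxy.

    Hypothetical helper. A client that reaches the metadata port directly
    (peer not in trusted_proxies) keeps its real peer address, so the
    header cannot be used to read another instance's metadata.
    """
    if not use_forwarded_for:
        return remote_addr
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(addr: str) -> bool:
        try:
            return any(ipaddress.ip_address(addr) in net for net in nets)
        except ValueError:          # not a valid IP literal
            return False

    if not trusted(remote_addr):
        return remote_addr
    # Header lookup is case-insensitive; constructed sample headers below use
    # the canonical spelling, real WSGI stacks may not.
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    # Walk right to left: each trusted proxy appended the address it saw, so
    # the first hop that is not a trusted proxy is the real client.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:          # malformed hop: refuse, keep the peer
            return remote_addr
        if not trusted(hop):
            return str(ip)
    return remote_addr              # empty header or only proxies listed
```

In the report's curl example the peer is 127.0.0.1 with a forged header; the hardened variant ignores the header unless 127.0.0.1 is listed as a proxy.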




More information about the Openstack-security mailing list