[Openstack-security] [Bug 1681465] Re: VNC connection to VMs is unprotected

Jeremy Stanley fungi at yuggoth.org
Wed May 24 14:36:22 UTC 2017 

I really don't see where keeping this report secret is helping anyone
anyway, and given that the risk for this is already documented and there
is known work underway to mitigate it in future releases I'm going ahead
with switching it to public, as a potential hardening opportunity.

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  Description:
  ============
  
  OpenStack Nova does not provide any protection of VNC servers running on
  compute nodes by default. Any client that has access to management
  network can connect to the consoles of VMs running on compute node and
  obtains full access to VMs via the console (e.g. by rebooting VMs to
  single-user mode).
  
  Steps to reproduce
  ==================
  - Configuration: the management interface of the compute node has a public IP address and is not protected by firewalls
  - Create a VM on the compute node
  - Use a VNC client to connect directly to the IP of the compute node via port 590x from anywhere.
  
  Expected result
  ===============
  Connections refused. Only VNC connections from master node should be accepted. Other should connect using proxy on master node which does also authorization
  
  Actual result
  =============
  Connection accepted. Anyone can use VNC client to connect directly to the console of VMs running on the compute node without any authentication/authorization
  
  Discussion
  ===========
  
  To be fair, most of examples in the OpenStack documentation have
  management networks private, so the network configuration in the
  examples are safe. However, OpenStack documentation only emphasizes the
  separation of management network from other networks (VM, data) and does
  not explicitly require (in a visible way) that the management networks
  must be protected (private networks, firewalls). The management network
  may be separated to another (public) network segment and the system is
  still vulnerable to the VNC attack.
  
  Therefore, the VNC connection to compute nodes should be protected
  (password, iptables) by default, or the documentation should give
  explicit warning that the management network must be private or
  protected by firewalls.

** Information type changed from Private Security to Public

** Tags added: security

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1681465

Title:
  VNC connection to VMs is unprotected

Status in OpenStack Compute (nova):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Description:
  ============

  OpenStack Nova does not provide any protection of VNC servers running
  on compute nodes by default. Any client that has access to management
  network can connect to the consoles of VMs running on compute node and
  obtains full access to VMs via the console (e.g. by rebooting VMs to
  single-user mode).

  Steps to reproduce
  ==================
  - Configuration: the management interface of the compute node has a public IP address and is not protected by firewalls
  - Create a VM on the compute node
  - Use a VNC client to connect directly to the IP of the compute node via port 590x from anywhere.

  Expected result
  ===============
  Connections refused. Only VNC connections from master node should be accepted. Other should connect using proxy on master node which does also authorization

  Actual result
  =============
  Connection accepted. Anyone can use VNC client to connect directly to the console of VMs running on the compute node without any authentication/authorization

  Discussion
  ===========

  To be fair, most of examples in the OpenStack documentation have
  management networks private, so the network configuration in the
  examples are safe. However, OpenStack documentation only emphasizes
  the separation of management network from other networks (VM, data)
  and does not explicitly require (in a visible way) that the management
  networks must be protected (private networks, firewalls). The
  management network may be separated to another (public) network
  segment and the system is still vulnerable to the VNC attack.

  Therefore, the VNC connection to compute nodes should be protected
  (password, iptables) by default, or the documentation should give
  explicit warning that the management network must be private or
  protected by firewalls.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1681465/+subscriptions

More information about the Openstack-security mailing list