[Openstack-security] [Bug 1822572] Re: default security group with multiple subnets can expose all services to internet

Jeremy Stanley fungi at yuggoth.org
Wed Apr 24 18:30:00 UTC 2019


*** This bug is a duplicate of bug 1793029 ***
    https://bugs.launchpad.net/bugs/1793029

Yes, this seems to be a duplicate. I'll switch it to public and mark it
as such now.

** Changed in: ossa
       Status: Incomplete => Won't Fix

** Description changed:

- This issue is being treated as a potential security risk under embargo.
- Please do not make any public mention of embargoed (private) security
- vulnerabilities before their coordinated publication by the OpenStack
- Vulnerability Management Team in the form of an official OpenStack
- Security Advisory. This includes discussion of the bug or associated
- fixes in public forums such as mailing lists, code review systems and
- bug trackers. Please also avoid private disclosure to other individuals
- not already approved for access to this information, and provide this
- same reminder to those who are made aware of the issue prior to
- publication. All discussion should remain confined to this private bug
- report, and any proposed fixes should be added to the bug as
- attachments.
- 
  The Default security group permits connections from other members via an
  ipset definition. In a project which has multiple networks/subnets, this
  ipset gets the following entries added:
  
    0.0.0.0/1
    128.0.0.0/1
  
  Combined with a float IP assignment, the result is that all services are
  exposed to the Internet regardless of all other security group policies
  applied.
  
  Example Default security group definition:
  
  routergod@juju:~/openstack-base$ openstack security group show b74db3fa-110c-4a69-81c7-c20eb268545f --format shell
  created_at="2018-12-19T08:20:46Z"
  description="Default security group"
  id="b74db3fa-110c-4a69-81c7-c20eb268545f"
  name="default"
  project_id="be08d8a5ba844902927d14deb1aa1673"
  revision_number="1"
  rules="created_at='2018-12-19T08:20:46Z', direction='egress', ethertype='IPv4', id='14801bac-3519-411e-ba33-4b1321756d2b', updated_at='2018-12-19T08:20:46Z'
  created_at='2018-12-19T08:20:46Z', direction='ingress', ethertype='IPv4', id='4b6bfdd4-366e-49cd-b3ff-323e33464750', remote_group_id='b74db3fa-110c-4a69-81c7-c20eb268545f', updated_at='2018-12-19T08:20:46Z'
  created_at='2018-12-19T08:20:46Z', direction='ingress', ethertype='IPv6', id='6d0f6be0-3c10-46c1-a279-b79b55deef36', remote_group_id='b74db3fa-110c-4a69-81c7-c20eb268545f', updated_at='2018-12-19T08:20:46Z'
  created_at='2018-12-19T08:20:46Z', direction='egress', ethertype='IPv6', id='eae8ef70-2ce9-486b-84ad-46cf09908ba8', updated_at='2018-12-19T08:20:46Z'"
  updated_at="2018-12-19T08:20:46Z"
  
  The ipset definition in the hypervisor:
  
  root@oshv07:~# ipset list
  Name: NIPv4b74db3fa-110c-4a69-81c7-
  Type: hash:net
  Revision: 6
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 1688
  References: 14
  Number of entries: 22
  Members:
  192.168.4.7
  192.168.4.11
  192.168.4.14
  192.168.4.36
  192.168.4.35
  192.168.4.15
  192.168.4.26
  192.168.4.27
  192.168.2.19
  192.168.4.46
  192.168.4.28
  128.0.0.0/1
  192.168.4.13
  192.168.1.5
  192.168.4.10
  192.168.4.22
  0.0.0.0/1
  192.168.4.30
  192.168.4.20
  192.168.4.19
  192.168.4.16
  192.168.4.25
  
  This is a similar definition for a project where there is only one
  subnet:
  
  Name: NIPv4b7c8d07b-d814-448d-88ac-
  Type: hash:net
  Revision: 6
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 792
  References: 7
  Number of entries: 7
  Members:
  192.168.1.14
  192.168.1.13
  192.168.1.11
  192.168.1.5
  192.168.1.24
  192.168.1.10
  192.168.1.8
  
  This has been verified on Mitaka with Linux Bridging and on Queens with
  OVS.

** Information type changed from Private Security to Public

** Tags added: security

** This bug has been marked a duplicate of bug 1793029
   adding 0.0.0.0/0 address pair to a port  bypasses all other vm security groups

-- 
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1822572

Title:
  default security group with multiple subnets can expose all services
  to internet

Status in neutron:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  The Default security group permits connections from other members via
  an ipset definition. In a project which has multiple networks/subnets,
  this ipset gets the following entries added:

    0.0.0.0/1
    128.0.0.0/1

  Combined with a float IP assignment, the result is that all services
  are exposed to the Internet regardless of all other security group
  policies applied.

  Example Default security group definition:

  routergod@juju:~/openstack-base$ openstack security group show b74db3fa-110c-4a69-81c7-c20eb268545f --format shell
  created_at="2018-12-19T08:20:46Z"
  description="Default security group"
  id="b74db3fa-110c-4a69-81c7-c20eb268545f"
  name="default"
  project_id="be08d8a5ba844902927d14deb1aa1673"
  revision_number="1"
  rules="created_at='2018-12-19T08:20:46Z', direction='egress', ethertype='IPv4', id='14801bac-3519-411e-ba33-4b1321756d2b', updated_at='2018-12-19T08:20:46Z'
  created_at='2018-12-19T08:20:46Z', direction='ingress', ethertype='IPv4', id='4b6bfdd4-366e-49cd-b3ff-323e33464750', remote_group_id='b74db3fa-110c-4a69-81c7-c20eb268545f', updated_at='2018-12-19T08:20:46Z'
  created_at='2018-12-19T08:20:46Z', direction='ingress', ethertype='IPv6', id='6d0f6be0-3c10-46c1-a279-b79b55deef36', remote_group_id='b74db3fa-110c-4a69-81c7-c20eb268545f', updated_at='2018-12-19T08:20:46Z'
  created_at='2018-12-19T08:20:46Z', direction='egress', ethertype='IPv6', id='eae8ef70-2ce9-486b-84ad-46cf09908ba8', updated_at='2018-12-19T08:20:46Z'"
  updated_at="2018-12-19T08:20:46Z"

  The ipset definition in the hypervisor:

  root@oshv07:~# ipset list
  Name: NIPv4b74db3fa-110c-4a69-81c7-
  Type: hash:net
  Revision: 6
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 1688
  References: 14
  Number of entries: 22
  Members:
  192.168.4.7
  192.168.4.11
  192.168.4.14
  192.168.4.36
  192.168.4.35
  192.168.4.15
  192.168.4.26
  192.168.4.27
  192.168.2.19
  192.168.4.46
  192.168.4.28
  128.0.0.0/1
  192.168.4.13
  192.168.1.5
  192.168.4.10
  192.168.4.22
  0.0.0.0/1
  192.168.4.30
  192.168.4.20
  192.168.4.19
  192.168.4.16
  192.168.4.25

  This is a similar definition for a project where there is only one
  subnet:

  Name: NIPv4b7c8d07b-d814-448d-88ac-
  Type: hash:net
  Revision: 6
  Header: family inet hashsize 1024 maxelem 65536
  Size in memory: 792
  References: 7
  Number of entries: 7
  Members:
  192.168.1.14
  192.168.1.13
  192.168.1.11
  192.168.1.5
  192.168.1.24
  192.168.1.10
  192.168.1.8

  This has been verified on Mitaka with Linux Bridging and on Queens
  with OVS.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1822572/+subscriptions
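The condition described in the report can be checked for from the hypervisor side without touching Neutron. The script below is an added example, not code from the bug report or from the Neutron project: it parses `ipset list` output in the layout shown above (the sample text is constructed to mirror that layout with fewer members, and is not a capture from a real host), collapses each set's members with Python's `ipaddress` module, and flags any set whose members end up covering the entire address family or that contains a member wider than a /8. The two entries in the report, 0.0.0.0/1 and 128.0.0.0/1, together cover all of IPv4, which is why the `remote_group_id` rule backed by that set matches every source address. The set names in the sample, the prefix-length threshold and the function names are assumptions of this example.

```python
import ipaddress

# Constructed sample in the layout of `ipset list` as shown in the bug report.
# The set names copy the truncated names from the report; member lists are shortened.
SAMPLE_IPSET_LIST = """\
Name: NIPv4b74db3fa-110c-4a69-81c7-
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1688
References: 14
Number of entries: 5
Members:
192.168.4.7
128.0.0.0/1
192.168.1.5
0.0.0.0/1
192.168.4.30

Name: NIPv4b7c8d07b-d814-448d-88ac-
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 792
References: 7
Number of entries: 3
Members:
192.168.1.14
192.168.1.13
192.168.1.11
"""


def parse_ipset_list(text):
    """Parse `ipset list` output into {set_name: [ip_network, ...]}.

    Only the Name: line and the lines following Members: are used; a blank
    line ends the member list of the current set.
    """
    sets = {}
    name = None
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_members = False
            continue
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            sets[name] = []
            in_members = False
        elif line.startswith("Members:"):
            in_members = True
        elif in_members and name is not None:
            # hash:net members may carry a prefix length; a bare address is a /32 (or /128).
            sets[name].append(ipaddress.ip_network(line, strict=False))
    return sets


def coverage_fraction(nets):
    """Fraction of the address family's space covered by the members after collapsing.

    collapse_addresses merges adjacent, aligned networks into their supernet, so
    0.0.0.0/1 and 128.0.0.0/1 become 0.0.0.0/0 and the fraction is exactly 1.0.
    """
    if not nets:
        return 0.0
    collapsed = list(ipaddress.collapse_addresses(nets))
    family_bits = collapsed[0].max_prefixlen
    covered = sum(n.num_addresses for n in collapsed)
    return covered / (2 ** family_bits)


def find_overbroad_sets(sets, max_prefixlen=8):
    """Return {set_name: {"coverage": float, "broad_members": [str, ...]}}.

    A set is reported when its members cover the whole address family or when
    any single member is wider than /max_prefixlen (threshold is an assumption).
    """
    findings = {}
    for name, nets in sets.items():
        broad = [str(n) for n in nets if n.prefixlen <= max_prefixlen]
        coverage = coverage_fraction(nets)
        if broad or coverage >= 1.0:
            findings[name] = {"coverage": coverage, "broad_members": broad}
    return findings


if __name__ == "__main__":
    # On a real hypervisor: subprocess.run(["ipset", "list"], capture_output=True, text=True).stdout
    for set_name, finding in find_overbroad_sets(parse_ipset_list(SAMPLE_IPSET_LIST)).items():
        print(f"{set_name}: covers {finding['coverage']:.0%} of the address space; "
              f"broad members: {', '.join(finding['broad_members']) or 'none'}")
```

Run against the sample, only the first set is reported, with the two /1 members and a coverage of 100%; the single-subnet set in the report contains only host addresses and is not flagged. On a real host, feed the script the output of `ipset list` and treat any flagged set that backs a `remote_group_id` rule as the condition the report describes.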
