[Openstack-security] [Bug 1563954] Re: use_forwarded_for exposes metadata
Jeremy Stanley
fungi at yuggoth.org
Fri Dec 6 16:48:31 UTC 2019
Any idea what would have fixed it? My understanding of this report was
that it's an architectural issue in deployments where if you set up a
proxy (for example a load balancer) between the guest instances and the
metadata service then you need to be able to tell the metadata service
to look at the X-Forwarded-For header added by the load balancer to know
which instance is making the request. If you set that and your network
is mis-designed to allow instances to also contact the metadata service
directly without passing through the load balancer, then the request
from the instance can be specially constructed so as to include a
spoofed X-Forwarded-For header which allows it to obtain metadata for a
different instance associated with the address included in that injected
header.
--
You received this bug notification because you are a member of OpenStack
Security SIG, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1563954
Title:
use_forwarded_for exposes metadata
Status in OpenStack Compute (nova):
Confirmed
Status in OpenStack Security Advisory:
Opinion
Status in OpenStack Security Notes:
Fix Released
Bug description:
The nova metadata service uses the remote address to determine which
metadata to retrieve. In order to work behind a proxy there is an
option use_forwarded_for which will use the X-Forwarded-For header to
determine the remote IP.
If this option is set then anyone who can access the metadata port can
request metadata for any instance if they know the IP.
The user data is also exposed.
$ echo 123456 > /tmp/data
$ openstack server create --image CentOS7 --flavor fedora --user-data /tmp/data test
<wait>
$ curl -H 'X-Forwarded-For: 10.0.0.7' http://localhost:8775/latest/user-data/
123456
At a minimum this side-effect isn't documented anywhere I could find.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1563954/+subscriptions
More information about the Openstack-security
mailing list