[Openstack] Security Breach! Tenant A is seeing the VNC Consoles of Tenant B!

Jeffrey Walton noloader at gmail.com
Mon Dec 23 21:32:22 UTC 2013


> This security breach is happening right now here and I
> don't know what I can do to fix it, or what I should type
> in a BUG at Launchpad...
Ubuntu has made it all but impossible to file bug reports. Their circular
redirects are worse than a telephone menu system that takes you down a
bunch of dead-end paths. Unless you have the URL jotted down in a
notebook....

Try this link to file a bug report:
https://bugs.launchpad.net/ubuntu/+filebug/?no-redirect.

The page asks you to select a package. But I find the package search tool
is nearly broken, and I often have to file them under "I Don't Know" because
the package I am looking for is not a selection.

> *This problem is very serious*, mostly because "Tenant A"
> can't see its own instances, so he is unable to use
> OpenStack anymore, and "Tenant B" isn't aware that someone
> else is accessing its Instances without his permission.
There are a few CVEs associated with similar issues:

 * http://insecure.org/search.html?q=openstack%20tenant
 * http://insecure.org/search.html?q=openstack%20vnc

See, for example "VNC proxy can connect to the wrong VM",
http://seclists.org/oss-sec/2013/q1/456. Perhaps you are seeing an
unpatched bug due to a downlevel version of the software?

Jeff

On Mon, Dec 23, 2013 at 3:57 PM, Martinx - ジェームズ
<thiagocmartinsc at gmail.com> wrote:

> Hi Diego!
>
> I did not reinstall OpenStack components or Compute Node... It was a fresh
> install that I started using in production.
>
> I already did this before, I mean, reinstalled things without formatting the
> server, but I always removed all the remaining instances, with virt-manager,
> before starting over again, but not this time.
>
> This security breach is happening right now here and I don't know what I
> can do to fix it, or what I should type in a BUG at Launchpad...
>
> *This problem is very serious*, mostly because "Tenant A" can't see its
> own instances, so he is unable to use OpenStack anymore, and "Tenant
> B" isn't aware that someone else is accessing its Instances without his
> permission.
>
> I'm sure that this problem is worth a look by someone more expert
> than I.
>