Open Stack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes
- ---

### Summary ###
When using the LVMISCSIDriver with Cinder, the credentials for CHAP
authentication are not formatted correctly in the tgtadm configuration
file. This leads to a condition where an operator will expect that
volumes can only be mounted with the authentication credentials when,
in fact, they can be mounted without the credentials.

### Affected Services / Software ###
Cinder, Icehouse

### Discussion ###
When requesting that LVMISCSIDriver based volumes use the CHAP
authentication protocol, Cinder will add the credentials for
authentication to the configuration file for the tgtadm
application. In pre-Juno versions of Cinder the key name for these
credentials is incorrect. This incorrect key name will cause tgtadm
to not properly parse those credentials.

With incorrect credentials in place, tgtadm will fail to authenticate
volume mounting when requested by Cinder. The failed setting of
credentials through the configuration file will also allow
unauthenticated access to these volumes. This can allow instances
on the same network as the volumes to mount them without providing the
credentials to the tgtadm application.

This behavior can be confirmed by displaying the accounts associated
with a volume. For volumes which have authentication enabled, you will
see an account listed in the output of the tgtadm application. The
account names created by Cinder will be randomly generated and will
appear as 20 character strings. To print the information for volumes
the following command can be run on nodes with attached volumes:

    # tgtadm --lld iscsi --op show --mode target

User names will be found in the `Account information:` section.

### Recommended Actions ###
If possible, Cinder should be updated to the Juno release or newer. If
this is not possible, then the following guidance will help mitigate
unwanted traffic to the affected nodes.

1. Identify the nodes that will be exposing Cinder volumes with the
LVMISCSIDriver and the nodes that will need to attach those volumes.

2. Implement either security group port rules or iptables rules on
the nodes exposing the volumes to only allow traffic through port 3260
from nodes that will need to attach volumes.

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0058
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1329214
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJV+y3SAAoJEJa+6E7Ri+EVkZcH/0dhSGD2zg4293NP6eagIAWE
fb6H71CNJ8y3gyu08Z2qc9FB/bi2NTxQtYJQVNQ61nhacukgVk60rJ/OD2ibOKFZ
sEWMg+A1DGk9JXkG8hvzh31caVx0KJr1YOcSrzLiPARLDsUIgSOnPXSubLSyivtl
KisHbGXv3q8IySxdHtLbPOBSK7Gc+0Th8c2LiUKIQ61nmMx8vOw/foLRklHqluJ4
uCHmAEfHz9ZC1zk1+K6A+37nRq4kvhBcQta3Kgcwm62on+GXkt0yejkSE0EPctl9
h9t8DTPsaG4MKpFHgqBHpq+0oRgVrwdI91kVI1UxqNSsVHv6nHRpdBTcU1F4Aqg=
=5s7B
-----END PGP SIGNATURE-----