OpenStack wiki, user contributions by Nkinder (Atom feed generated 2024-03-29T06:20:35Z by MediaWiki 1.28.2): https://wiki.openstack.org/w/api.php?action=feedcontributions&user=Nkinder&feedformat=atom

'''Security Notes''', revision of 2016-06-09T19:51:41Z by Nkinder (section edit: Published Security Notes): https://wiki.openstack.org/w/index.php?title=Security_Notes&diff=126544
----
<div>
The OpenStack Security Project (OSSP) publishes Security Notes (OSSNs) to advise users of security-related issues. Security Notes are similar to advisories and complement them: they address vulnerabilities in third-party tools typically used within OpenStack deployments, and provide guidance on common configuration mistakes that can result in an insecure operating environment.

For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.

=== Published Security Notes ===
* [[OSSN/OSSN-0068|OSSN-0068]] - DoS style attack on keystone, using repeated token revocation requests, can lead to service degradation or disruption
* [[OSSN/OSSN-0067|OSSN-0067]] - Barbican server discloses SQL password and X-auth token values via LOG.debug ('''work in progress''')
* [[OSSN/OSSN-0066|OSSN-0066]] - mongodb guest instance allows any user to connect ('''work in progress''')
* [[OSSN/OSSN-0065|OSSN-0065]] - Glance embargoed issue ('''work in progress''')
* [[OSSN/OSSN-0064|OSSN-0064]] - Keystone 'Admin_Token' in default configuration leads to insecure operation ('''work in progress''')
* [[OSSN/OSSN-0063|OSSN-0063]] - Nova and Cinder key manager for Barbican misuses cached credentials (9 Jun 2016)
* [[OSSN/OSSN-0062|OSSN-0062]] - Potential reuse of revoked Identity tokens (15 Dec 2015)
* [[OSSN/OSSN-0061|OSSN-0061]] - Glance image signature uses an insecure hash algorithm (MD5) (15 Dec 2015)
* [[OSSN/OSSN-0060|OSSN-0060]] - Glance configuration option can lead to privilege escalation (25 Jan 2016)
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host (16 Nov 2015)
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)
</div>

'''OSSN/OSSN-0063''', created 2016-06-09T19:49:11Z by Nkinder (edit summary: Created page): https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0063&diff=126543
----
<div>__NOTOC__

== Nova and Cinder key manager for Barbican misuses cached credentials ==
=== Summary ===
In the Icehouse release the Cinder and Nova projects added a feature that supports storage volume encryption using keys stored in Barbican. The Barbican key manager that is part of Nova and Cinder had a bug that could cause an authorized user to lose access to an encryption key, or allow the wrong user to gain access to an encryption key.

=== Affected Services / Software ===
Cinder: Icehouse, Juno, Kilo, Liberty
Nova: Juno, Kilo, Liberty

=== Discussion ===
The Barbican key manager is a feature of Nova and Cinder that allows those projects to create and retrieve keys in Barbican. The key manager includes a client cache that allows a copy_key() operation to complete while validating the caller's token with Keystone only once.

This cache had a bug such that the cached token was reused for operations where it was no longer valid. The symptoms vary, but include a user being unable to access their own key (the cached token is no longer accepted by Keystone, even though the caller holds a valid one) and the wrong user being able to access a key (the cached token belongs to a different user than the caller).

An affected user would see an error similar to this in their cinder log:

 2015-12-03 09:09:03.648 TRACE cinder.volume.api Unauthorized: The
 request you have made requires authentication. (Disable debug mode to
 suppress these details.) (HTTP 401) (Request-ID:
 req-d2c52e0b-c16d-43ec-a7a0-7611113f1270)

Note that the same 401 is also produced by a genuinely expired or revoked token, so this log line on its own does not confirm the bug; it is the combination with a caller that holds a valid token that points to the cache.
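The following Python model is an added illustration of the cache misuse described above; it is not code from Nova, Cinder or Barbican, and the merged patches listed below are not reproduced here. RequestContext, SecretStore, SecretClient and the two key-manager classes are hypothetical stand-ins: NaiveKeyManager reuses whichever client was built first, which yields both symptoms from the note, while ContextBoundKeyManager keys its cache on the caller's token and evicts expired entries, which is one reasonable way to keep "validate once" without serving another user's credentials. The clock is passed in explicitly so the scenario is deterministic.

```python
"""Model of the client-cache bug described in OSSN-0063 (added example, not project code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RequestContext:
    """Hypothetical stand-in for the OpenStack request context."""
    user_id: str
    project_id: str
    auth_token: str
    token_expires_at: float  # assumed known from token validation (epoch seconds)


class SecretStore:
    """Stand-in for Barbican: every secret is owned by exactly one project."""

    def __init__(self):
        self._secrets = {}

    def store(self, project_id, secret_id, value):
        self._secrets[secret_id] = (project_id, value)

    def get(self, project_id, secret_id):
        owner, value = self._secrets[secret_id]
        if owner != project_id:
            raise PermissionError("403 Forbidden: secret belongs to another project")
        return value


class SecretClient:
    """A client bound to one context, like a Barbican client built from a token."""

    def __init__(self, store, ctxt):
        self.store = store
        self.ctxt = ctxt

    def get_secret(self, secret_id, now):
        # The token service would reject an expired token with a 401.
        if now >= self.ctxt.token_expires_at:
            raise PermissionError("401 Unauthorized: token expired")
        return self.store.get(self.ctxt.project_id, secret_id)


class NaiveKeyManager:
    """Vulnerable pattern: the first client built is reused for every caller."""

    def __init__(self, store):
        self.store = store
        self._client = None

    def get_key(self, ctxt, key_id, now):
        if self._client is None:
            self._client = SecretClient(self.store, ctxt)
        # BUG: ctxt is ignored once a client exists; whoever came first "wins".
        return self._client.get_secret(key_id, now)


class ContextBoundKeyManager:
    """Hardened pattern: cache keyed by the caller's token, rebuilt on expiry."""

    def __init__(self, store):
        self.store = store
        self._clients = {}

    def get_key(self, ctxt, key_id, now):
        client = self._clients.get(ctxt.auth_token)
        if client is None or now >= client.ctxt.token_expires_at:
            client = SecretClient(self.store, ctxt)  # bound to exactly this context
            self._clients[ctxt.auth_token] = client
        return client.get_secret(key_id, now)


def _outcome(call):
    """Collapse a call into 'ok', '401 Unauthorized' or '403 Forbidden'."""
    try:
        call()
        return "ok"
    except PermissionError as exc:
        return str(exc).split(":")[0]


def demo():
    """Constructed scenario: two users in two projects, each owning one key."""
    store = SecretStore()
    store.store("proj-a", "key-a", b"\x01" * 32)
    store.store("proj-b", "key-b", b"\x02" * 32)
    alice = RequestContext("alice", "proj-a", "tok-alice", token_expires_at=1000.0)
    alice_fresh = RequestContext("alice", "proj-a", "tok-alice-2", token_expires_at=3000.0)
    bob = RequestContext("bob", "proj-b", "tok-bob", token_expires_at=2000.0)
    results = {}

    naive = NaiveKeyManager(store)
    naive.get_key(alice, "key-a", now=100.0)  # warms the cache with alice's client
    results["naive_bob_own_key"] = _outcome(lambda: naive.get_key(bob, "key-b", now=100.0))
    results["naive_bob_alice_key"] = _outcome(lambda: naive.get_key(bob, "key-a", now=100.0))
    results["naive_alice_fresh_token"] = _outcome(lambda: naive.get_key(alice_fresh, "key-a", now=1500.0))

    bound = ContextBoundKeyManager(store)
    bound.get_key(alice, "key-a", now=100.0)
    results["bound_bob_own_key"] = _outcome(lambda: bound.get_key(bob, "key-b", now=100.0))
    results["bound_bob_alice_key"] = _outcome(lambda: bound.get_key(bob, "key-a", now=100.0))
    results["bound_alice_fresh_token"] = _outcome(lambda: bound.get_key(alice_fresh, "key-a", now=1500.0))
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

With the naive manager Bob is refused his own key (403, "authorized user loses access"), is handed Alice's key ("wrong user gains access"), and Alice is refused with a 401 even after re-authenticating, which is the cinder log line quoted above. The context-bound manager gives the expected answer in all three cases.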
=== Recommended Actions ===
Users wishing to use the Barbican key manager to provide keys for volume encryption with Nova and Cinder should ensure they are using a patched version.

Fixes have been merged for the Mitaka release of both Nova and Cinder. These patches have also been backported to stable/liberty (Nova and Cinder) and stable/kilo (Cinder); the reviews are listed below.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0063
* Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1523646
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Nova patch for Mitaka : https://review.openstack.org/254358/
* Nova patch for stable/liberty : https://review.openstack.org/288490
* Cinder patch for Mitaka : https://review.openstack.org/254357/
* Cinder patch for stable/liberty : https://review.openstack.org/266678
* Cinder patch for stable/kilo : https://review.openstack.org/266680
* CVE : N/A
</div>

'''OSSN/OSSN-0060''', revision of 2016-01-25T20:56:17Z by Nkinder (section edit: Contacts / References): https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0060&diff=102129
----
<div>__NOTOC__

== Glance configuration option can lead to privilege escalation ==
=== Summary ===
Glance exposes a configuration option called `use_user_token` in the configuration file `glance-api.conf`. The default setting (`True`) is secure. If, however, the setting is changed to `False` and valid admin credentials are supplied in the options that follow it (`admin_user` and `admin_password`), Glance API commands will be executed with admin privileges regardless of the intended privilege level of the calling user.

=== Affected Services / Software ===
Glance: Juno, Kilo, Liberty

=== Discussion ===
The `use_user_token` configuration option was created to enable automatic re-authentication for tokens which are close to expiration, thus preventing the tokens from expiring in the middle of longer-running Glance operations. Unfortunately the implementation enables privilege escalation attacks by executing API commands as an administrator-level user.

By default `use_user_token` is set to `True`, which is secure. If the option is disabled (set to `False`) and valid admin credentials are specified in `glance-api.conf`, API commands will be executed as the supplied admin user regardless of the intended privileges of the calling user. These options belong to the registry client, so Glance API v2 configurations which don't use the registry service (that is, `data_api` is not set to `glance.db.registry.api`) aren't affected.

Allowing unauthenticated and lower-privileged users to execute Glance commands with administrator privileges is very dangerous and may expose risks including:
* tampering with images
* deleting images
* denial of service attacks

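The check below is an added example of how an operator could audit a `glance-api.conf` for the condition just described; it is not part of Glance. It assumes the registry client options (`use_user_token`, `admin_user`, `admin_password`, `data_api`) live in the `[DEFAULT]` section, which is where the sample configuration file places them, and it treats a missing or commented-out `use_user_token` as the secure default. The sample configurations are constructed for the example.

```python
"""Audit glance-api.conf for the OSSN-0060 condition (added example, not Glance code)."""
import configparser

# Constructed samples, not taken from any real deployment.
WEAK_CONF = """\
[DEFAULT]
# Registry client settings
use_user_token = False
admin_user = glance
admin_password = s3cret
admin_tenant_name = service
auth_url = http://keystone.example.test:35357/v2.0
data_api = glance.db.registry.api

[keystone_authtoken]
auth_uri = http://keystone.example.test:5000/v2.0
"""

FIXED_CONF = """\
[DEFAULT]
# use_user_token left at its default (True); admin credentials still present
#use_user_token = False
admin_user = glance
admin_password = s3cret
data_api = glance.db.registry.api
"""

NO_CREDS_CONF = """\
[DEFAULT]
use_user_token = False
data_api = glance.db.sqlalchemy.api
"""


def audit_glance_api_conf(text):
    """Return (verdict, findings) for the contents of a glance-api.conf file.

    verdict is "vulnerable" when use_user_token is disabled and admin
    credentials are present, "review" when it is disabled without them,
    and "ok" otherwise.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    default = parser["DEFAULT"]
    findings = []

    # Missing or commented out means the secure default (True).
    use_user_token = default.getboolean("use_user_token", fallback=True)
    if not use_user_token:
        findings.append("use_user_token = False: registry calls will not carry the caller's token")

    has_admin_creds = bool(default.get("admin_user")) and bool(default.get("admin_password"))
    if has_admin_creds:
        findings.append("admin_user/admin_password are set in [DEFAULT]")

    if default.get("data_api") == "glance.db.registry.api":
        findings.append("data_api = glance.db.registry.api: the v2 API also goes through the registry")

    if not use_user_token and has_admin_creds:
        findings.append("VULNERABLE: Glance API calls reach the registry as %s regardless of the caller"
                        % default["admin_user"])
        return "vulnerable", findings
    if not use_user_token:
        return "review", findings
    return "ok", findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF), ("no-creds", NO_CREDS_CONF)):
        verdict, findings = audit_glance_api_conf(conf)
        print(label, verdict)
        for finding in findings:
            print("  -", finding)
```

Run it against the live file as well as any configuration-management template that renders it; the option is easy to set in a template and never see in the deployed host.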
=== Recommended Actions ===
A comprehensive fix will be included in the Mitaka release. Meanwhile it is recommended that all users ensure that `use_user_token` is left at the default setting (`True`) or commented out.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0060
* Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1493448
* OpenStack Security Documentation : https://security.openstack.org
* OpenStack Security Project : https://wiki.openstack.org/wiki/Security
* Bug Introduction : https://review.openstack.org/#/c/29967/
</div>

'''Security Notes''', revision of 2016-01-25T20:55:36Z by Nkinder (section edit: Published Security Notes; an earlier revision of the list above): https://wiki.openstack.org/w/index.php?title=Security_Notes&diff=102128

'''Security Notes''', revision of 2015-12-15T23:00:41Z by Nkinder (section edit: Published Security Notes; an earlier revision of the list above): https://wiki.openstack.org/w/index.php?title=Security_Notes&diff=99716

'''OSSN/OSSN-0062''', created 2015-12-15T23:00:16Z by Nkinder (edit summary: Created page): https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0062&diff=99715
<hr />
<div>__NOTOC__<br />
<br />
== Potential reuse of revoked Identity tokens ==<br />
=== Summary ===<br />
An authorization token issued by the Identity service can be revoked,<br />
which is designed to immediately make that token invalid for future use.<br />
When the PKI or PKIZ token providers are used, it is possible for an<br />
attacker to manipulate the token contents of a revoked token such that<br />
the token will still be considered to be valid. This can allow<br />
unauthorized access to cloud resources if a revoked token is intercepted<br />
by an attacker.<br />
<br />
=== Affected Services / Software ===<br />
Keystone, Icehouse, Juno, Kilo, Liberty<br />
<br />
=== Discussion ===<br />
Token revocation is used in OpenStack to invalidate a token for further<br />
use. This token revocation takes place automatically in certain<br />
situations, such as when a user logs out of the Dashboard. If a revoked<br />
token is obtained by another party, it should no longer be possible to<br />
use it to perform any actions within the cloud. Unfortunately, this is<br />
not the case when the PKI or PKIZ token providers are used.<br />
<br />
When a PKI or PKIZ token is validated, the Identity service checks it<br />
by searching for a revocation by the entire token. It is possible for<br />
an attacker to manipulate portions of an intercepted PKI or PKIZ token<br />
that are not cryptographically protected, which will cause the<br />
revocation check to improperly consider the token to be valid.<br />
<br />
=== Recommended Actions ===<br />
We recommend that you do not use the PKI or PKIZ token providers. The<br />
PKI and PKIZ token providers do not offer any significant benefit over<br />
other token providers such as UUID or Fernet.<br />
<br />
If you are using the PKI or PKIZ token providers, it is recommended that<br />
you switch to using another supported token provider such as the UUID<br />
provider. This issue might be fixed in a future update of the PKI and<br />
PKIZ token providers in the Identity service.<br />
<br />
To check what token provider you are using, you must look in the<br />
'keystone.conf' file for your Identity service. An example is provided<br />
below:<br />
<br />
[token]<br />
#provider = keystone.token.providers.pki.Provider<br />
#provider = keystone.token.providers.pkiz.Provider<br />
provider = keystone.token.providers.uuid.Provider<br />
<br />
In the Liberty release of the Identity service, the token provider<br />
configuration differs from that of previous OpenStack releases. An<br />
example from the Liberty release is provided below:<br />
<br />
[token]<br />
#provider = pki<br />
#provider = pkiz<br />
provider = uuid<br />
<br />
These configuration snippets are using the UUID token provider. If you<br />
are using any of the commented out settings from these examples, your<br />
cloud is vulnerable to this issue and you should switch to a different<br />
token provider.<br />
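One way to automate the check described above, as an added example that is not part of the OSSN or of Keystone: it parses a keystone.conf, ignores commented-out lines the way Keystone does, and flags both the pre-Liberty class-path form and the Liberty short-name form. The sample configurations are constructed.

```python
"""Audit a keystone.conf for the PKI/PKIZ token providers named in OSSN-0062.

Added example, not part of the OSSN or of Keystone. It recognises both the
dotted class-path form used before Liberty and the short-name form used from
Liberty on, and treats commented-out lines the way Keystone does (ignored).
"""
import configparser
import io
from typing import Optional

# Provider values the OSSN identifies as vulnerable, in both configuration styles.
VULNERABLE_PROVIDERS = frozenset({
    "keystone.token.providers.pki.Provider",
    "keystone.token.providers.pkiz.Provider",
    "pki",
    "pkiz",
})


def token_provider(conf_text: str) -> Optional[str]:
    """Return the active [token] provider value, or None when it is not set.

    Lines starting with '#' or ';' are comments to configparser, so the
    commented-out PKI/PKIZ lines in the OSSN's snippets are not reported as
    active settings.
    """
    parser = configparser.ConfigParser(
        interpolation=None,   # keystone.conf values may contain '%'
        allow_no_value=True,  # tolerate bare option names
        strict=False,         # tolerate duplicate sections/options
    )
    parser.read_file(io.StringIO(conf_text))
    if not parser.has_option("token", "provider"):
        return None
    value = parser.get("token", "provider")
    return value.strip() if value else None


def audit_token_provider(conf_text: str) -> dict:
    """Classify the configured provider against the OSSN's guidance."""
    provider = token_provider(conf_text)
    if provider is None:
        return {
            "provider": None,
            "vulnerable": None,
            "finding": "no explicit [token] provider; check your release's default",
        }
    vulnerable = provider in VULNERABLE_PROVIDERS
    finding = (
        "PKI/PKIZ provider in use: switch to uuid or fernet"
        if vulnerable
        else "not affected by OSSN-0062"
    )
    return {"provider": provider, "vulnerable": vulnerable, "finding": finding}


# Constructed sample configurations (not taken from a real deployment).
PRE_LIBERTY_PKI = """\
[DEFAULT]
debug = false

[token]
provider = keystone.token.providers.pki.Provider
#provider = keystone.token.providers.uuid.Provider
"""

LIBERTY_UUID = """\
[token]
#provider = pki
#provider = pkiz
provider = uuid
"""

NO_PROVIDER = """\
[DEFAULT]
debug = false

[token]
expiration = 3600
"""

if __name__ == "__main__":
    for name, text in [("pre-Liberty", PRE_LIBERTY_PKI),
                       ("Liberty", LIBERTY_UUID),
                       ("unset", NO_PROVIDER)]:
        print(name, audit_token_provider(text))
```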
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0062<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1490804<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg<br />
* CVE: CVE-2015-7546</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=99714Security Notes2015-12-15T22:43:32Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0062|OSSN-0062]] - Potential reuse of revoked Identity tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0061|OSSN-0061]] - Glance image signature uses an insecure hash algorithm (MD5) (15 Dec 2015)<br />
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ('''work in progress''')<br />
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host (16 Nov 2015)<br />
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)<br />
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)<br />
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)<br />
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)<br />
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)<br />
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)<br />
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)<br />
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=99712Security Notes2015-12-15T22:39:36Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0062|OSSN-0062]] - Potential reuse of revoked Identity tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0061|OSSN-0061]] - Glance image signature uses an insecure hash algorithm (MD5)<br />
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ('''work in progress''')<br />
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host (16 Nov 2015)<br />
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)<br />
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)<br />
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)<br />
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)<br />
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)<br />
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)<br />
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)<br />
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0061&diff=99711OSSN/OSSN-00612015-12-15T22:38:42Z<p>Nkinder: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Glance image signature uses an insecure hash algorithm (MD5) ==<br />
<br />
=== Summary ===<br />
During the Liberty release the Glance project added a feature that<br />
supports verifying images by their signature. There is a flaw in the<br />
implementation that degrades verification by using the weak MD5<br />
algorithm.<br />
<br />
=== Affected Services / Software ===<br />
Glance, Liberty<br />
<br />
=== Discussion ===<br />
A digital signature is typically produced by hashing the data and then<br />
cryptographically signing that hash. In the case of the new Glance<br />
feature, the signature algorithm does not hash the image to be verified.<br />
It rehashes the existing MD5 checksum that is used to locally verify the<br />
integrity of image data stored in Glance.<br />
<br />
The Glance image signature algorithm uses configurable hash algorithms.<br />
No matter which algorithm is used, the overall security of the algorithm<br />
is degraded to that of MD5 because instead of applying it to the image<br />
data it's applied only to the MD5 checksum that already exists in<br />
Glance.<br />
<br />
The image signature algorithm is a relatively new feature, introduced in<br />
the Liberty release.<br />
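To make the degradation concrete, an added example (not Glance's code) models both designs side by side: HMAC-SHA256 stands in for the certificate-backed signature, and a toy XOR checksum stands in for MD5 so that a colliding image can be constructed inline. The configured hash is the same in both designs; only what it is applied to differs.

```python
"""Why signing a checksum instead of the image degrades verification to the
checksum's strength (added example; not Glance's code).

Stand-ins so the block runs with the standard library only:
  * HMAC-SHA256 under a shared key plays the role of the certificate-backed
    signature Glance verifies; the structural argument is identical.
  * weak_checksum() is a deliberately collision-prone toy standing in for MD5,
    so that a colliding image can be constructed inline.
"""
import hashlib
import hmac

SIGNING_KEY = b"constructed-demo-key"  # stand-in for the signer's private key


def _fold(data: bytes) -> int:
    acc = 0
    for b in data:
        acc ^= b
    return acc


def weak_checksum(data: bytes) -> str:
    """Toy 8-bit checksum (XOR of all bytes); stands in for Glance's MD5 checksum."""
    return f"{_fold(data):02x}"


def sign(message: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).digest()


def verify(message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(message), signature)


def flawed_message(image: bytes, hash_method: str) -> bytes:
    """Liberty behaviour as the OSSN describes it: the configurable hash is
    applied to the stored checksum string, never to the image bytes."""
    return hashlib.new(hash_method, weak_checksum(image).encode()).digest()


def fixed_message(image: bytes, hash_method: str) -> bytes:
    """Proposed fix: the configurable hash covers the image data itself."""
    return hashlib.new(hash_method, image).digest()


def flawed_verify(image: bytes, signature: bytes, hash_method: str = "sha256") -> bool:
    return verify(flawed_message(image, hash_method), signature)


def fixed_verify(image: bytes, signature: bytes, hash_method: str = "sha256") -> bool:
    return verify(fixed_message(image, hash_method), signature)


def image_with_same_checksum(new_content: bytes, original: bytes) -> bytes:
    """Append one byte so the toy checksum of new_content equals original's.
    For MD5 the equivalent step is a collision search, which is exactly the
    cost the flawed scheme reduces verification to, whatever hash is configured."""
    return new_content + bytes([_fold(new_content) ^ _fold(original)])


# Constructed sample data, not real image content.
ORIGINAL_IMAGE = b"constructed: trusted image bytes"
ALTERED_IMAGE = image_with_same_checksum(b"constructed: different content", ORIGINAL_IMAGE)


def demo(hash_method: str = "sha512") -> dict:
    """Same signer, same configured hash; only what gets hashed differs."""
    flawed_sig = sign(flawed_message(ORIGINAL_IMAGE, hash_method))
    fixed_sig = sign(fixed_message(ORIGINAL_IMAGE, hash_method))
    return {
        "checksums_collide": weak_checksum(ALTERED_IMAGE) == weak_checksum(ORIGINAL_IMAGE),
        "flawed_accepts_original": flawed_verify(ORIGINAL_IMAGE, flawed_sig, hash_method),
        "flawed_accepts_altered": flawed_verify(ALTERED_IMAGE, flawed_sig, hash_method),
        "fixed_accepts_original": fixed_verify(ORIGINAL_IMAGE, fixed_sig, hash_method),
        "fixed_accepts_altered": fixed_verify(ALTERED_IMAGE, fixed_sig, hash_method),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Even with SHA-512 configured, the flawed design accepts the altered image because its signed message depends only on the checksum; the fixed design rejects it.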
<br />
=== Recommended Actions ===<br />
Users concerned with image security should be aware that the current<br />
Glance signature algorithm is not secure by today's cryptographic<br />
standards.<br />
<br />
A specification for a fix has been proposed by the Glance development<br />
team and is targeted for the Mitaka release.<br />
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0061<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1516031<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg<br />
* Glance Spec for fix : https://review.openstack.org/#/c/252462/<br />
* CVE : CVE-2015-8234</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=99694Security Notes2015-12-15T20:23:17Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0062|OSSN-0062]] - Potential reuse of revoked Identity tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0061|OSSN-0061]] - Glance images signatures insecure hashes ('''work in progress''')<br />
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ('''work in progress''')<br />
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host (16 Nov 2015)<br />
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)<br />
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)<br />
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)<br />
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)<br />
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)<br />
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)<br />
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)<br />
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=97040Security Notes2015-11-16T21:33:58Z<p>Nkinder: </p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ("work in progress")<br />
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host (16 Nov 2015)<br />
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)<br />
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)<br />
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)<br />
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)<br />
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)<br />
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)<br />
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)<br />
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0059&diff=97039OSSN/OSSN-00592015-11-16T21:33:02Z<p>Nkinder: </p>
<hr />
<div>__notoc__

== Trusted VM can be powered on untrusted hosts ==
=== Summary ===
A trusted VM that was launched earlier on a trusted host can still be
powered on from the same host even after that host has been
compromised.

=== Affected Services / Software ===
Nova, Trusted Computing Pools

=== Discussion ===
Trusted Computing Pools aim to ensure the trustworthiness of hosts by
leveraging hardware-based security features. When an instance is
scheduled, the scheduler finds a trusted host by calling the remote
Attestation API for each host to check whether it is trusted or not.
The scheduler then calls the corresponding compute node to launch the
VM. Once the VM is launched, the scheduler is no longer involved unless
a migration, a resize or an evacuation is requested for that VM.

Malicious users can bypass the trust check performed through the
Attestation API using these steps:

# Launch a trusted VM on a trusted host
# Stop the VM on the trusted host
# Compromise the host
# Power on the VM from the compromised host. The Attestation API is not consulted when powering on the VM in this case.

=== Recommended Actions ===
We recommend investigating further if the trust check by the Attestation
API fails but the VM still boots. Another approach is to combine secure
boot with trusted boot. At the same time, the Nova team has discussed
deprecating the TrustedFilter.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0059
* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1456228
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Nova Team Email Proposing Deprecation : http://lists.openstack.org/pipermail/openstack-dev/2015-June/067766.html
* CR Demoting TrustedFilter to "experimental" : https://review.openstack.org/#/c/194592</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=92698Security Notes2015-10-15T22:08:30Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ("work in progress")<br />
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted VM can be powered on untrusted host ('''work in progress''')<br />
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)<br />
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption (15 Oct 2015)<br />
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)<br />
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)<br />
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)<br />
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)<br />
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)<br />
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0057&diff=92697OSSN/OSSN-00572015-10-15T22:07:40Z<p>Nkinder: Created page with "__NOTOC__ == DoS attack on Glance service can lead to interruption or disruption == === Summary === The typical Glance workflow allows authenticated users to create an image..."</p>
<hr />
<div>__NOTOC__

== DoS attack on Glance service can lead to interruption or disruption ==

=== Summary ===
The typical Glance workflow allows authenticated users to create an
image and upload the image content in a separate step. This can be
abused by malicious users to flood the Glance database with entries
for zero-sized images.

=== Affected Services / Software ===
Glance, Icehouse, Juno, Kilo, Liberty

=== Discussion ===
Glance by default allows an authenticated user to create zero-size
images. Those images do not consume resources on the storage backend
and do not hit any size limits, but they do take up space in the
database.

Malicious users can potentially cause database resource depletion with
an endless flood of 'image-create' requests.

=== Recommended Actions ===
For current stable OpenStack releases, users can work around this
vulnerability by placing rate-limiting proxies in front of the Glance
API. Rate limiting is a common mechanism to prevent DoS and
brute-force attacks. Rate limiting the API requests delays the
consequences of the attack but does not prevent it.

For example, if you are using a proxy such as Repose, enable the rate
limiting feature by following these steps:

https://repose.atlassian.net/wiki/display/REPOSE/Rate+Limiting+Filter

An alternative approach to mitigate this issue is to restrict image
creation to trusted administrators in your deployed Glance policy.json
file:

 "add_image": "role:admin",

Another preventative action is to monitor the logs to identify
excessive image-create requests. One example of such a log message
from glance-api.log is as follows (single line, wrapped):

 DEBUG glance.registry.client.v1.api [req-da1cafc0-f41f-4587-a484-672ba7f3546e
 admin 8b04efc28055428c940505838314f262 - - -]
 Adding image metadata... add_image_metadata
 /usr/lib/python2.7/dist-packages/glance/registry/client/v1/api.py:161

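The log-monitoring action above can be automated. The script below is an added example for this note, not code from Glance or the OSSN: it scans glance-api.log records for the "Adding image metadata... add_image_metadata" DEBUG message quoted above, counts those records per user ID inside a sliding time window, and reports users whose burst exceeds a threshold. The log records are constructed for the example and assume the usual oslo.log prefix (timestamp, PID, level) in front of the text the note quotes; the request, user and project IDs are made up.

```python
"""Flag users issuing bursts of Glance image-create requests.

Added example for OSSN-0057, not code from Glance or the OSSN. The log
records are constructed; the oslo.log prefix (timestamp, PID, level) is an
assumption about the deployment's log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Match one image-create record and capture timestamp, request ID and user ID.
CREATE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \d+ DEBUG "
    r"glance\.registry\.client\.v1\.api "
    r"\[(?P<req>req-[0-9a-f-]+) (?P<user>\S+) (?P<project>\S+)[^\]]*\] "
    r"Adding image metadata\.\.\. add_image_metadata"
)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f"


def parse_image_creates(lines):
    """Yield (timestamp, user_id, request_id) for every image-create record;
    unrelated records are skipped."""
    for line in lines:
        m = CREATE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["user"], m["req"]


def find_floods(lines, window=timedelta(seconds=60), threshold=20):
    """Return {user_id: peak} for users that issued more than `threshold`
    image-create requests within any `window`-long interval.
    `lines` must be in chronological order, as a log file is."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    peak = defaultdict(int)       # user -> largest burst seen so far
    for ts, user, _req in parse_image_creates(lines):
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peak[user] = max(peak[user], len(q))
    return {user: n for user, n in peak.items() if n > threshold}


# --- constructed sample log (made-up IDs and user names) -------------------
START = datetime(2015, 10, 15, 21, 0, 0)
PROJECT = "11111111111111111111111111111111"


def _create_record(ts, user, seq):
    """One constructed glance-api.log record in the note's format."""
    return (f"{ts.strftime(TS_FMT)[:-3]} 1234 DEBUG glance.registry.client.v1.api "
            f"[req-{seq:08x}-0000-4000-8000-000000000000 {user} {PROJECT} - - -] "
            "Adding image metadata... add_image_metadata "
            "/usr/lib/python2.7/dist-packages/glance/registry/client/v1/api.py:161")


def build_sample_log():
    """A normal user creating two images five minutes apart, one unrelated
    record, and a second user creating 25 images inside 30 seconds."""
    later = START + timedelta(minutes=5)
    noise_ts = START + timedelta(seconds=2)
    events = [
        (START, _create_record(START, "alice", 1)),
        (later, _create_record(later, "alice", 2)),
        (noise_ts, f'{noise_ts.strftime(TS_FMT)[:-3]} 1234 INFO eventlet.wsgi.server '
                   f'[-] 10.0.0.5 - - "GET /v1/images HTTP/1.1" 200'),
    ]
    for i in range(25):
        ts = START + timedelta(seconds=1.2 * i)
        events.append((ts, _create_record(ts, "mallory", 100 + i)))
    events.sort(key=lambda e: e[0])
    return [line for _ts, line in events]


if __name__ == "__main__":
    for user, burst in find_floods(build_sample_log()).items():
        print(f"ALERT: {user} issued {burst} image-create requests within 60 s")
```

Run against a real file with `find_floods(open("/var/log/glance/api.log"))`; the threshold and window should be tuned to the deployment's normal image-registration rate, and the DEBUG message is only present when debug logging is enabled for glance-api.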
=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0057
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1401170
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0033&diff=90933OSSN/OSSN-00332015-09-23T19:39:58Z<p>Nkinder: /* Contacts / References */</p>
<hr />
<div>__NOTOC__
== Some SSL-Enabled connections fail to perform basic certificate checks ==

=== Summary ===
In many places, OpenStack components use the Python 2.x HTTPSConnection
class to establish an SSL connection between endpoints. This class does
not provide many of the assurances one would expect when using SSL and
leaves connections open to potential man-in-the-middle attacks.

=== Affected Services / Software ===
All OpenStack services, Havana, Icehouse, Juno

=== Discussion ===
A secure SSL session relies on validation of an X.509 certificate. Basic
checks include:

* Certificate Authority trust verification
* Certificate revocation status
* Certificate expiration
* Certificate subject name matching

The HTTPSConnection class is used in a large number of locations and
fails to check that certificates are signed by a valid authority.
Without that check in place, the subsequent checks (some highlighted
above) are largely meaningless.

The result is that an attacker with access to the network traffic
between two endpoints relying on HTTPSConnection can trivially create a
certificate that HTTPSConnection will accept as valid, allowing the
attacker to intercept, read and modify traffic that should be
protected by SSL.

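The following is an added example, not code from the OSSN or from any OpenStack project. The note concerns Python 2.x HTTPSConnection, which verified nothing; the block shows the equivalent unverified configuration in Python 3's ssl module next to a context that enforces the checks listed above, and an audit helper that reports which of those checks a given context will perform. No network connection is made, and the host name used at the bottom is a placeholder.

```python
"""Unverified versus verified HTTPS client contexts.

Added example for OSSN-0033, not code from the OSSN or from OpenStack.
"""
import http.client
import ssl


def unverified_context():
    """Reproduce the legacy behaviour: no CA check and no host name check.
    Any certificate, including one minted by an on-path attacker, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def verified_context(cafile=None, require_crl=False):
    """A context that enforces CA trust, expiry and host name matching.
    `cafile` is a PEM bundle (the system store is used when None). With
    `require_crl` the leaf certificate is also checked against a CRL, which
    must be loaded with ctx.load_verify_locations(cafile=<crl.pem>); if no
    CRL is loaded every handshake fails closed rather than skipping the check."""
    ctx = ssl.create_default_context(cafile=cafile)   # CERT_REQUIRED + check_hostname
    if require_crl:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def audit_context(ctx):
    """Report which of the note's four basic checks a context enforces."""
    chain_verified = ctx.verify_mode == ssl.CERT_REQUIRED
    return {
        "ca_trust": chain_verified,
        # OpenSSL checks notBefore/notAfter as part of chain verification,
        # so expiry is only enforced when the chain is verified at all
        "expiration": chain_verified,
        "revocation": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "subject_name": bool(ctx.check_hostname),
    }


def connect(host, port=443, ctx=None):
    """Build an HTTPSConnection that verifies the peer unless told otherwise."""
    return http.client.HTTPSConnection(host, port, context=ctx or verified_context())


if __name__ == "__main__":
    print("legacy   :", audit_context(unverified_context()))
    print("default  :", audit_context(verified_context()))
    print("with CRL :", audit_context(verified_context(require_crl=True)))
    conn = connect("example.invalid")   # placeholder host; nothing is sent
```

The audit helper is the useful part for a deployer: applied to whatever context a client library hands to HTTPSConnection, it makes visible whether the CA and host name checks are actually on, which is exactly what the Python 2.x class silently left off.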
=== Recommended Actions ===
Some projects have updated their code to be more secure; others have
not. The OSSG suggests that cloud deployers check the status of the bugs
listed in the 'References' section of this note to see whether the
projects they require have been updated.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0033
* Launchpad Bugs :
** https://bugs.launchpad.net/ossn/+bug/1188189
** https://bugs.launchpad.net/ossn/+bug/1436082
** https://bugs.launchpad.net/nova/+bug/1276207
** https://bugs.launchpad.net/vmware-nsx/+bug/1487962
** https://bugs.launchpad.net/vmware-nsx/+bug/1488265
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0033&diff=90932OSSN/OSSN-00332015-09-23T19:38:31Z<p>Nkinder: /* Contacts / References */</p>
<hr />
<div>__NOTOC__
== Some SSL-Enabled connections fail to perform basic certificate checks ==

=== Summary ===
In many places, OpenStack components use the Python 2.x HTTPSConnection
class to establish an SSL connection between endpoints. This class does
not provide many of the assurances one would expect when using SSL and
leaves connections open to potential man-in-the-middle attacks.

=== Affected Services / Software ===
All OpenStack services, Havana, Icehouse, Juno

=== Discussion ===
A secure SSL session relies on validation of an X.509 certificate. Basic
checks include:

* Certificate Authority trust verification
* Certificate revocation status
* Certificate expiration
* Certificate subject name matching

The HTTPSConnection class is used in a large number of locations and
fails to check that certificates are signed by a valid authority.
Without that check in place, the subsequent checks (some highlighted
above) are largely meaningless.

The result is that an attacker with access to the network traffic
between two endpoints relying on HTTPSConnection can trivially create a
certificate that HTTPSConnection will accept as valid, allowing the
attacker to intercept, read and modify traffic that should be
protected by SSL.

=== Recommended Actions ===
Some projects have updated their code to be more secure; others have
not. The OSSG suggests that cloud deployers check the status of the bugs
listed in the 'References' section of this note to see whether the
projects they require have been updated.

=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0033
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1188189
* Launchpad Bugs :
** https://bugs.launchpad.net/ossn/+bug/1188189
** https://bugs.launchpad.net/ossn/+bug/1436082
** https://bugs.launchpad.net/nova/+bug/1276207
** https://bugs.launchpad.net/vmware-nsx/+bug/1487962
** https://bugs.launchpad.net/vmware-nsx/+bug/1488265
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=90931Security Notes2015-09-23T19:21:19Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0060|OSSN-0060]] - Embargoed Issue ("work in progress")<br />
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted VM can be powered on untrusted host ('''work in progress''')<br />
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)<br />
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')<br />
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)<br />
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)<br />
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)<br />
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation (23 Sep 2015)<br />
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)<br />
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0053&diff=90930OSSN/OSSN-00532015-09-23T19:20:57Z<p>Nkinder: </p>
<hr />
<div>__NOTOC__

== Keystone token disclosure may result in malicious trust creation ==
=== Summary ===
Keystone tokens are the foundation of authentication and authorization
in OpenStack. When a service node is compromised, it is possible that
an attacker would have access to all tokens passing through that node.
With a valid token an attacker is able to issue new tokens that may be
used to create trusts between the originating user and a new user.

=== Affected Services / Software ===
Keystone, Grizzly, Havana, Icehouse, Juno, Kilo

=== Discussion ===
If a service node is compromised, an attacker has access to every token
that passes through that node. By default, a Keystone token can be
exchanged for another token, and there is no restriction on the scoping
of the new token. With the trust API, these tokens can be used to
delegate roles between the original user and a new user.

Trusts allow a user to set up a long-term delegation that permits
another user to perform operations on their behalf. While tokens
created through trusts are limited in what they can do, the
limitations only cover operations such as changing passwords or creating
new tokens. This would grant an attacker access to all the operations
available to the originating user in their projects and to the roles
that are delegated through the trust.

There are other ways that a compromised token can be misused beyond the
methods described here. This note addresses one possible path for
vulnerabilities based on the unintended access that could be gained
from trusts created through intercepted tokens.

This behavior is intrinsic to the bearer token model used within
Keystone / OpenStack.

=== Recommended Actions ===
The following steps are recommended to reduce exposure, based on the
granularity and accepted level of risk in a given environment:

1. Monitor and audit trust creation events within your environment.
Keystone emits notifications on trust creation and deletion that are
accessible through system logs or, if configured, the CADF
data/security/trust resource extension.

2. Offer users roles that cannot create trusts, delegate permissions or
assign new roles via Keystone. This limits the attack vector to
compromising Keystone directly or capturing, via man-in-the-middle, a
separate token that has the authorization to create trusts, delegate
permissions or assign roles.

3. Retain the default token lifespan of 1 hour. Many workloads require
a single token for the whole workload and take more than one hour, so
installations have increased token lifespans back to the old value of
24 hours, increasing their exposure to this issue.

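Two of the recommendations above can be checked mechanically. The block below is an added example, not code from Keystone or the OSSN: the first check parses a keystone.conf and reports whether [token] expiration has been raised above the 3600-second default (recommendation 3); the second reduces Keystone notifications to audit records for trust creation and deletion (recommendation 1). The configuration text and the notification dicts are constructed for the example, and the event_type strings are assumed to follow Keystone's "identity.<resource>.<operation>" naming; check them against the notifications your deployment actually emits before wiring this into an alerting pipeline.

```python
"""Audit checks for OSSN-0053: token lifetime and trust events.

Added example, not code from Keystone or the OSSN. The config text and the
notification dicts are constructed; the event_type strings are assumed.
"""
import configparser

DEFAULT_TOKEN_LIFETIME = 3600   # seconds; the default the note says to keep

# Assumed Keystone event types for trust creation/deletion (verify locally).
TRUST_EVENTS = {
    "identity.OS-TRUST/trust.created": "created",
    "identity.OS-TRUST/trust.deleted": "deleted",
}


def token_lifetime(conf_text):
    """Return the configured [token] expiration in seconds, or the default
    when the section or option is absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.getint("token", "expiration", fallback=DEFAULT_TOKEN_LIFETIME)


def audit_token_lifetime(conf_text):
    """Return (ok, seconds): ok is False when tokens outlive the default."""
    seconds = token_lifetime(conf_text)
    return seconds <= DEFAULT_TOKEN_LIFETIME, seconds


def trust_audit_records(notifications):
    """Keep only trust create/delete events and flatten them for an audit log."""
    records = []
    for note in notifications:
        action = TRUST_EVENTS.get(note.get("event_type"))
        if action is None:
            continue                      # not a trust event; ignore
        payload = note.get("payload", {})
        records.append({
            "timestamp": note.get("timestamp"),
            "action": action,
            "trust_id": payload.get("resource_info"),
            "initiator": payload.get("initiator", {}).get("id"),
        })
    return records


# --- constructed inputs ----------------------------------------------------
LONG_LIVED_CONF = """\
[DEFAULT]
debug = false

[token]
# raised from the 3600 s default to let long workloads reuse one token
expiration = 86400
"""

SAMPLE_NOTIFICATIONS = [
    {"event_type": "identity.authenticate", "timestamp": "2015-09-23 19:00:00",
     "payload": {"initiator": {"id": "user-1111"}}},
    {"event_type": "identity.OS-TRUST/trust.created", "timestamp": "2015-09-23 19:00:05",
     "payload": {"resource_info": "trust-aaaa", "initiator": {"id": "user-1111"}}},
    {"event_type": "identity.OS-TRUST/trust.deleted", "timestamp": "2015-09-23 19:30:00",
     "payload": {"resource_info": "trust-aaaa", "initiator": {"id": "user-2222"}}},
]

if __name__ == "__main__":
    ok, secs = audit_token_lifetime(LONG_LIVED_CONF)
    print("token lifetime %ds: %s" % (secs, "OK" if ok else "EXCEEDS DEFAULT"))
    for rec in trust_audit_records(SAMPLE_NOTIFICATIONS):
        print("TRUST", rec)
```

Feeding the real keystone.conf to `audit_token_lifetime` and the notification stream (oslo.messaging consumer or log-shipped events) to `trust_audit_records` gives an operator the two signals the note asks for: a configuration drift away from the one-hour default, and a record of every trust created or deleted with the initiating user.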
=== Contacts / References ===
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0053
* Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1455582
* OpenStack Security ML : openstack-security@lists.openstack.org
* OpenStack Security Group : https://launchpad.net/~openstack-ossg
* Hierarchical Roles : https://review.openstack.org/#/c/125704
* Policy by URL : https://review.openstack.org/#/c/192422
* Unified policy file : https://review.openstack.org/#/c/134656
* Endpoint_ID from URL : https://review.openstack.org/#/c/199844</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=90512Security Notes2015-09-18T02:21:22Z<p>Nkinder: </p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host ('''work in progress''')<br />
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)<br />
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')<br />
* [[OSSN/OSSN-0056|OSSN-0056]] - Cached keystone tokens may be accepted after revocation (17 Sep 2015)<br />
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)<br />
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)<br />
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation ('''work in progress''')<br />
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)<br />
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0056&diff=90511OSSN/OSSN-00562015-09-18T02:20:42Z<p>Nkinder: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Cached keystone tokens may be accepted after revocation ==<br />
=== Summary ===<br />
The Keystone auth_token middleware caches tokens and the token revocation<br />
list to reduce the load on the keystone service. The default token cache<br />
time is 300 seconds and the default token revocation list cache time is<br />
10 seconds. This creates a misleading expectation that revoked tokens<br />
will not be accepted more than 10 seconds after revocation; however, the<br />
maximum validity of a cached token must be assumed to be the token cache<br />
duration. System owners should make a risk-based decision that balances<br />
token lifespan against performance requirements, and if the use of<br />
revoked tokens is an unacceptable risk then caching should be disabled.<br />
<br />
=== Affected Services / Software ===<br />
OpenStack Services that use Keystone middleware: Juno, Kilo, Liberty<br />
<br />
=== Discussion ===<br />
There are multiple options for configuring token caching in the keystone<br />
auth_token middleware: token_cache_time, revocation_cache_time and<br />
check_revocations_for_cached, each affecting a different stage of token<br />
caching and revocation. Depending on how these options are configured,<br />
an attacker could continue to use a compromised token for up to<br />
token_cache_time seconds before the token becomes disabled. To mitigate<br />
this, a change was issued in Juno that reduced the default Token<br />
Revocation List (TRL) cache time to 10 seconds and added the<br />
check_revocations_for_cached option. Because of how token caching<br />
operates, adding a token to the TRL does not guarantee that cached<br />
copies of that token will be rejected. For instance, if<br />
check_revocations_for_cached is disabled, a cached token remains valid<br />
for token_cache_time seconds after it was cached, or until the token's<br />
own expiration. If check_revocations_for_cached is enabled, cached<br />
tokens are instead rejected once revocation_cache_time has elapsed.<br />
<br />
System owners should weigh the risk of an attacker using a revoked token<br />
versus the performance implications of reducing the token cache time.<br />
<br />
=== Recommended Actions ===<br />
Review the implications of the default 300 second token cache time and<br />
any risks associated with the use of revoked tokens for up to that cache<br />
time. If this is unacceptable, reduce the cache time to reduce the<br />
attack window or disable token caching entirely.<br />
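<br />
The interaction of the three options described in the Discussion, and the cache-time review recommended above, as an added example that is not keystonemiddleware code: it computes the worst-case number of seconds an already-cached token keeps being accepted after revocation, and reads the relevant options out of a [keystone_authtoken] section. The configuration fragments and the host name are constructed placeholders; treating a negative token_cache_time (-1) as "caching disabled" follows the keystonemiddleware option semantics.<br />

```python
"""Worst-case window in which an already-cached token is still accepted
after revocation, derived from the auth_token middleware options named in
OSSN-0056. Added example, not keystonemiddleware code."""
import configparser

# Defaults as stated in the OSSN (token cache 300 s, revocation list 10 s).
DEFAULT_TOKEN_CACHE_TIME = 300
DEFAULT_REVOCATION_CACHE_TIME = 10
DEFAULT_CHECK_REVOCATIONS_FOR_CACHED = False


def revoked_token_window(token_cache_time, revocation_cache_time,
                         check_revocations_for_cached, seconds_to_expiry):
    """Seconds a cached token may keep being accepted after it is revoked.

    Model from the OSSN discussion:
      * caching disabled (token_cache_time = -1 in keystonemiddleware):
        every request is validated against Keystone, so revocation
        applies at once;
      * check_revocations_for_cached off: the cached entry is honoured
        until the cache entry or the token itself expires;
      * check_revocations_for_cached on: the cached entry is re-checked
        against the revocation list, which is itself cached, so the token
        is rejected once the stale list is refreshed.
    """
    if token_cache_time < 0:
        return 0
    if check_revocations_for_cached:
        return min(revocation_cache_time, seconds_to_expiry)
    return min(token_cache_time, seconds_to_expiry)


def effective_window_from_conf(conf_text, seconds_to_expiry=3600):
    """Read a [keystone_authtoken] section and evaluate the window.

    seconds_to_expiry is the time the token itself still has left; the
    default of 3600 matches the one-hour token lifespan. Missing options
    fall back to the defaults above.
    """
    parser = configparser.ConfigParser()
    parser.read_string(conf_text)
    if parser.has_section("keystone_authtoken"):
        section = parser["keystone_authtoken"]
    else:
        section = {}
    token_cache_time = int(section.get("token_cache_time", DEFAULT_TOKEN_CACHE_TIME))
    revocation_cache_time = int(section.get("revocation_cache_time",
                                            DEFAULT_REVOCATION_CACHE_TIME))
    raw_check = section.get("check_revocations_for_cached",
                            DEFAULT_CHECK_REVOCATIONS_FOR_CACHED)
    check = str(raw_check).lower() in ("true", "1", "yes")
    return revoked_token_window(token_cache_time, revocation_cache_time,
                                check, seconds_to_expiry)


# Constructed configuration fragments; the host name is a placeholder.
CONF_DEFAULTS = """
[keystone_authtoken]
auth_uri = http://keystone.example.invalid:5000
"""
CONF_CHECK_REVOCATIONS = CONF_DEFAULTS + "check_revocations_for_cached = True\n"
CONF_NO_CACHE = CONF_DEFAULTS + "token_cache_time = -1\n"


if __name__ == "__main__":
    for name, conf in (("defaults", CONF_DEFAULTS),
                       ("check_revocations_for_cached", CONF_CHECK_REVOCATIONS),
                       ("caching disabled", CONF_NO_CACHE)):
        print("%-30s revoked token accepted for up to %3d s"
              % (name, effective_window_from_conf(conf)))
```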
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0056<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/python-keystoneclient/+bug/1287301<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=90498Security Notes2015-09-17T21:16:25Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host ('''work in progress''')<br />
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes (17 Sep 2015)<br />
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')<br />
* [[OSSN/OSSN-0056|OSSN-0056]] - Keystonemiddleware allowing access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)<br />
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)<br />
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation ('''work in progress''')<br />
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)<br />
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0058&diff=90497OSSN/OSSN-00582015-09-17T21:16:02Z<p>Nkinder: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Cinder LVMISCSIDriver allows possible unauthenticated mounting of volumes ==<br />
=== Summary ===<br />
When using the LVMISCSIDriver with Cinder, the credentials for CHAP<br />
authentication are not formatted correctly in the tgtadm configuration<br />
file. This leads to a condition where an operator will expect that<br />
volumes can only be mounted with the authentication credentials when,<br />
in fact, they can be mounted without the credentials.<br />
<br />
=== Affected Services / Software ===<br />
Cinder, Icehouse<br />
<br />
=== Discussion ===<br />
When requesting that LVMISCSIDriver based volumes use the CHAP<br />
authentication protocol, Cinder adds the authentication credentials to<br />
the configuration file for the tgtadm application. In pre-Juno versions<br />
of Cinder the key name used for these credentials is incorrect, which<br />
prevents tgtadm from parsing those credentials properly.<br />
<br />
With the credentials incorrectly set, tgtadm will fail to authenticate<br />
volume mounts when requested by Cinder. Because the credentials were<br />
never applied through the configuration file, the volumes are also<br />
accessible without authentication. This can allow instances on the same<br />
network as the volumes to mount them without providing the credentials<br />
to the tgtadm application.<br />
<br />
This behavior can be confirmed by displaying the accounts associated<br />
with a volume. For volumes which have authentication enabled, you will<br />
see an account listed in the output of the tgtadm application. The<br />
account names created by Cinder will be randomly generated and will<br />
appear as 20 character strings. To print the information for volumes<br />
the following command can be run on nodes with attached volumes:<br />
<br />
# tgtadm --lld iscsi --op show --mode target<br />
<br />
User names will be found in the `Account information:` section.<br />
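<br />
The confirmation step above, as an added example that is not Cinder's or tgt's code: it parses the output of the tgtadm show command, collects the names under each target's `Account information:` section, and reports targets that expose a volume with no account (and account names that do not match the 20-character form the OSSN describes). The sample output, IQNs and account name are constructed, and the exact tgtadm layout (4-space section headers, 8-space entries) is an assumption of the parser.<br />

```python
"""Find iSCSI targets that tgtadm exposes without a CHAP account
(OSSN-0058 confirmation step). Added example; the sample output below is
constructed and the indentation layout it parses is assumed."""
import re

TARGET_RE = re.compile(r"^Target (\d+): (\S+)\s*$")
# Section headers sit at a 4-space indent, e.g. "    Account information:".
SECTION_RE = re.compile(r"^    (\S.*):\s*$")

# Constructed sample of `tgtadm --lld iscsi --op show --mode target`:
# target 1 carries a Cinder-style 20-character account, target 2 none.
SAMPLE_TGTADM_OUTPUT = """\
Target 1: iqn.2010-10.org.openstack:volume-0f6a1c2e-0000-4000-8000-000000000001
    System information:
        Driver: iscsi
        State: ready
    I_T nexus information:
    LUN information:
        LUN: 0
            Type: controller
            Backing store type: null
            Backing store path: None
        LUN: 1
            Type: disk
            Backing store type: rdwr
            Backing store path: /dev/cinder-volumes/volume-0f6a1c2e-0000-4000-8000-000000000001
    Account information:
        kF3zQm7xT1vL9pB2sN4c
    ACL information:
        ALL
Target 2: iqn.2010-10.org.openstack:volume-0f6a1c2e-0000-4000-8000-000000000002
    System information:
        Driver: iscsi
        State: ready
    I_T nexus information:
    LUN information:
        LUN: 0
            Type: controller
        LUN: 1
            Type: disk
            Backing store path: /dev/cinder-volumes/volume-0f6a1c2e-0000-4000-8000-000000000002
    Account information:
    ACL information:
        ALL
"""


def parse_tgtadm_targets(output):
    """Map each target IQN to the list of account names tgtadm shows for it."""
    targets = {}
    current = None
    section = None
    for line in output.splitlines():
        m = TARGET_RE.match(line)
        if m:
            current = m.group(2)
            targets[current] = []
            section = None
            continue
        m = SECTION_RE.match(line)
        if m and current is not None:
            section = m.group(1)
            continue
        if current is not None and section == "Account information":
            name = line.strip()
            if name:
                targets[current].append(name)
    return targets


def find_unprotected_volumes(output, expected_account_len=20):
    """Return (iqn, reason) pairs for targets that need attention.

    A target with no account can be attached without credentials, which
    is the condition the OSSN describes. An account whose name is not the
    20-character string Cinder generates is reported as a sanity check.
    """
    findings = []
    for iqn, accounts in parse_tgtadm_targets(output).items():
        if not accounts:
            findings.append((iqn, "no CHAP account: volume attachable without credentials"))
        for account in accounts:
            if len(account) != expected_account_len:
                findings.append((iqn, "account %r is not a %d-character Cinder-style name"
                                 % (account, expected_account_len)))
    return findings


if __name__ == "__main__":
    # On a real node, feed in the captured tgtadm output instead.
    for iqn, reason in find_unprotected_volumes(SAMPLE_TGTADM_OUTPUT):
        print("%s: %s" % (iqn, reason))
```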
<br />
=== Recommended Actions ===<br />
If possible, Cinder should be updated to the Juno release or newer. If<br />
this is not possible, then the following guidance will help mitigate<br />
unwanted traffic to the affected nodes.<br />
<br />
1. Identify the nodes that will be exposing Cinder volumes with the<br />
LVMISCSIDriver and the nodes that will need to attach those volumes.<br />
<br />
2. Implement either security group port rules or iptables rules on<br />
the nodes exposing the volumes to only allow traffic through port 3260<br />
from nodes that will need to attach volumes.<br />
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0058<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1329214<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=90496Security Notes2015-09-17T21:08:07Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host ('''work in progress''')<br />
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes ('''work in progress''')<br />
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')<br />
* [[OSSN/OSSN-0056|OSSN-0056]] - Keystonemiddleware allowing access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)<br />
* [[OSSN/OSSN-0054|OSSN-0054]] - Potential Denial of Service in Horizon login (17 Sep 2015)<br />
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation ('''work in progress''')<br />
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)<br />
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0054&diff=90495OSSN/OSSN-00542015-09-17T21:07:27Z<p>Nkinder: Created page with "__NOTOC__ == Potential Denial of Service in Horizon login == === Summary === Horizon uses the Python based Django web framework. Older versions of this framework allow an una..."</p>
<hr />
<div>__NOTOC__<br />
<br />
== Potential Denial of Service in Horizon login ==<br />
=== Summary ===<br />
Horizon uses the Python based Django web framework. Older versions of<br />
this framework allow an unauthorized user to fill up the session store<br />
database causing a Horizon denial of service. A fix for Django is<br />
available but works only with Kilo and later versions of Horizon.<br />
<br />
=== Affected Services / Software ===<br />
Horizon, Django, Essex, Folsom, Grizzly, Havana, Icehouse, Juno<br />
<br />
=== Discussion ===<br />
Django will record the session ID of web requests even when the request<br />
is from an unauthorized user. This allows an attacker to populate the<br />
session store database with invalid session information, potentially<br />
causing a denial of service condition by filling the database with<br />
useless session information.<br />
<br />
=== Recommended Actions ===<br />
The Django developers have released a fix for this issue, which is<br />
included in Django versions 1.4.21, 1.7.9 and 1.8.3. Horizon<br />
administrators should ensure that they are using an up-to-date version<br />
of Django to avoid being affected by this vulnerability.<br />
<br />
Versions of Horizon prior to Kilo cannot run with the fixed version of<br />
Django, and may require updating to a newer version of OpenStack.<br />
Administrators can test whether their deployment is affected by<br />
attempting to inject invalid sessions into the session store database<br />
using the following script and then querying the session store database<br />
to check whether multiple 'aaaaa' session IDs were recorded.<br />
<br />
for i in {1..100}<br />
do<br />
curl -b "sessionid=aaaaa;" http://HORIZON__IP/auth/login/ &> /dev/null<br />
done<br />
<br />
If possible, affected users should upgrade to the Kilo or newer release<br />
of Horizon, allowing them to use the fixed version of Django.<br />
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0054<br />
* Django fix : https://www.djangoproject.com/weblog/2015/jul/08/security-releases/<br />
* Django CVE : CVE-2015-5143<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/horizon/+bug/1457551<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=90487Security Notes2015-09-17T18:41:56Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host ('''work in progress''')<br />
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes ('''work in progress''')<br />
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')<br />
* [[OSSN/OSSN-0056|OSSN-0056]] - Keystonemiddleware allowing access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (17 Sep 2015)<br />
* [[OSSN/OSSN-0054|OSSN-0054]] - Another Horizon login page vulnerability to a DoS attack ('''work in progress''')<br />
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation ('''work in progress''')<br />
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)<br />
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>
Nkinder https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0055&diff=90486 OSSN/OSSN-0055 2015-09-17T18:38:26Z <p>Nkinder: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Service accounts may have cloud admin privileges ==<br />
=== Summary ===<br />
OpenStack services (for example Nova and Glance) typically use a<br />
service account in Keystone to perform actions. In some cases this<br />
service account has full admin privileges, may therefore perform any<br />
action on your cloud, and should be protected appropriately.<br />
<br />
=== Affected Services / Software ===<br />
Most OpenStack services / all versions<br />
<br />
=== Discussion ===<br />
In many cases, OpenStack services require an OpenStack account to<br />
perform API actions such as validating Keystone tokens. Some<br />
deployment tools grant administrative level access to these service<br />
accounts, making these accounts very powerful.<br />
<br />
A service account with administrator access could be used to:<br />
* destroy/modify/access data<br />
* create or destroy admin accounts<br />
* potentially escalate to undercloud access<br />
* log in to Horizon<br />
<br />
=== Recommended Actions ===<br />
Service accounts can use the "service" role rather than admin. You<br />
can check what role the service account has by performing the following<br />
steps:<br />
<br />
1. List roles:<br />
<br />
openstack role list<br />
<br />
2. Check the role assignment for the service user in question:<br />
<br />
openstack role assignment list --user <service_user><br />
<br />
3. Compare the ID listed in the "role" column from step 2 with the role<br />
IDs listed in step 1. If the role is listed as "admin", the service<br />
account has full admin privileges on the cloud.<br />
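<br />
A way to automate step 3 against the JSON output of the two commands (`-f json`), as an added example that is not part of this note. The role IDs and assignment rows below are constructed placeholders, and the column names are assumed to be those printed by python-openstackclient.<br />

```python
"""Resolve a service user's role assignments to names and flag 'admin'.

Added example for OSSN-0055. Feed it the JSON form of the two commands:
    openstack role list -f json
    openstack role assignment list --user <service_user> -f json
The sample outputs below are constructed; the IDs are placeholders.
"""
import json

# Constructed sample of `openstack role list -f json` (placeholder IDs).
ROLE_LIST_JSON = """[
  {"ID": "0123456789abcdef0123456789abcdef", "Name": "admin"},
  {"ID": "fedcba9876543210fedcba9876543210", "Name": "service"},
  {"ID": "00000000000000000000000000000000", "Name": "_member_"}
]"""

# Constructed sample of `openstack role assignment list --user nova -f json`.
# The "Role" column carries the role ID (not the name), which is why step 3
# of the note has you compare it against the IDs from `openstack role list`.
ASSIGNMENT_LIST_JSON = """[
  {"Role": "0123456789abcdef0123456789abcdef", "User": "nova-user-id",
   "Group": "", "Project": "service-project-id", "Domain": "", "Inherited": false},
  {"Role": "fedcba9876543210fedcba9876543210", "User": "nova-user-id",
   "Group": "", "Project": "service-project-id", "Domain": "", "Inherited": false}
]"""


def role_names_by_id(role_list_json):
    """Map role ID -> role name from `openstack role list -f json`."""
    return {r["ID"]: r["Name"] for r in json.loads(role_list_json)}


def admin_assignments(role_list_json, assignment_list_json, admin_role="admin"):
    """Return (role name, scope) for every assignment that grants admin.

    Scope is the project or domain the role is held on. An unknown role ID
    is kept as-is so a stale role list never hides an assignment.
    """
    names = role_names_by_id(role_list_json)
    hits = []
    for a in json.loads(assignment_list_json):
        name = names.get(a["Role"], a["Role"])
        if name == admin_role:
            scope = a.get("Project") or a.get("Domain") or "<unscoped>"
            hits.append((name, scope))
    return hits


def service_account_has_admin(role_list_json, assignment_list_json):
    """True when any assignment for the queried user resolves to 'admin'."""
    return bool(admin_assignments(role_list_json, assignment_list_json))


if __name__ == "__main__":
    for name, scope in admin_assignments(ROLE_LIST_JSON, ASSIGNMENT_LIST_JSON):
        print("service account holds '%s' on %s" % (name, scope))
```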
<br />
It is possible to change the role to "service" for some accounts but<br />
this may have unexpected consequences for services such as Nova and<br />
Neutron, and is therefore not recommended for inexperienced admins.<br />
<br />
If a service account does have admin, it's advisable to closely<br />
monitor login events for that user to ensure that it is not used<br />
unexpectedly. In particular, pay attention to unusual IPs using the<br />
service account.<br />
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0055<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1464750<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div>
Nkinder https://wiki.openstack.org/w/index.php?title=Security_Notes&diff=90485 Security Notes 2015-09-17T18:27:16Z <p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0059|OSSN-0059]] - Trusted vm can be powered on untrusted host ('''work in progress''')<br />
* [[OSSN/OSSN-0058|OSSN-0058]] - Cinder LVMISCIDriver allows possible unauthenticated mounting of volumes ('''work in progress''')<br />
* [[OSSN/OSSN-0057|OSSN-0057]] - DoS style attack on Glance service can lead to service interruption or disruption ('''work in progress''')<br />
* [[OSSN/OSSN-0056|OSSN-0056]] - Keystonemiddleware allowing access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0055|OSSN-0055]] - Service accounts may have cloud admin privileges (2 Sep 2015)<br />
* [[OSSN/OSSN-0054|OSSN-0054]] - Another Horizon login page vulnerability to a DoS attack ('''work in progress''')<br />
* [[OSSN/OSSN-0053|OSSN-0053]] - Keystone token disclosure may result in malicious trust creation ('''work in progress''')<br />
* [[OSSN/OSSN-0052|OSSN-0052]] - Python-swiftclient exposes raw token values in debug logs (17 Sep 2015)<br />
* [[OSSN/OSSN-0051|OSSN-0051]] - keystonemiddleware can allow access after token revocation ('''work in progress''')<br />
* [[OSSN/OSSN-0050|OSSN-0050]] - Disabling users & groups may not invalidate previously-issued tokens ('''work in progress''')<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>
Nkinder https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0052&diff=90484 OSSN/OSSN-0052 2015-09-17T18:26:29Z <p>Nkinder: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Python-swiftclient exposes raw token values in debug logs ==<br />
<br />
=== Summary ===<br />
The password and authentication token configuration options for the<br />
python-swiftclient are not marked as secret. The values of these options<br />
will be logged to the standard logging output when the controller is run<br />
in debug mode.<br />
<br />
=== Affected Services / Software ===<br />
Python-swiftclient, Swift, Glance, Juno, Kilo<br />
<br />
=== Discussion ===<br />
When using the python-swiftclient to connect to Glance, and the<br />
'glance-api.conf' has set the value of the debug option to True, the<br />
requests sent through the API, including user and token details, will be<br />
captured in the local log mechanism.<br />
<br />
=== Recommended Actions ===<br />
It is recommended to use the debug level in configurations only when<br />
necessary to troubleshoot an issue. When the debug flag is set, the<br />
resulting logs should be treated as having sensitive information and as<br />
such should have strict permissions around the file and containing<br />
directory set in the operating system. Additionally, the logs should<br />
not be transported off the system in plaintext such as through syslog.<br />
<br />
The debug level can be turned off by setting the following option in<br />
the `glance-api.conf` file:<br />
<br />
[DEFAULT]<br />
debug = false<br />
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0052<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/python-swiftclient/+bug/1470740<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div>
Nkinder https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0049&diff=85313 OSSN/OSSN-0049 2015-07-07T13:46:05Z <p>Nkinder: /* Discussion */</p>
<hr />
<div>__NOTOC__<br />
<br />
== Nova ironic driver logs sensitive information while operating in debug mode ==<br />
=== Summary ===<br />
The password and authentication token configuration options for the<br />
ironic driver in nova are not marked as secret. The values of these<br />
options will be logged to the standard logging output when the<br />
controller is run in debug mode.<br />
<br />
=== Affected Services / Software ===<br />
Nova, Ironic, Juno, Kilo<br />
<br />
=== Discussion ===<br />
When using nova with the ironic driver, an operator will need to specify<br />
either the password or an authentication token for the ironic admin<br />
user's keystone credentials. Under normal circumstances this is not an<br />
issue, but when running the API server with logging levels set to<br />
include the DEBUG message level these credentials will be exposed in<br />
the logs.<br />
<br />
Logging of configuration values is controlled by the `secret` flag for<br />
any oslo configuration option. Without this flag set, the value for a<br />
configuration option will be displayed in the logs. In the case of the<br />
ironic credentials, these options are not marked as secret.<br />
<br />
This presents a challenge to any operator who might have increased the<br />
log verbosity for the purposes of debugging or extended log collection.<br />
Depending on permissions and log storage location, these values could<br />
be read by an intruder to the system. The credentials will provide<br />
anyone who controls them access to the ironic API server's<br />
administrative functions. Additionally, they could be used in conjunction<br />
with OpenStack Identity functions to issue new authentication tokens or<br />
perform further malicious activity depending on the scope of the<br />
administrative account access (for example, modifying account<br />
permissions).<br />
<br />
All nova installations that have values defined for the<br />
`admin_password` or `admin_auth_token` options in the `ironic` section,<br />
and have set `debug=true` in the `DEFAULT` section of their<br />
configuration file will be affected by this issue.<br />
<br />
=== Recommended Actions ===<br />
As of the Liberty-1 release of nova, this issue has been resolved.<br />
It has also been backported to the Kilo and Juno stable releases, which<br />
can be expected in the 2015.1.1 and 2014.2.4 tags, respectively.<br />
<br />
Where possible, nova deployments should be updated to one of these<br />
releases: Liberty-1, 2015.1.1 (Kilo), or 2014.2.4 (Juno).<br />
<br />
If updating the nova deployment is not feasible, operators should<br />
turn off the debug logging level whenever it is not in use and ensure<br />
that log files produced from those debug sessions are stored securely.<br />
To disable the debug log level, the nova configuration file should be<br />
edited as follows:<br />
<br />
[DEFAULT]<br />
debug = False<br />
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0049<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1451931<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg<br />
* Oslo Config Special Handling Instructions: http://docs.openstack.org/developer/oslo.config/cfg.html#special-handling-instructions</div>
Nkinder https://wiki.openstack.org/w/index.php?title=Security_Notes&diff=85312 Security Notes 2015-07-07T13:43:31Z <p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0049|OSSN-0049]] - Nova ironic driver logs sensitive information while operating in debug mode (7 Jul 2015)<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>
Nkinder https://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0049&diff=85311 OSSN/OSSN-0049 2015-07-07T13:42:44Z <p>Nkinder: Created page with "__NOTOC__ == Nova ironic driver logs sensitive information while operating in debug mode == === Summary === The password and authentication token configuration options for th..."</p>
<hr />
<div>__NOTOC__<br />
<br />
== Nova ironic driver logs sensitive information while operating in debug mode ==<br />
=== Summary ===<br />
The password and authentication token configuration options for the<br />
ironic driver in nova are not marked as secret. The values of these<br />
options will be logged to the standard logging output when the<br />
controller is run in debug mode.<br />
<br />
=== Affected Services / Software ===<br />
Nova, Ironic, Juno, Kilo<br />
<br />
=== Discussion ===<br />
When using nova with the ironic driver, an operator will need to specify<br />
either the password or an authentication token for the ironic admin<br />
user's keystone credentials. Under normal circumstances this is not an<br />
issue, but when running the API server with logging levels set to<br />
include the DEBUG message level these credentials will be exposed in<br />
the logs.<br />
<br />
Logging of configuration values is controlled by the `secret` flag for<br />
any oslo configuration option. Without this flag set, the value for a<br />
configuration option will be displayed in the logs. In the case of the<br />
ironic credentials, these options are not marked as secret.<br />
<br />
This presents a challenge to any operator who might have increased the<br />
log verbosity for the purposes of debugging or extended log collection.<br />
Depending on permissions and log storage location, these values could<br />
be read by an intruder to the system. The credentials will provide<br />
anyone who controls them access to the ironic API server's<br />
administrative functions. Additionally, they could be used in conjunction<br />
with OpenStack Identity functions to issue new authentication tokens or<br />
perform further malicious activity depending on the scope of the<br />
administrative account access (for example, modifying account<br />
permissions).<br />
<br />
All nova installations that have values defined for the<br />
`admin_password` or `admin_auth_token` options in the `ironic` section,<br />
and have set `debug=true` in the `DEFAULT` section of their<br />
configuration file will be affected by this issue.<br />
<br />
=== Recommended Actions ===<br />
As of the Liberty-1 release of nova, this issue has been resolved.<br />
It has also been backported to the Kilo and Juno stable releases, which<br />
can be expected in the 2015.1.1 and 2014.2.4 tags, respectively.<br />
<br />
Where possible, nova deployments should be updated to one of these<br />
releases: Liberty-1, 2015.1.1 (Kilo), or 2014.2.4 (Juno).<br />
<br />
If updating the nova deployment is not feasible, operators should<br />
turn off the debug logging level whenever it is not in use and ensure<br />
that log files produced from those debug sessions are stored securely.<br />
To disable the debug log level, the nova configuration file should be<br />
edited as follows:<br />
<br />
[DEFAULT]<br />
debug = False<br />
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0049<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1451931<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg<br />
* Oslo Config Special Handling Instructions: http://docs.openstack.org/developer/oslo.config/cfg.html#special-handling-instructions</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=80876Security Notes2015-05-11T14:17:53Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode can also set Pecan to debug (11 May 2015)<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0046&diff=80875OSSN/OSSN-00462015-05-11T14:17:04Z<p>Nkinder: /* OSSN-0046 */</p>
<hr />
<div>__NOTOC__<br />
<br />
== Setting services to debug mode can also set Pecan to debug ==<br />
<br />
=== Summary ===<br />
When debug mode is set for a service using Pecan (via ''--debug'' or<br />
''CONF.debug=True'') Pecan is also set to debug. This can result in<br />
accidental information disclosures.<br />
<br />
=== Affected Services / Software ===<br />
Blazar, Ceilometer, Cue, Gnocchi, Ironic, Kite, Libra, Pecan, Tuskar<br />
<br />
=== Discussion ===<br />
Although it's best practice to run production environments with<br />
debugging functionality disabled, experience shows us that many<br />
deployers choose to run OpenStack with debugging enabled to aid with<br />
administration and fault finding.<br />
<br />
When Pecan is running in debug mode, the following capabilities are made<br />
available to anyone who can interact with the API service:<br />
<br />
* Retrieve a stack trace of failed Pecan calls<br />
* Retrieve a full list of environment variables containing potentially<br />
sensitive information such as API credentials, passwords etc.<br />
* Set an execution breakpoint which hangs the service with a pdb shell,<br />
resulting in a denial of service<br />
<br />
<br />
=== Recommended Actions ===<br />
At time of writing, Ceilometer, Gnocchi and Ironic have released fixes.<br />
Deployers are encouraged to apply these fixes (see launchpad bug in<br />
References) in their clouds. For services that do not have a fix, or<br />
where fixes cannot be applied in existing deployments, we advise not<br />
using the debug configuration for affected services in production<br />
environments.<br />
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0046<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/ironic/+bug/1425206<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg<br />
* Pecan : http://www.pecanpy.org/</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=78684Security Notes2015-04-30T14:54:38Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance method filtering does not work under certain conditions (30 Apr 2015)<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode also sets Pecan to debug ('''Work in progress''')<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0048&diff=78683OSSN/OSSN-00482015-04-30T14:54:05Z<p>Nkinder: Created page with "__notoc__ == Glance method filtering does not work under certain conditions == === Summary === Glance is using the Python assert statement for validating the HTTP method typ..."</p>
<hr />
<div>__notoc__<br />
<br />
== Glance method filtering does not work under certain conditions ==<br />
<br />
=== Summary ===<br />
Glance is using the Python assert statement for validating the HTTP<br />
method type in its caching middleware for some image endpoints. The<br />
Python documentation states that when optimization is requested<br />
(command line option -O), assert statements will not be evaluated.<br />
This results in a condition where these method validations will not<br />
occur and can allow a specific method to be called with a different<br />
HTTP verb.<br />
<br />
=== Affected Services / Software ===<br />
Glance, Icehouse, Juno, Kilo<br />
<br />
=== Discussion ===<br />
Glance uses the Python assert statement to validate the HTTP method<br />
for some of the image endpoints in the version 1 and 2 REST interfaces.<br />
In circumstances where glance is being run with Python optimization<br />
enabled (by using the -O command line option), these assert statements<br />
will not be evaluated. In these cases, the HTTP verb is unchecked for<br />
the requested endpoints.<br />
<br />
The endpoints and methods affected by this are the following:<br />
<br />
* GET on /v1/images/{image_id}<br />
* DELETE on /v1/images/{image_id}<br />
* GET on /v2/images/{image_id}/file<br />
* DELETE on /v2/images/{image_id}<br />
<br />
<br />
This can lead to access violations in some configurations. For<br />
example, if filtering were occurring in front of the glance API to<br />
restrict queries based on HTTP method and IP address, an attacker<br />
could circumvent this filtering by matching the endpoint regular<br />
expression and providing a different HTTP verb. In this example<br />
an attacker would be able to download or delete images from glance.<br />
<br />
Assume a user is restricted by network filtering to sending only<br />
DELETE requests to the glance API endpoint. The user could attempt to<br />
circumvent the filtering by sending a crafted request to the endpoint<br />
that would actually retrieve the named image. If an image ID were known<br />
to be "12345", then a DELETE request sent to the glance API endpoint<br />
"/v2/images/12345/file" would end up matching the GET URI pattern. This<br />
would retrieve the image from glance, thus bypassing the filtering.<br />
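The mechanism above, as an added demonstration that is not Glance's own middleware code: two constructed stand-ins for a GET-only image endpoint are run in a child interpreter with and without -O, showing the assert-based check vanish under optimisation while an explicit conditional keeps rejecting the wrong verb.<br />
<br />
```python
"""Added demonstration (not Glance code): why an HTTP method check written as
``assert`` disappears under ``python -O`` or PYTHONOPTIMIZE, and why an explicit
conditional does not. The endpoint stand-ins below are constructed."""
import os
import subprocess
import sys
import textwrap

# Constructed stand-ins for a GET-only image endpoint, checked two ways.
# They run in a child interpreter so the optimisation flag can vary per call.
CHILD_SCRIPT = textwrap.dedent('''
    import sys

    class MethodNotAllowed(Exception):
        pass

    def image_file_assert(method):
        # Pattern described in OSSN-0048: removed entirely when -O is in effect.
        assert method == "GET", "method not allowed"
        return "image bytes"

    def image_file_explicit(method):
        # Hardened form: an ordinary conditional survives optimisation.
        if method != "GET":
            raise MethodNotAllowed(method)
        return "image bytes"

    checker, method = sys.argv[1], sys.argv[2]
    try:
        globals()[checker](method)
        print("served")
    except (AssertionError, MethodNotAllowed):
        print("rejected")
''')


def outcome(checker, method, optimize):
    """Return 'served' or 'rejected' for one request against one checker,
    with or without the interpreter's -O flag."""
    cmd = [sys.executable]
    if optimize:
        cmd.append("-O")
    cmd += ["-c", CHILD_SCRIPT, checker, method]
    # Drop PYTHONOPTIMIZE so the unoptimised case is really unoptimised;
    # the environment variable enables -O just as the command-line flag does.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONOPTIMIZE"}
    done = subprocess.run(cmd, capture_output=True, text=True, check=True, env=env)
    return done.stdout.strip()


def asserts_active():
    """True when this interpreter still evaluates assert statements; a quick
    way for an operator to tell whether a service process runs optimised."""
    return __debug__


if __name__ == "__main__":
    for checker in ("image_file_assert", "image_file_explicit"):
        for optimize in (False, True):
            print(checker, "-O" if optimize else "  ", "DELETE ->",
                  outcome(checker, "DELETE", optimize))
```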
<br />
=== Recommended Actions ===<br />
As of the Kilo-rc1 release of glance, this vulnerability has been<br />
patched. It has also been backported to the stable branch of the Juno<br />
release and will be officially updated in the 2014.2.4 tag of glance.<br />
This will not be fixed for Icehouse.<br />
<br />
Kilo deployments should be updated to the rc1 tag. Juno deployments<br />
should be updated to the 2014.2.4 tag. Operators maintaining Icehouse<br />
deployments of glance should consider upgrading to the Juno 2014.2.4<br />
release.<br />
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0048<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/glance/+bug/1414532<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg<br />
* Python assert documentation: https://docs.python.org/3/reference/simple_stmts.html#the-assert-statement<br />
* Python optimize documentation: https://docs.python.org/2/using/cmdline.html#envvar-PYTHONOPTIMIZE<br />
* Glance v1 API: http://developer.openstack.org/api-ref-image-v1.html<br />
* Glance v2 API: http://developer.openstack.org/api-ref-image-v2.html</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=77779Security Notes2015-04-19T18:32:26Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0048|OSSN-0048]] - Glance using assert for method checking in middleware ('''Work in progress''')<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - Keystone does not validate that identity providers match federation mappings (19 Apr 2015)<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode also sets Pecan to debug ('''Work in progress''')<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0047&diff=77778OSSN/OSSN-00472015-04-19T18:31:46Z<p>Nkinder: Created page with "__NOTOC__ == Keystone does not validate that identity providers match federation mappings == === Summary === Keystone's OS-FEDERATION extension does not enforce a link betwee..."</p>
<hr />
<div>__NOTOC__<br />
<br />
== Keystone does not validate that identity providers match federation mappings ==<br />
=== Summary ===<br />
Keystone's OS-FEDERATION extension does not enforce a link between an<br />
identity provider and a federation mapping. This can lead to assertions<br />
or claims from one identity provider being used with mappings intended<br />
for use with another identity provider, which could result in users<br />
obtaining access to resources that they are not intended to have.<br />
<br />
=== Affected Services / Software ===<br />
Keystone, Juno, Kilo<br />
<br />
=== Discussion ===<br />
Keystone's OS-FEDERATION extension allows for a set of environment<br />
variables provided by a trusted identity provider to be used as mapping<br />
inputs to determine group membership (and ultimately role assignment).<br />
Mapping rules are intended to be identity provider specific, as<br />
different identity providers provide their assertions or claims in<br />
different forms.<br />
<br />
In the Juno release of Keystone, there is no ability within Keystone<br />
itself to enforce that assertions or claims from an identity provider<br />
are actually being used against a mapping that is associated with that<br />
same identity provider. A malicious user from one trusted identity<br />
provider could access a Keystone federated authentication URL for a<br />
different trusted identity provider. Depending on the content of the<br />
assertions or claims and the mapping rules, this could result in a user<br />
gaining access to resources that they are not intended to access.<br />
<br />
Consider an example deployment where Keystone is configured to trust two<br />
identity providers ('idp1' and 'idp2'). The federation mapping for<br />
'idp1' might result in users of the 'devops' group having the 'admin'<br />
role on a specific project. If a user with an assertion or claim from<br />
'idp2' that says they are in the 'devops' group uses the authentication<br />
URL that is associated with 'idp1', they could also be given the 'admin'<br />
role just as if they were a 'devops' user from 'idp1'. This access<br />
should not be allowed.<br />
<br />
=== Recommended Actions ===<br />
Even though the Juno release of Keystone does not have the ability to<br />
enforce that an identity provider and a mapping match, it is possible to<br />
configure the frontend webserver that is used to deploy Keystone to<br />
perform this enforcement. Each identity provider supported by Keystone<br />
has its own authentication URL. It is recommended that the webserver<br />
configuration set up its underlying federation plug-ins to<br />
cryptographically enforce that an identity provider is only valid for<br />
its associated authentication URL.<br />
<br />
For example, the SAML protocol uses an asymmetric keypair to sign the<br />
requests and responses that are transmitted between an identity provider<br />
and a service provider (Keystone in our case). When using Apache HTTPD<br />
as a webserver for Keystone, a separate 'Location' directive can be used<br />
for each federated authentication URL. The directives that define the<br />
certificate of the identity provider for the underlying HTTPD module<br />
that is handling the SAML protocol can be defined within the identity<br />
provider specific 'Location' directives. This will ensure that a signed<br />
SAML assertion from one trusted identity provider will only be<br />
successfully validated when used against the appropriate authentication<br />
URL.<br />
<br />
Here is an example with the mod_auth_mellon HTTPD module:<br />
<br />
<Location /v3/OS-FEDERATION/identity_providers/idp1/protocols/saml2/auth><br />
AuthType "Mellon"<br />
MellonEnable "auth"<br />
...<br />
MellonIdPMetadataFile /etc/httpd/mellon/idp1-metadata.xml<br />
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/idp1/protocols/saml2/auth/mellon<br />
</Location><br />
<br />
<Location /v3/OS-FEDERATION/identity_providers/idp2/protocols/saml2/auth><br />
AuthType "Mellon"<br />
MellonEnable "auth"<br />
...<br />
MellonIdPMetadataFile /etc/httpd/mellon/idp2-metadata.xml<br />
MellonEndpointPath /v3/OS-FEDERATION/identity_providers/idp2/protocols/saml2/auth/mellon<br />
</Location><br />
<br />
In the above example, we have two identity providers ('idp1' and<br />
'idp2'). Each identity provider has its own 'Location' directive,<br />
and the 'MellonIdPMetadataFile' directive that points to the metadata<br />
that contains the certificate of the identity provider is specific to<br />
each 'Location' directive. This configuration will not allow a signed<br />
assertion from 'idp1' to be used against the authentication URL for<br />
'idp2'. An attempt to do so would be rejected by mod_auth_mellon and<br />
would never actually reach Keystone's OS-FEDERATION extension.<br />
<br />
It is recommended to read the Keystone federation documentation as well<br />
as the documentation for the HTTPD module that you are using for your<br />
federation method of choice. Some useful links to this documentation<br />
are provided in the references section of this note.<br />
<br />
In the Kilo release of Keystone, it is also possible to have Keystone<br />
enforce that an assertion actually comes from the identity provider that<br />
is associated with the authentication URL. This is performed by<br />
comparing an identity provider identifier value from the assertion or<br />
claim with an identifier that is stored as a part of the identity<br />
provider within Keystone.<br />
<br />
To enable this functionality, you must set the 'remote_id_attribute'<br />
setting in keystone.conf, which defines the environment variable that<br />
contains the identity provider identifier. You then must add the<br />
identifier value that the 'remote_id_attribute' will contain as one of<br />
the 'remote_ids' values of the associated identity provider in Keystone.<br />
This can be done using the Identity API directly, or via the 'openstack'<br />
command-line utility.<br />
<br />
It is recommended that you use a webserver configuration that has<br />
identity provider specific 'Location' directives as described above in<br />
addition to using the new 'remote_ids' checking in the Kilo release.<br />
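<br />
The following is an added illustration of the Kilo remote_ids check, not Keystone's own code. It models the decision Keystone makes from four inputs: the request path (which names the identity provider), the environment populated by the HTTPD federation module (mod_auth_mellon exports the asserting IdP's entityID as MELLON_IDP, mod_shib as Shib-Identity-Provider, so keystone.conf would carry '[federation] remote_id_attribute = MELLON_IDP' or 'Shib-Identity-Provider' respectively), the remote_id_attribute setting, and the remote_ids registered on each identity provider. The identity provider registry, the entityID values and the requests below are constructed sample data.<br />

```python
"""Model of the Kilo remote_ids check: does the asserting IdP match the IdP
named in the authentication URL?  Added example, not Keystone's code."""
import re

# Constructed registry standing in for Keystone's identity provider table.
# 'legacy' has no remote_ids, as an IdP created before Kilo would.
IDENTITY_PROVIDERS = {
    "idp1": {"enabled": True, "remote_ids": ["https://idp1.example.com/idp/metadata"]},
    "idp2": {"enabled": True, "remote_ids": ["https://idp2.example.com/idp/metadata"]},
    "legacy": {"enabled": True, "remote_ids": []},
}

AUTH_URL = re.compile(
    r"^/v3/OS-FEDERATION/identity_providers/(?P<idp>[^/]+)"
    r"/protocols/(?P<proto>[^/]+)/auth$")


class Unauthorized(Exception):
    """Request cannot be authenticated (bad URL, unknown IdP, missing attribute)."""


class Forbidden(Exception):
    """Assertion is valid but was issued by a different IdP than the URL names."""


def idp_from_path(path):
    """Extract (idp_id, protocol_id) from a federation authentication URL."""
    match = AUTH_URL.match(path)
    if not match:
        raise Unauthorized("not a federation auth URL: %s" % path)
    return match.group("idp"), match.group("proto")


def validate_idp(idp_id, environ, remote_id_attribute, registry=IDENTITY_PROVIDERS):
    """Check that the assertion's issuer is one of idp_id's registered remote_ids.

    Returns the matched remote id, or None when the check is not configured
    (no remote_id_attribute, or an IdP without remote_ids).  In that case only
    the webserver's per-IdP Location blocks separate the two IdPs, which is
    why the note recommends using both.
    """
    idp = registry.get(idp_id)
    if idp is None or not idp["enabled"]:
        raise Unauthorized("unknown or disabled identity provider %s" % idp_id)
    if not remote_id_attribute or not idp["remote_ids"]:
        return None
    remote_id = environ.get(remote_id_attribute)
    if remote_id is None:
        raise Unauthorized("environment carries no %s attribute" % remote_id_attribute)
    if remote_id not in idp["remote_ids"]:
        raise Forbidden("assertion from %s presented at the URL for %s"
                        % (remote_id, idp_id))
    return remote_id


def decide(path, environ, remote_id_attribute="MELLON_IDP"):
    """Return 'allow', 'forbidden' or 'unauthorized' for one federated request."""
    try:
        idp_id, _proto = idp_from_path(path)
        validate_idp(idp_id, environ, remote_id_attribute)
    except Forbidden:
        return "forbidden"
    except Unauthorized:
        return "unauthorized"
    return "allow"


if __name__ == "__main__":
    url = "/v3/OS-FEDERATION/identity_providers/%s/protocols/saml2/auth"
    assertion_from_idp1 = {"MELLON_IDP": "https://idp1.example.com/idp/metadata",
                           "REMOTE_USER": "alice"}
    # A signed idp1 assertion replayed at idp2's URL is rejected by the check.
    print("idp1 assertion at idp2 URL:", decide(url % "idp2", assertion_from_idp1))
    # The same assertion at its own URL is accepted.
    print("idp1 assertion at idp1 URL:", decide(url % "idp1", assertion_from_idp1))
    # An IdP registered without remote_ids is not checked at all.
    print("idp1 assertion at legacy URL:", decide(url % "legacy", assertion_from_idp1))
```

The 'legacy' case is the caveat: an identity provider with an empty remote_ids list gets no comparison, so every identity provider must have its remote_ids populated (with python-openstackclient, the --remote-id option of 'openstack identity provider create' or 'set') before the check offers any protection.<br />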
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0047<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/keystone/+bug/1390124<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg<br />
* Keystone Federation Docs : http://docs.openstack.org/developer/keystone/configure_federation.html<br />
* mod_auth_mellon Docs : https://github.com/UNINETT/mod_auth_mellon/wiki<br />
* mod_shib Docs : https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPApacheConfig<br />
* mod_auth_openidc Docs : https://github.com/pingidentity/mod_auth_openidc</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=77239Security Notes2015-04-09T14:53:51Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0047|OSSN-0047]] - No validation between client's IdP and Keystone IdP ('''Work in progress''')<br />
* [[OSSN/OSSN-0046|OSSN-0046]] - Setting services to debug mode also sets Pecan to debug ('''Work in progress''')<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux iSCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=75407Security Notes2015-03-11T18:10:47Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0045|OSSN-0045]] - Vulnerable clients allow a TLS protocol downgrade (FREAK) (11 Mar 2015)<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux iSCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0045&diff=75405OSSN/OSSN-00452015-03-11T18:10:07Z<p>Nkinder: </p>
<hr />
<div>__NOTOC__<br />
<br />
== Vulnerable clients allow a TLS protocol downgrade (FREAK)==<br />
<br />
=== Summary ===<br />
Some client-side libraries, including un-patched versions of OpenSSL,<br />
contain a vulnerability which allows a man-in-the-middle (MITM) to<br />
force the negotiation of a weak, export-grade cipher suite that the<br />
client never offered. Even though this vulnerability exists on the<br />
client side, the attack known as FREAK is only exploitable when the TLS<br />
server still accepts those weak cipher suites. This security note<br />
provides guidance to mitigate the FREAK attack on the server side, so<br />
that TLS provides reasonable security even for un-patched clients.<br />
<br />
=== Affected Services / Software ===<br />
Any service using TLS. Depending on the backend TLS library, this<br />
can include many components of an OpenStack cloud:<br />
<br />
* OpenStack services<br />
* OpenStack clients<br />
* Web servers (Apache, Nginx, etc)<br />
* SSL/TLS terminators (Stud, Pound, etc)<br />
* Proxy services (HAProxy, etc)<br />
* Miscellaneous services (eventlet, syslog, ldap, smtp, etc)<br />
<br />
=== Discussion ===<br />
TLS connections are established by a process known as the TLS handshake.<br />
During this process the client first sends a message to the server known<br />
as the ClientHello, in which, among other things, the client lists all of<br />
the TLS cipher suites it supports. In the next step, the server responds<br />
with its own ServerHello, in which it picks one of the cipher suites the<br />
client offered. After this the client and server continue on to securely<br />
exchange a secret which becomes the master key.<br />
<br />
The FREAK attack exploits a flaw in client logic in which vulnerable<br />
clients don't actually check that the cipher suite selected by the<br />
server was one they had offered in the first place. This creates the<br />
possibility that an attacker on the network somewhere between the client<br />
and server can alter the client's ClientHello, removing all choices<br />
except for very weak "export grade" cipher suites. If the server<br />
supports these weak suites it will (regretfully) choose one, since that<br />
appears to be the only option the client supports, and send it back in<br />
the ServerHello message.<br />
<br />
Export grade ciphers are a legacy of a time when the US government<br />
prohibited the export of cryptographic ciphers which were stronger than<br />
512 bits for asymmetric ciphers and 40 bits for symmetric ciphers. Today<br />
these ciphers are easily and quickly crackable using commodity hardware<br />
or cloud resources.<br />
<br />
=== Recommended Actions ===<br />
Since this is a vulnerability in client logic, the best option is to<br />
ensure that all clients update to a fixed version of the affected<br />
library. For details about upgrading OpenSSL please see the link to<br />
the OpenSSL advisory in the "Further discussion" section below. Since it<br />
is not safe to assume that every client has been updated, the weakness<br />
should also be mitigated on the TLS server side.<br />
<br />
To mitigate the FREAK attack on the server side, we need to remove<br />
support for any ciphers which are weak. This is to prevent a MITM from<br />
forcing the negotiation of a weak cipher. In particular we need to<br />
remove support for any export grade ciphers, which are especially weak.<br />
<br />
The first step is to find out which cipher suites your TLS server<br />
currently accepts. Two useful tools exist for this: the SSL Server Test<br />
at Qualys SSL Labs can scan any web-accessible endpoint, and SSLScan is<br />
a command line tool which attempts a TLS connection to a server with<br />
every possible cipher suite. Please see "Tools" below for links to both.<br />
<br />
The specific steps required to configure which cipher suites are<br />
supported in a TLS deployment depend on the software and configuration,<br />
and are beyond the scope of this note. Some good starting places are<br />
provided below in the section: "Resources for configuring TLS options".<br />
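<br />
As an added example (not part of this note or of either tool it mentions), the probe below does for the FREAK-relevant suites what SSLScan does for every suite: it builds a TLS 1.0 ClientHello that offers only the RSA and DH export-grade cipher suites from the TLS 1.0/1.1 specifications and classifies the server's first record. A ServerHello means the server selected an export suite and a MITM could force it on an un-patched client; a handshake_failure alert (description 40) means the server refused. The host and port are command line arguments; the sample ServerHello and alert records used when no host is given are constructed bytes, not captured traffic.<br />

```python
"""Probe a TLS server for acceptance of export-grade cipher suites.

Added example, not from OSSN-0045 or from SSLScan.  Builds a minimal TLS 1.0
ClientHello offering only export suites and parses the server's reply.
"""
import os
import socket
import struct

# Export-grade suite identifiers and names as listed in RFC 2246 / RFC 4346.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}

HANDSHAKE, ALERT = 0x16, 0x15   # TLS record content types
TLS_1_0 = b"\x03\x01"


def build_client_hello(suites, random_bytes=None):
    """Return one TLS record carrying a ClientHello that offers only `suites`."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (TLS_1_0 + rnd + b"\x00"                     # version, random, empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return bytes([HANDSHAKE]) + TLS_1_0 + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record the server sent back.

    Returns ("accepted", suite_id) for a ServerHello, ("rejected", alert_description)
    for an alert record, and ("unknown", None) for anything else.
    """
    if len(data) < 5:
        return ("unknown", None)
    rec_type = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type == ALERT and len(payload) >= 2:
        return ("rejected", payload[1])                  # payload = level, description
    if rec_type == HANDSHAKE and payload and payload[0] == 0x02:
        # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid cipher(2)
        if len(payload) < 41:
            return ("unknown", None)
        sid_len = payload[38]
        if len(payload) < 41 + sid_len:
            return ("unknown", None)
        suite = struct.unpack("!H", payload[39 + sid_len:41 + sid_len])[0]
        return ("accepted", suite)
    return ("unknown", None)


def describe(result):
    """Turn a parse_server_response() result into a one-line verdict."""
    verdict, detail = result
    if verdict == "accepted":
        return "VULNERABLE: server chose %s" % EXPORT_SUITES.get(detail, hex(detail))
    if verdict == "rejected":
        return "OK: server refused the offer (alert description %d)" % detail
    return "UNKNOWN: unexpected response"


def check_export_suites(host, port=443, timeout=5.0):
    """Connect to host:port, offer only export suites, and report the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(EXPORT_SUITES)))
        data = sock.recv(4096)
    return describe(parse_server_response(data))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_export_suites(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        # Constructed records: a ServerHello selecting 0x0003, and a handshake_failure alert.
        server_hello = (b"\x16\x03\x01\x00\x2a" + b"\x02\x00\x00\x26" + b"\x03\x01"
                        + b"\x11" * 32 + b"\x00" + b"\x00\x03" + b"\x00")
        alert = b"\x15\x03\x01\x00\x02\x02\x28"
        print(describe(parse_server_response(server_hello)))
        print(describe(parse_server_response(alert)))
```

Alert descriptions other than 40 (for example 70, protocol_version) mean the server would not negotiate TLS 1.0 at all, which also rules out this probe's attack path. When the probe reports VULNERABLE, the fix belongs in the server's cipher list: with OpenSSL-style cipher strings (Apache's SSLCipherSuite, HAProxy's ssl-default-bind-ciphers, and similar) appending !EXP, together with !aNULL and !eNULL, removes the export and anonymous suites.<br />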
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0045<br />
* Original LaunchPad Bug : N/A<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg<br />
* CVE: CVE-2015-0204 (OpenSSL)<br />
* Further discussion of the issue:<br />
** http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html<br />
** https://www.smacktls.com/<br />
** https://www.openssl.org/news/secadv_20150108.txt<br />
* Tools:<br />
** SSLScan: http://sourceforge.net/projects/sslscan/<br />
** SSL Server Test: https://www.ssllabs.com/ssltest/<br />
* Resources for configuring TLS options:<br />
** In OpenStack: http://docs.openstack.org/security-guide/content/tls-proxies-and-http-services.html</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=74748Security Notes2015-03-02T21:08:15Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0044|OSSN-0044]] - Older versions of noVNC allow session theft (2 Mar 2015)<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux iSCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0044&diff=74747OSSN/OSSN-00442015-03-02T21:07:36Z<p>Nkinder: Created page with "__NOTOC__ == Older versions of noVNC allow session theft == === Summary === Commonly packaged versions of noVNC allow an attacker to hijack user sessions even when TLS is ena..."</p>
<hr />
<div>__NOTOC__<br />
<br />
== Older versions of noVNC allow session theft ==<br />
=== Summary ===<br />
Commonly packaged versions of noVNC allow an attacker to hijack user<br />
sessions even when TLS is enabled. noVNC fails to set the secure flag<br />
when setting cookies containing an authentication token.<br />
<br />
=== Affected Services / Software ===<br />
Nova, when embedding noVNC prior to v0.5<br />
<br />
=== Discussion ===<br />
Versions of noVNC prior to October 28, 2013 do not properly set the<br />
secure flag on cookies for pages served over TLS. Since noVNC stores<br />
authentication tokens in these cookies, an attacker who can modify<br />
user traffic can steal these tokens and connect to the VNC session.<br />
<br />
Affected deployments can be identified by looking for the "secure"<br />
flag on the token cookie set by noVNC on TLS-enabled installations. If<br />
the secure flag is missing, the installation is vulnerable.<br />
<br />
At the time of writing, Debian, Ubuntu and Fedora do not provide<br />
versions of this package with the appropriate patch.<br />
<br />
=== Recommended Actions ===<br />
noVNC should be updated to version 0.5 or later. If this is not<br />
possible, the upstream patch should be applied individually.<br />
<br />
Upstream patch:<br />
https://github.com/kanaka/noVNC/commit/ad941faddead705cd611921730054767a0b32dcd<br />
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0044<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/nova/+bug/1420942<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg<br />
* CVE: in progress - http://www.openwall.com/lists/oss-security/2015/02/17/1</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=73151Security Notes2015-02-06T16:37:24Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0043|OSSN-0043]] - glibc 'Ghost' vulnerability can allow remote code execution (5 Feb 2015)<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux iSCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0043&diff=73044OSSN/OSSN-00432015-02-05T12:49:06Z<p>Nkinder: Created page with "__NOTOC__ == glibc 'GHOST' vulnerability can allow remote code execution == === Summary === A serious vulnerability in the GNU C library (glibc) gethostbyname* functions can..."</p>
<hr />
<div>__NOTOC__<br />
<br />
== glibc 'GHOST' vulnerability can allow remote code execution ==<br />
<br />
=== Summary ===<br />
A serious vulnerability in the GNU C library (glibc) gethostbyname*<br />
functions can allow an attacker to perform remote code execution with<br />
the privileges of the application that calls the gethostbyname*<br />
function. The vulnerable functions are used by a vast number of<br />
programs, effectively any time a network socket is used on a Linux<br />
system, so the full exploitability of this vulnerability will not<br />
become known immediately.<br />
<br />
The publishers of this vulnerability, Qualys, have announced a proof of<br />
concept exploit for the Exim mail server, which bypasses operating<br />
system protections such as ASLR and DEP.<br />
<br />
<br />
=== Affected Services / Software ===<br />
All versions running on Linux installations with a vulnerable glibc<br />
library.<br />
<br />
=== Discussion ===<br />
The GNU C library (glibc), from versions 2.2 to 2.17 inclusive, has<br />
a group of vulnerable functions for hostname/address resolution. There<br />
is a buffer overflow in the __nss_hostname_digits_dots() function which<br />
is used by the gethostbyname*() group of functions. The maximum amount<br />
of memory that can be overwritten is sizeof(char *), i.e. 4 bytes on<br />
typical 32-bit systems and 8 bytes on typical 64-bit systems.<br />
<br />
These low-level functions are linked by many other C/C++ programs and<br />
interpreted languages like Python, Perl and Bash, so this vulnerability<br />
is insidious and will appear in cases where it would not at first seem<br />
obvious. There are many cases in a typical Linux installation where<br />
these functions will be used, generally wherever a hostname is resolved<br />
to an IP address, although newer applications may use the IPv6-capable<br />
getaddrinfo() function instead.<br />
<br />
This vulnerability could let an attacker remotely execute code in cases<br />
where they control the input to a function that performs hostname<br />
resolution. There are no currently-known OpenStack-specific<br />
exploitation paths associated with this vulnerability. However, the<br />
Python socket library presents a gethostbyname() wrapper around the<br />
glibc function, and there are various ways in which this could be<br />
exposed.<br />
<br />
=== Recommended Actions ===<br />
The glibc library is loaded into memory when a process that uses it<br />
starts up, so to fix the vulnerability, glibc should be updated to a<br />
non-vulnerable version (2.18 or newer) and all services which use glibc<br />
should be restarted to replace the version in memory. Due to the number<br />
of places where these vulnerable functions are used, this effectively<br />
means that vulnerable systems must be restarted after updating glibc.<br />
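Two checks that follow from the recommended actions, as an added example that is not part of the OSSN: whether the running glibc falls in the 2.2 to 2.17 range stated above, and which processes still map a libc file that was replaced on disk (shown as "(deleted)" in /proc/PID/maps) and so still run the old code until restarted. The sample maps content is constructed; distributions that backport the fix keep the old version number, so the version check is a prompt to consult the vendor advisory, not proof of vulnerability.<br />

```python
"""Added example (not part of OSSN-0043): glibc version range check plus a
scan for processes still mapping a replaced libc, i.e. services that were
not restarted after the update."""
import os
import platform
import re

VULNERABLE_MIN = (2, 2)    # range stated in the OSSN (inclusive)
VULNERABLE_MAX = (2, 17)

# A libc mapping whose backing file was unlinked or replaced after the
# process started: the kernel appends "(deleted)" to the path in maps.
_STALE_LIBC = re.compile(r"/libc[-.][^\s]*so[^\s]*\s+\(deleted\)$")

# Constructed /proc/PID/maps excerpts for demonstration (not real captures).
SAMPLE_MAPS = {
    101: "7f1a r-xp 00000000 08:01 123 /lib/x86_64-linux-gnu/libc-2.17.so (deleted)\n",
    102: "7f1b r-xp 00000000 08:01 124 /lib/x86_64-linux-gnu/libc-2.18.so\n",
    103: "7f1c r-xp 00000000 08:01 125 /usr/lib/libcrypto.so.1.0.0 (deleted)\n",
}


def parse_glibc_version(text):
    """'2.17', '2.17.1' or 'glibc 2.12' -> (2, 17); None if unparsable."""
    m = re.search(r"(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def glibc_vulnerable(version_text):
    """True when the major.minor version lies in 2.2 .. 2.17 inclusive.
    Vendor backports keep the old number, so True means 'check the advisory'."""
    v = parse_glibc_version(version_text)
    if v is None:
        raise ValueError("cannot parse glibc version from %r" % (version_text,))
    return VULNERABLE_MIN <= v <= VULNERABLE_MAX


def running_glibc_version():
    """Version of the glibc this interpreter runs on, or None (musl, macOS)."""
    name, ver = platform.libc_ver()
    return ver if name == "glibc" and ver else None


def stale_libc_pids_from_maps(maps_by_pid):
    """Pure function over {pid: maps text}; returns PIDs whose libc mapping is
    marked deleted. Only libc itself matches, not e.g. libcrypto."""
    return sorted(pid for pid, text in maps_by_pid.items()
                  if any(_STALE_LIBC.search(line) for line in text.splitlines()))


def processes_using_stale_libc():
    """Read every readable /proc/PID/maps on this host and apply the check."""
    maps = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open("/proc/%s/maps" % entry) as f:
                maps[int(entry)] = f.read()
        except OSError:        # process exited, or not ours to inspect
            continue
    return stale_libc_pids_from_maps(maps)


if __name__ == "__main__":
    ver = running_glibc_version()
    if ver is None:
        print("no glibc detected on this system")
    elif glibc_vulnerable(ver):
        print("glibc %s is in the range the OSSN names; confirm with your vendor" % ver)
    else:
        print("glibc %s is outside the range the OSSN names" % ver)
    print("sample scan finds stale libc in PIDs:", stale_libc_pids_from_maps(SAMPLE_MAPS))
    if os.path.isdir("/proc"):
        print("processes on this host still mapping a replaced libc:",
              processes_using_stale_libc())
```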
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0043<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1415416<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg<br />
* CVE: CVE-2015-0235<br />
* Source advisory: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=70721Security Notes2014-12-18T06:41:10Z<p>Nkinder: </p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker (17 Dec 2014)<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0038&diff=70706OSSN/OSSN-00382014-12-18T02:06:32Z<p>Nkinder: Created page with "__NOTOC__ == Suds client subject to cache poisoning by local attacker == === Summary === Suds is a Python SOAP client for consuming Web Services. Its default cache implement..."</p>
<hr />
<div>__NOTOC__<br />
<br />
== Suds client subject to cache poisoning by local attacker ==<br />
<br />
=== Summary ===<br />
Suds is a Python SOAP client for consuming Web Services. Its default<br />
cache implementation stores pickled objects to a predictable path in<br />
/tmp. This can be used by a local attacker to redirect SOAP requests via<br />
symlinks or run a privilege escalation or code execution attack.<br />
<br />
=== Affected Services / Software ===<br />
Cinder, Nova, Grizzly, Havana, Icehouse<br />
<br />
=== Discussion ===<br />
The Python 'suds' package is used by oslo.vmware to interface with SOAP<br />
service APIs and both Cinder and Nova have dependencies on oslo.vmware<br />
when using VMware drivers. By default suds uses an on-disk cache that<br />
places pickle files, serialised Python objects, into a known location<br />
'/tmp/suds'. A local attacker could use symlinks or place crafted files<br />
into this location that will later be deserialised by suds.<br />
<br />
By manipulating the content of the cached pickle files, an attacker can<br />
redirect or modify SOAP requests. Alternatively, pickle may be used to<br />
run injected Python code during the deserialisation process. This can<br />
allow the spawning of a shell to execute arbitrary OS level commands<br />
with the permissions of the service using suds, thus leading to possible<br />
privilege escalation.<br />
<br />
At the time of writing, the suds package appears largely unmaintained<br />
upstream. However, vendors have released patched versions that do not<br />
suffer from the predictable cache path problem. Ubuntu is known to offer<br />
one such patched version (python-suds_0.4.1-2ubuntu1.1).<br />
<br />
=== Recommended Actions ===<br />
The recommended solution to this issue is to disable cache usage in the<br />
configuration as shown:<br />
<br />
client.set_options(cache=None)<br />
<br />
A fix has been released to oslo.vmware (0.6.0) that disables the use of<br />
the disk cache by default. Cinder and Nova have both adjusted their<br />
requirements to include this fixed version. Deployers wishing to re-enable<br />
the cache should ascertain whether or not their vendor shipped suds package<br />
is susceptible and consider the above advice.<br />
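Helpers for a deployer who wants to re-enable the cache safely, as an added example that is not the OSSN's or suds' own code: the recommended setting remains cache=None, and if a cache is used anyway it must sit in a directory that is not shared, predictable or writable by other local users, unlike /tmp/suds. suds is imported only if installed; the ObjectCache(location=...) keyword is assumed from the suds 0.4 API, and the demonstration touches only freshly created temp directories.<br />

```python
"""Added example (not part of OSSN-0038 or of suds): check that a cache
directory is private before handing it to suds, or disable the cache."""
import os
import stat
import tempfile


def cache_dir_is_private(path):
    """True only if `path` is a real directory (not a symlink), owned by the
    current user and writable by nobody else. A directory another local user
    could have pre-created or symlinked, such as /tmp/suds, fails."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != os.getuid():
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def make_private_cache_dir(parent=None):
    """Create a fresh mode-0700 directory with an unpredictable name. mkdtemp
    creates it exclusively, so a pre-planted entry cannot redirect it."""
    return tempfile.mkdtemp(prefix="suds-cache-", dir=parent)


def suds_cache_kwargs(cache_dir=None):
    """Keyword arguments for suds.client.Client(...) or client.set_options(...).
    cache_dir=None yields {'cache': None}, the setting the OSSN recommends."""
    if cache_dir is None:
        return {"cache": None}
    if not cache_dir_is_private(cache_dir):
        raise ValueError("refusing non-private cache directory %r" % (cache_dir,))
    try:
        from suds.cache import ObjectCache   # assumed suds 0.4 API
    except ImportError:
        # suds absent: describe what would have been passed, for inspection.
        return {"cache": {"ObjectCache": {"location": cache_dir}}}
    return {"cache": ObjectCache(location=cache_dir)}


def demo():
    """Constructed demonstration: a /tmp-style 1777 directory fails the check,
    a private one passes, a symlink to it and a missing path are rejected."""
    shared = tempfile.mkdtemp(prefix="shared-")
    os.chmod(shared, 0o1777)            # same mode bits as /tmp
    private = make_private_cache_dir()
    link = os.path.join(private, "link")
    os.symlink(private, link)
    return {
        "shared": cache_dir_is_private(shared),
        "private": cache_dir_is_private(private),
        "symlink": cache_dir_is_private(link),
        "missing": cache_dir_is_private(os.path.join(private, "missing")),
        "disabled": suds_cache_kwargs(None),
        "enabled_private": "cache" in suds_cache_kwargs(private),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```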
<br />
=== Contacts / References ===<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0038<br />
* Original Launchpad Bug : https://bugs.launchpad.net/ossn/+bug/1341954<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg<br />
* Suds: https://pypi.python.org/pypi/suds<br />
* CVE: CVE-2013-2217</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=70662Security Notes2014-12-17T16:17:48Z<p>Nkinder: /* Published Security Notes */</p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ('''work in progress''')<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ('''work in progress''')<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker ('''work in progress''')<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security_Notes&diff=70661Security Notes2014-12-17T16:16:54Z<p>Nkinder: </p>
<hr />
<div>The OpenStack Security Group (OSSG) publishes Security Notes to advise users of security related issues. Security notes are similar to advisories; they address vulnerabilities in 3rd party tools typically used within OpenStack deployments and provide guidance on common configuration mistakes that can result in an insecure operating environment.<br />
<br />
For advice on how to write OpenStack Security Notes see the [[Security/Security_Note_Process|Security Note Process]] documentation.<br />
<br />
=== Published Security Notes ===<br />
* [[OSSN/OSSN-0042|OSSN-0042]] - Keystone token scoping provides no security benefit (17 Dec 2014)<br />
* [[OSSN/OSSN-0041|OSSN-0041]] - Linux ISCSI Admin Utility (tgtadm) does not work with Cinder ("work in progress")<br />
* [[OSSN/OSSN-0040|OSSN-0040]] - Neutron LBaaS VIP port does not enforce security groups when used with Open VSwitch ("work in progress")<br />
* [[OSSN/OSSN-0039|OSSN-0039]] - Configuring OpenStack deployments to prevent POODLE attacks (21 Oct 2014)<br />
* [[OSSN/OSSN-0038|OSSN-0038]] - Suds client subject to cache poisoning by local attacker ('''work in progress''')<br />
* [[OSSN/OSSN-0037|OSSN-0037]] - Configure Horizon to mitigate BREACH/CRIME attacks (19 Sep 2013)<br />
* [[OSSN/OSSN-0036|OSSN-0036]] - Horizon does not set Secure Attribute in cookies (19 Sep 2013)<br />
* [[OSSN/OSSN-0035|OSSN-0035]] - HTTP Strict Transport Security not enabled on Horizon Dashboard (19 Sep 2013)<br />
* [[OSSN/OSSN-0034|OSSN-0034]] - Restarting memcached loses revoked token list (19 Sep 2013)<br />
* [[OSSN/OSSN-0033|OSSN-0033]] - Some SSL-Enabled connections fail to perform basic certificate checks (19 Sep 2013)<br />
* [[OSSN/OSSN-0032|OSSN-0032]] - Disabling a tenant does not disable a user token (30 Aug 2013)<br />
* [[OSSN/OSSN-0031|OSSN-0031]] - Nova Baremetal exposes previous tenant data (2 Jul 2013)<br />
* [[OSSN/OSSN-0030|OSSN-0030]] - Bash 'shellshock' bug can lead to code injection vulnerability (26 Sep 2014)<br />
* [[OSSN/OSSN-0029|OSSN-0029]] - Neutron firewall rules lack port restrictions when using protocol 'any' (24 Sep 2014)<br />
* [[OSSN/OSSN-0028|OSSN-0028]] - Nova leaks compute host SMBIOS serial number to guests (3 Oct 2014)<br />
* [[OSSN/OSSN-0027|OSSN-0027]] - Neutron ARP cache poisoning vulnerability (16 Sep 2014)<br />
* [[OSSN/OSSN-0026|OSSN-0026]] - Unrestricted write permission to config files can allow code execution (5 Sep 2014)<br />
* [[OSSN/OSSN-0025|OSSN-0025]] - Swift can allow images to be accessed by anyone on the same network when using delay_auth_decision (21 Oct 2014)<br />
* [[OSSN/OSSN-0024|OSSN-0024]] - Sensitive data exposure by logging in python-keystoneclient (25 Sep 2014)<br />
* [[OSSN/OSSN-0023|OSSN-0023]] - Keystone logs auth tokens in URLs at the INFO log level (4 Sep 2014)<br />
* [[OSSN/OSSN-0022|OSSN-0022]] - Nova Networking does not enforce security group rules following a soft reboot of an instance (11 Aug 2014)<br />
* [[OSSN/OSSN-0021|OSSN-0021]] - Users of compromised accounts should verify Keystone trusts (25 July 2014)<br />
* [[OSSN/OSSN-0020|OSSN-0020]] - Disassociating floating IP from a VM does not terminate NAT connections (15 Sep 2014)<br />
* [[OSSN/OSSN-0019|OSSN-0019]] - Cinder SSH Pool will auto-accept SSH host signatures by default (30 Jun 2014)<br />
* [[OSSN/OSSN-0018|OSSN-0018]] - Nova Network configuration allows guest VMs to connect to host services (25 Jun 2014)<br />
* [[OSSN/OSSN-0017|OSSN-0017]] - Session-fixation vulnerability in Horizon when using the default signed cookie sessions (20 Jun 2014)<br />
* [[OSSN/OSSN-0016|OSSN-0016]] - Cinder wipe fails in an insecure manner on Grizzly (3 Jun 2014)<br />
* [[OSSN/OSSN-0015|OSSN-0015]] - Glance allows non-admin users to create public images (31 May 2014)<br />
* [[OSSN/OSSN-0014|OSSN-0014]] - Cinder drivers set insecure file permissions (31 May 2014)<br />
* [[OSSN/OSSN-0013|OSSN-0013]] - Some versions of Glance do not apply property protections as expected (7 May 2014)<br />
* [[OSSN/OSSN-0012|OSSN-0012]] - OpenSSL Heartbleed vulnerability can lead to OpenStack compromise (10 Apr 2014)<br />
* [[OSSN/OSSN-0011|OSSN-0011]] - Heat templates with invalid references allows unintended network access (4 Apr 2014)<br />
* [[OSSN/OSSN-0010|OSSN-0010]] - Sample Keystone v3 policy exposes privilege escalation vulnerability (17 Apr 2014)<br />
* [[OSSN/OSSN-0009|OSSN-0009]] - Potential token revocation abuse via group membership (2 Apr 2014)<br />
* [[OSSN/OSSN-0008|OSSN-0008]] - DoS style attack on noVNC server can lead to service interruption or disruption (9 Mar 2014)<br />
* [[OSSN/OSSN-0007|OSSN-0007]] - Live migration instructions recommend unsecured libvirt remote access (6 Mar 2014)<br />
* [[OSSN/1254619|OSSN-0006]] - Keystone can allow user impersonation when using REMOTE_USER for external authentication (17 Jan 2014)<br />
* [[OSSN/1226078|OSSN-0005]] - Glance allows sharing of images between projects without consumer project approval (11 Dec 2013)<br />
* [[OSSN/1237989|OSSN-0004]] - Authenticated users are able to update passwords without providing their current password (22 Nov 2013)<br />
* [[OSSN/1168252|OSSN-0003]] - Keystone configuration should not be world readable (13 May 2013)<br />
* [[OSSN/1155566|OSSN-0002]] - HTTP POST limiting advised to avoid Essex/Folsom Keystone DoS (23 Apr 2013)<br />
* [[OSSN/1098582|OSSN-0001]] - Selecting LXC as Nova Virtualization Driver can lead to data compromise (15 Mar 2013)</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=OSSN/OSSN-0042&diff=70514OSSN/OSSN-00422014-12-17T01:42:47Z<p>Nkinder: Created page with "__NOTOC__ == Keystone token scoping provides no security benefit == === Summary === Keystone provides "scoped" tokens that are constrained to use by a single project. A user..."</p>
<hr />
<div>__NOTOC__<br />
== Keystone token scoping provides no security benefit ==<br />
<br />
=== Summary ===<br />
Keystone provides "scoped" tokens that are constrained to use by a<br />
single project. A user may expect that their scoped token can only be<br />
used to perform operations for the project it is scoped to, which is not<br />
the case. A service or other party who obtains the scoped token can use<br />
it to obtain a token for a different authorized scope, which may be<br />
considered a privilege escalation.<br />
<br />
=== Affected Services / Software ===<br />
Keystone, Diablo, Essex, Folsom, Grizzly, Havana, Icehouse, Juno, Kilo<br />
<br />
=== Discussion ===<br />
This is not a bug in keystone, it's a design feature that some users may<br />
expect to bring security enhancement when it does not. The OSSG is<br />
issuing this security note to highlight the issue.<br />
<br />
Many operations in OpenStack will take a token from the user and pass it<br />
to another service to perform some portion of the intended operation.<br />
This token is very powerful and can be used to perform many actions for<br />
the user. Scoped tokens appear to limit their use to the project and<br />
roles they were granted for but can also be used to request tokens with<br />
other scopes. It's important to note that this only works with currently<br />
valid tokens. Once a token expires it cannot be used to gain a new<br />
token.<br />
<br />
Token scoping helps avoid accidental leakage of tokens because using<br />
tokens with other services requires the extra step of requesting a new<br />
re-scoped token from keystone. Scoping can help with audit trails and<br />
promote good code practices. There's currently no way to create a<br />
tightly scoped token that cannot be used to request a re-scoped token. A<br />
scoped token cannot be relied upon to restrict actions to only that<br />
scope.<br />
<br />
=== Recommended Action ===<br />
Users and deployers of OpenStack must not rely on the scope of tokens<br />
to limit what actions can be performed using them.<br />
<br />
Concerned users are encouraged to read (OSSG member) Nathan Kinder's<br />
blog post on this issue and some of the potential future solutions.<br />
<br />
=== Contacts / References ===<br />
* Nathan Kinder on Token Scoping : https://blog-nkinder.rhcloud.com/?p=101<br />
* This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0042<br />
* Original LaunchPad Bug : https://bugs.launchpad.net/ossn/+bug/1341816<br />
* OpenStack Security ML : openstack-security@lists.openstack.org<br />
* OpenStack Security Group : https://launchpad.net/~openstack-ossg</div>Nkinderhttps://wiki.openstack.org/w/index.php?title=Security/Kilo/Keystone&diff=66690Security/Kilo/Keystone2014-10-23T17:38:22Z<p>Nkinder: Created page with "This page documents security related details for the Keystone project in the OpenStack Kilo release. === Implemented Crypto === Keystone doesn't have an home-brewed encryption..."</p>
<hr />
<div>This page documents security related details for the Keystone project in the OpenStack Kilo release.<br />
=== Implemented Crypto ===<br />
Keystone has no home-brewed encryption implementations; everything comes from the Python standard library or third-party libraries.<br />
<br />
=== Used Crypto ===<br />
==== Libraries ====<br />
* oauthlib (uses hashlib)<br />
* OpenSSL<br />
* PassLib<br />
* PyCrypto<br />
* Python hashlib<br />
* python-ldap (ultimately uses GnuTLS, NSS, or OpenSSL depending on the platform)<br />
* Requests (for keystoneclient HTTPS usage - '''need to investigate underlying crypto usage''')<br />
** uses stdlib - https://github.com/kennethreitz/requests/blob/master/requests/packages/urllib3/connection.py<br />
<br />
==== Encryption Algorithms ====<br />
{| class="wikitable sortable"<br />
|-<br />
! Algorithm !! Purpose !! Configurable !! Implementation !! Details !! Source<br />
|-<br />
| AES || Memcache backend encryption|| No || PyCrypto ||<br />
* Optionally used for encrypting the token backend.<br />
||<br />
* keystoneclient.middleware.memcache_crypt.py<br />
|-<br />
| RSA || PKI token signing || Yes || OpenSSL ||<br />
* 2048, sha1 defaults<br />
* Configurable via openssl.conf.<br />
* Keys/Certs can be created outside of Keystone and dropped into place.<br />
||<br />
* keystone.common.openssl.py<br />
* keystoneclient.common.cms.py<br />
|}<br />
<br />
==== Hashing Algorithms ====<br />
{| class="wikitable sortable"<br />
|-<br />
! Algorithm !! Purpose !! Configurable !! Implementation !! Details !! Source<br />
|-<br />
| md5 || Token hashing || No || hashlib ||<br />
* Hash is used as an internal identifier in the token backend.<br />
* The data being hashed is the entire cryptographically signed token (which uses the configured signing key). The chance for collisions should be low.<br />
||<br />
* keystoneclient.utils.py<br />
* keystoneclient.common.cms.py<br />
|-<br />
| sha1 || S3 credentials || No || hashlib ||<br />
* Used for signature validation of S3 credentials.<br />
* Required for S3 compatibility, so it can't be configurable.<br />
||<br />
* keystone.contrib.s3.core.py<br />
|-<br />
| sha1 || OAuth1 || No || oauthlib ||<br />
* Used for signature validation of OAuth1 tokens.<br />
* Keystone only uses the HMAC-SHA1 signature for OAuth1 tokens (as described in [http://tools.ietf.org/html/rfc5849 RFC 5849]).<br />
* OAuth support can be disabled.<br />
* Likely uses hashlib for the actual algorithm.<br />
||<br />
* keystone.contrib.oauth1.core.py<br />
* keystone.contrib.oauth1.verifier.py<br />
|-<br />
| sha256 || EC2 tokens || No || hashlib ||<br />
* Required for EC2 compatibility, so it can't be configurable.<br />
||<br />
* keystone.credential.controllers.py<br />
* keystone.common.utils.py<br />
* keystoneclient.contrib.ec2.utils.py<br />
|-<br />
| sha384 || Memcache signing || No || hashlib ||<br />
* Used for signing and verification when memcache encryption is enabled.<br />
||<br />
* keystoneclient.middleware.memcache_crypt.py<br />
|-<br />
| sha512 || Password hashing || No || PassLib ||<br />
* The algorithm is non-configurable, but the number of rounds is configurable via CONF.crypt_strength (default=40000).<br />
||<br />
* keystone.common.utils.py<br />
|}<br />
<br />
=== Sensitive Data ===<br />
==== Keys/Certificates ====<br />
* PKI signing key - Protected via filesystem ownership/permissions.<br />
* SSL/TLS key - Protected via filesystem ownership/permissions.<br />
==== Passwords ====<br />
* SSL/TLS must be enabled in Keystone to prevent clients from sending passwords over the network in clear-text.<br />
* A password length check is performed prior to hashing. If strict password checking is set to true, a password longer than the maximum length causes the operation to fail with an HTTP 403 Forbidden error; if it is set to false, such passwords are silently truncated to the configured maximum length before hashing.<br />
** Configurable via CONF.strict_password_check (default=False)<br />
** Configurable via CONF.identity.max_password_length (default=4096)<br />
* SQL Identity<br />
** Password hashes are stored in SQL database.<br />
** SSL/TLS can be used to protect the connection to the database.<br />
* LDAP Identity<br />
** SSL/TLS must be used for connections to LDAP to prevent Keystone from sending passwords over the network in clear-text.<br />
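The password length policy above and its effect on hashing, as an added example that is not Keystone's own code: with strict_password_check off, two passwords that differ only beyond max_password_length are truncated to the same string and therefore verify against the same hash. It uses PassLib's sha512_crypt with crypt_strength rounds when passlib is installed, and otherwise a labelled PBKDF2 stand-in from hashlib; the exception class and the small demonstration limit are constructed for the example.<br />

```python
"""Added example (not Keystone's code): CONF.strict_password_check and
CONF.identity.max_password_length applied before sha512 password hashing."""
import hashlib
import hmac
import os

DEFAULT_MAX_PASSWORD_LENGTH = 4096   # CONF.identity.max_password_length default
DEFAULT_CRYPT_STRENGTH = 40000       # CONF.crypt_strength default (rounds)


class PasswordTooLong(Exception):
    """Raised in strict mode; Keystone answers with HTTP 403 Forbidden."""
    http_status = 403


def apply_length_policy(password, strict_password_check=False,
                        max_password_length=DEFAULT_MAX_PASSWORD_LENGTH):
    """Return the string that will actually be hashed or compared."""
    if len(password) <= max_password_length:
        return password
    if strict_password_check:
        raise PasswordTooLong("password longer than %d characters"
                              % max_password_length)
    return password[:max_password_length]   # silent truncation


try:
    # What Keystone uses: PassLib sha512_crypt, rounds taken from crypt_strength.
    from passlib.hash import sha512_crypt

    def hash_password(password, rounds=DEFAULT_CRYPT_STRENGTH):
        return sha512_crypt.using(rounds=rounds).hash(password)

    def check_password(password, hashed):
        return sha512_crypt.verify(password, hashed)

except ImportError:
    # Stand-in when passlib is absent: salted PBKDF2-HMAC-SHA512 from hashlib.
    # Same shape (salt + iteration count) but NOT Keystone's scheme.
    def hash_password(password, rounds=DEFAULT_CRYPT_STRENGTH):
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds)
        return "$pbkdf2-standin$%d$%s$%s" % (rounds, salt.hex(), dk.hex())

    def check_password(password, hashed):
        _, _, rounds, salt_hex, dk_hex = hashed.split("$")
        dk = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
        return hmac.compare_digest(dk.hex(), dk_hex)


def hash_user_password(password, strict_password_check=False,
                       max_password_length=DEFAULT_MAX_PASSWORD_LENGTH,
                       rounds=DEFAULT_CRYPT_STRENGTH):
    """Store-side path: policy first, then hash."""
    return hash_password(apply_length_policy(password, strict_password_check,
                                             max_password_length), rounds)


def verify_user_password(password, hashed, strict_password_check=False,
                         max_password_length=DEFAULT_MAX_PASSWORD_LENGTH):
    """Login-side path: the same policy is applied before comparison, so an
    over-long password in strict mode simply fails to verify."""
    try:
        candidate = apply_length_policy(password, strict_password_check,
                                        max_password_length)
    except PasswordTooLong:
        return False
    return check_password(candidate, hashed)


if __name__ == "__main__":
    # Constructed demonstration with a small limit and round count for speed.
    limit, rounds = 16, 1000
    stored = hash_user_password("x" * 20 + "A", max_password_length=limit,
                                rounds=rounds)
    # Differs only beyond the limit, yet verifies: truncation made them collide.
    print(verify_user_password("x" * 20 + "B", stored,
                               max_password_length=limit))   # True
    try:
        hash_user_password("x" * 20, strict_password_check=True,
                           max_password_length=limit, rounds=rounds)
    except PasswordTooLong as e:
        print("strict mode rejects it with HTTP", e.http_status)   # 403
```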
<br />
==== Tokens ====<br />
*Signed tokens are stored in their entirety in one of the following backends:<br />
** KVS<br />
** Memcached<br />
*** Ephemeral storage.<br />
*** Able to use AES encryption and sha384 signing.<br />
** SQL (default)<br />
*** Persistent storage.<br />
***SSL/TLS can be used to protect the connection to the database.<br />
* Expired tokens are not automatically removed from the backend. The "keystone-manage token_flush" command should be used to periodically remove expired tokens (via cron).<br />
=== Potential Improvements ===<br />
* Allow all hashing schemes to be configurable where not restricted by compatibility requirements (such as S3 and EC2)<br />
* The use of md5 for token hashing is the biggest concern, as its use is discouraged (or disallowed in the case of FIPS). Changes are [https://review.openstack.org/#/c/80401/ in progress] to make this configurable in Juno. The default should be sha256 if possible.<br />
* Allow support for LDAP SASL bind methods (such as DIGEST-MD5 and GSSAPI).<br />
* Allow other forms of external authentication to avoid using passwords (Kerberos, SAML).<br />
=== Notable changes since Juno ===<br />
* ?</div>Nkinder