Bug 1510015 (CVE-2017-15114)

Summary: CVE-2017-15114 rhosp-director: Passwordless access for non-libvirt related services when using shared certificate authority
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: apevec, athomas, berrange, chrisw, dbecker, emilien, gmollett, jjoyce, josorior, jpadman, jschluet, kbasil, lhh, lpeer, lyarwood, markmc, mburns, morazi, owalsh, rbryant, rhel-osp-director-maint, sclewis, security-response-team, sgordon, shardy, slinaber, tdecacqu
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
When libvirtd is configured by OSP director (tripleo-heat-templates) to use TLS transport, it defaults to the same certificate authority as all non-libvirtd services. As no additional authentication is configured, this allows these services to connect to libvirtd (which is equivalent to root access). If a vulnerability exists in another service it could, combined with this flaw, be exploited to escalate privileges to gain control over compute nodes.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-07 05:12:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1510216    
Bug Blocks: 1510020    

Description Adam Mariš 2017-11-06 14:43:28 UTC 
It was found that if OSP-D is configured with TLS authentication for libvirtd and is using the same certificate authority for non-libvirt related services as well, these services are able to connect to libvirtd as root without any password.
Comment 1 Adam Mariš 2017-11-06 14:43:32 UTC 
Acknowledgments:

Name: Daniel P. Berrange (Red Hat)
Comment 7 Joshua Padman 2017-11-14 10:36:04 UTC 
Removed embargo as the patches were made public upstream.
https://review.openstack.org/#/c/519015/
Comment 11 Joshua Padman 2017-12-07 05:13:14 UTC 
External References:

https://bugs.launchpad.net/tripleo/+bug/1730370