OpenStack Security Advisory: 2014-014
Date: April 22, 2014
Title: Neutron security groups bypass through invalid CIDR
Reporters: Stephen Ma (HP) and Christoph Thiel (Deutsche Telekom)
Versions: 2013.1 to 2013.2.3, and 2014.1
Stephen Ma from Hewlett Packard and Christoph Thiel from Deutsche
Telekom reported a vulnerability in Neutron security groups. By creating
a security group rule with an invalid CIDR, an authenticated user may
break the openvswitch-agent process, preventing further rules from being
applied on the host. Note: removing the faulty rule is not enough; the
openvswitch-agent must be restarted. All Neutron setups using Open
vSwitch are affected.
Juno (development branch) fix:
This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.
Created openstack-neutron tracking bugs for this issue:
Affects: fedora-20 [bug 1090136]
This is a DoS security issue: you can break iptables-restore with it and effectively make security rules created later not work.
Steps to reproduce:
- neutron security-group-rule-create default --direction egress --protocol tcp --port-range-min 80 --port-range-max 80 --remote-ip-prefix /32
- observe that OVS agent crashes as in https://bugs.launchpad.net/neutron/+bug/1300785
- observe that any new security rules added are not applied to firewall tables.
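The root cause described above is that a remote_ip_prefix with no network address ("/32") was accepted by the API and then rendered into input that iptables-restore could not parse. The following is an added example, not Neutron's or Red Hat's code, of the check a defender would want in front of the firewall driver: the prefix is validated and normalised with the standard-library ipaddress module before any rule text is generated, so a malformed rule is rejected at creation time with a clear error instead of taking the agent down. The function names, the rule dictionary layout and the rendered rule format are assumptions for illustration only.

```python
import ipaddress

# Constructed example (not Neutron code): validate a security group rule's
# remote_ip_prefix before it can reach iptables-restore.

ETHERTYPE_VERSION = {"IPv4": 4, "IPv6": 6}


def validate_remote_ip_prefix(prefix, ethertype="IPv4"):
    """Return a normalised CIDR string for remote_ip_prefix or raise ValueError.

    Rejects the empty-address form ("/32") from the reproduction steps, a
    non-string or empty value, an unparsable CIDR, and a prefix whose address
    family does not match the rule's ethertype.
    """
    if ethertype not in ETHERTYPE_VERSION:
        raise ValueError("unknown ethertype %r" % (ethertype,))
    if not isinstance(prefix, str) or not prefix.strip():
        raise ValueError("remote_ip_prefix must be a non-empty string")
    prefix = prefix.strip()
    addr_part = prefix.partition("/")[0]
    if not addr_part:
        # "/32" or "/": a prefix length with no address at all.
        raise ValueError("remote_ip_prefix %r has no network address" % (prefix,))
    try:
        # strict=False: host bits set in the address (10.0.0.1/24) are masked
        # off rather than rejected; a bare address becomes a /32 (or /128).
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError as exc:
        raise ValueError("remote_ip_prefix %r is not a valid CIDR: %s" % (prefix, exc))
    if net.version != ETHERTYPE_VERSION[ethertype]:
        raise ValueError("remote_ip_prefix %r does not match ethertype %s"
                         % (prefix, ethertype))
    return str(net)


def is_valid_remote_ip_prefix(prefix, ethertype="IPv4"):
    """Boolean wrapper around validate_remote_ip_prefix for callers that
    only need accept/reject."""
    try:
        validate_remote_ip_prefix(prefix, ethertype)
        return True
    except ValueError:
        return False


def build_iptables_rule(rule):
    """Render one egress rule as an iptables match string (illustrative
    layout, assumed for this example). The prefix is validated first, so
    nothing malformed is ever handed to iptables-restore."""
    cidr = validate_remote_ip_prefix(rule["remote_ip_prefix"],
                                     rule.get("ethertype", "IPv4"))
    args = ["-p", rule["protocol"], "-d", cidr]
    if rule["protocol"] in ("tcp", "udp"):
        lo, hi = rule["port_range_min"], rule["port_range_max"]
        if not (1 <= lo <= hi <= 65535):
            raise ValueError("invalid port range %r-%r" % (lo, hi))
        args += ["--dport", str(lo) if lo == hi else "%d:%d" % (lo, hi)]
    args += ["-j", "RETURN"]
    return " ".join(args)


if __name__ == "__main__":
    # The rule from the reproduction steps, with the invalid "/32" prefix.
    bad_rule = {"protocol": "tcp", "port_range_min": 80, "port_range_max": 80,
                "remote_ip_prefix": "/32"}
    try:
        build_iptables_rule(bad_rule)
    except ValueError as err:
        print("rejected at validation time:", err)
    good_rule = dict(bad_rule, remote_ip_prefix="10.0.0.0/24")
    print("accepted:", build_iptables_rule(good_rule))
```

The validation happens at the API layer, where an error can be returned to the caller; the same check at the agent would still stop the crash but would silently leave the rule unenforced. Rejecting rather than normalising the address-less prefix is deliberate, since there is no sensible address to fill in.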
openstack-neutron-2013.2.3-7.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in following products:
OpenStack 4 for RHEL 6
Via RHSA-2014:0899 https://rhn.redhat.com/errata/RHSA-2014-0899.html