Bug 1428240 (CVE-2017-2637) - CVE-2017-2637 rhosp-director:libvirtd is deployed with no authentication
Summary: CVE-2017-2637 rhosp-director:libvirtd is deployed with no authentication
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-2637
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1428241 1428590 1428591 1428592 1428593
Blocks: 1425413
TreeView+ depends on / blocked
 
Reported: 2017-03-02 06:18 UTC by Summer Long
Modified: 2019-09-29 14:07 UTC (History)
36 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A design flaw issue was found in the Red Hat OpenStack Platform director use of TripleO to enable libvirtd based live-migration. Libvirtd is deployed by default (by director) listening on 0.0.0.0 (all interfaces) with no-authentication or encryption. Anyone able to make a TCP connection to any compute host IP address, including 127.0.0.1, other loopback interface addresses, or in some cases possibly addresses that have been exposed beyond the management interface, could use this to open a virsh session to the libvirtd instance and gain control of virtual machine instances or possibly take over the host.
Clone Of:
Environment:
Last Closed: 2017-06-21 00:07:30 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 3022771 None None None 2017-05-17 20:42:19 UTC
Red Hat Product Errata RHSA-2017:1242 normal SHIPPED_LIVE Important: Red Hat OpenStack Platform director security update 2017-05-17 16:19:05 UTC
Red Hat Product Errata RHSA-2017:1504 normal SHIPPED_LIVE Important: Red Hat OpenStack Platform director security update 2017-06-19 18:45:36 UTC
Red Hat Product Errata RHSA-2017:1537 normal SHIPPED_LIVE Important: Red Hat OpenStack Platform director security update 2017-06-20 16:23:41 UTC
Red Hat Product Errata RHSA-2017:1546 normal SHIPPED_LIVE Important: Red Hat OpenStack Platform director security update 2017-06-20 16:44:42 UTC

Description Summer Long 2017-03-02 06:18:56 UTC
OSP director was found to deploy libvirtd listening on 0.0.0.0 with no-authentication and in some cases no network ACL's. Anyone able to make a tcp connection to any compute host IP address, including 127.0.0.1, other loopback interface addresses or in some cases even those exposed beyond the management interface, could use this to open a virsh session to the libvirtd instance and gain control of virtual machine instances or possibly take over the host.

External References:

https://access.redhat.com/solutions/3022771
https://wiki.openstack.org/wiki/OSSN/OSSN-0007

Comment 3 Daniel Berrangé 2017-03-07 12:11:46 UTC
(In reply to Summer Long from comment #0)
> OSP director was found to deploy libvirtd listening on 0.0.0.0 with
> no-authentication and in some cases no network ACL's. Anyone able to make a
> tcp connection to any compute host IP address, including those exposed
> beyond the management interface, could use this to open a virsh session to
> the libvirtd instance and gain control of virtual machine instances or
> possibly take over the host.

It is not merely remote attackers that are a problem. Local unprivileged processes can connect to 127.0.0.1, avoiding any firewalls, and use this to elevate their privileges to root. ie local privilege escalation even if a firewall is present.

Comment 4 Garth Mollett 2017-03-07 22:57:02 UTC
(In reply to Daniel Berrange from comment #3)
> (In reply to Summer Long from comment #0)
> > OSP director was found to deploy libvirtd listening on 0.0.0.0 with
> > no-authentication and in some cases no network ACL's. Anyone able to make a
> > tcp connection to any compute host IP address, including those exposed
> > beyond the management interface, could use this to open a virsh session to
> > the libvirtd instance and gain control of virtual machine instances or
> > possibly take over the host.
> 
> It is not merely remote attackers that are a problem. Local unprivileged
> processes can connect to 127.0.0.1, avoiding any firewalls, and use this to
> elevate their privileges to root. ie local privilege escalation even if a
> firewall is present.

Thanks Dan. I modified the text to add "(including 127.0.0.1 or other loopback interface addresses)". I think that should make the local escalation path clear.

Comment 5 Ollie Walsh 2017-03-09 15:29:51 UTC
Dan raise this issue for the upstream docs long ago https://bugs.launchpad.net/openstack-manuals/+bug/1287194

Which resulted in https://wiki.openstack.org/wiki/OSSN/OSSN-0007

Comment 13 Summer Long 2017-03-29 23:00:18 UTC
Acknowledgments:

Name: David Gurtner (Red Hat)

Comment 30 errata-xmlrpc 2017-05-17 12:23:24 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2017:1242 https://access.redhat.com/errata/RHSA-2017:1242

Comment 31 Garth Mollett 2017-05-17 20:35:31 UTC
Mitigation:

A KCS article with more details on this flaw is available at: https://access.redhat.com/solutions/3022771

Comment 32 errata-xmlrpc 2017-06-19 14:46:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 9.0 (Mitaka) director

Via RHSA-2017:1504 https://access.redhat.com/errata/RHSA-2017:1504

Comment 33 errata-xmlrpc 2017-06-20 12:25:53 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform director 7.0 for RHEL 7

Via RHSA-2017:1537 https://access.redhat.com/errata/RHSA-2017:1537

Comment 34 errata-xmlrpc 2017-06-20 12:46:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 8.0 (Liberty) director

Via RHSA-2017:1546 https://access.redhat.com/errata/RHSA-2017:1546

Comment 35 Stephen Gordon 2017-06-20 19:18:15 UTC
(In reply to Garth Mollett from comment #31)
> Mitigation:
> 
> A KCS article with more details on this flaw is available at:
> https://access.redhat.com/solutions/3022771

I've updated the article to reflect that the relevant erratum have been released for Red Hat OpenStack Platform 7, 8, 9.


Note You need to log in before you can comment on or make changes to this bug.