neutron

Security Groups do not prevent MAC spoofing with non-IP traffic

Bug #1558674 reported by Dustin Lundquist on 2016-03-17

This bug report is a duplicate of: Bug #1558658: [OSSA-2016-009] Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP requests (CVE-2016-5362 and CVE-2016-5363). Edit Remove

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	neutron	New	Undecided	Unassigned

Bug Description

The IptablesFirewallDriver does not prevent spoofing other instances or a routers MAC addresses. Iptables and ip6tables are used to verify the source MAC of IP traffic, but anti-spoofing measures are not implemented for non-IP traffic. Presently ebtables is used to prevent ARP spoofing, but not used to enforce the source address of all Ethernet frames.

If L2population is not used, an instance can spoof the Neutron router's MAC address and cause the switches to learn a MAC move, allowing the instance to intercept other instances traffic potentially belonging to other tenants if this is shared network.

A solution for this is to use ebtables restrict the source MAC address from frames accepted from the instance to MAC addresses assigned to the Neutron port. Using a rule such as this:

-i tap29f34cfc-a7 --among-src ! fa:16:3e:e0:b1:ba, -j DROP

Should be sufficient, and allow removing MAC address verification within iptables and ip6tables rules managed by Neutron.

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2016-03-27:

Marking as duplicate because the other bug is a result of the same non-enforcement of MACs.

Tristan Cacqueray (tristan-cacqueray) on 2016-04-05

information type:

Private Security → Public

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1558658 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.