[OSSA 2014-025] There is no quota for allowed address pair (CVE-2014-3555)

This sounds similar to nova bug 1184041 (OSSA 2013-020, CVE-2013-4185). In which OpenStack release(s) did you observe this behavior?

The OSSA tasks is set to incomplete pending for additional security detail.

Hi Jeremy Stanley ,

I think this is not the same problem with bug 1184041.

This problem happens only if neutron with allowed address pair extension.
So it can happen in Havana / Icehouse / Juno trunk.

The reproduce steps :
1. boot a vm.
2. update the vm port with the attachment script.

Then you can see about 10,000 iptables rules on compute node. and the update of iptable rule will be very slow. And I think the performance of iptables update rule will be very bad if there are too many rules.

And the root cause is that we do not have quota for allowed address pair. And a user can update unlimited allowed address pair for one port.

Regards,
Liping Mao

Hi,

I write a patch to add quota for allowed address pair, this can avoid the user to set up unlimited rules.
Thanks.

Regards,
Liping Mao

Right, I didn't mean to imply that this is the same bug as described in 1184041, merely that the vulnerability is similar enough for us to reuse some of the same impact analysis wording when publishing a security advisory.

@Tristan Cacqueray @Jeremy

Is there any other detail info need? If need , please let me know. Thanks.

Regards,
Liping Mao

At this point we're waiting on Neutron security reviewers confirm the bug and assess your proposed fix, let us know any mitigating factors, which releases are impacted, et cetera.

There is clearly a possibility of causing a denial of services using this kind of 'attack'.
In theory on would make allowed address pairs a resource with a quota, but that's not easy as they're an attribute rather than a resource.

So I would rather take the approach in the suggested patch of putting a configurable hard limit on the number of address pairs allowed on a port.
It should also possible to have both a maximum number of pairs per port and a global per-tenant maximum number of additional address pairs.

Hi Salvatore,

Thanks for your confirm and comments.

One question about the "global per-tenant maximum number of additional address pairs".

In my opinion, if we have the maximum number of the pairs per port , and we also already have the quota for ports. Then the max number of the tenant is Pair_Max_Per_Port * Port_Num. Seems like we do not need the maximum number for the tenant.

What I do in the patch is similar to "extra route" extension.
https://github.com/openstack/neutron/blob/master/neutron/db/extraroute_db.py#L100-103

It also did not limit the maximum number of route per tenant.

What do you think about this? Thanks .

Regards,
Liping Mao

Here is impact description draft #1:

Title: Denial of Service in Neutron allowed address pair
Reporter: Liping Mao (Cisco)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.1

Description:
Liping Mao from Cisco reported a denial of service vulnerability in Neutron's handling of address pair. By creating a large number of allowed address pair, an authenticated user may overwhelm neutron firewall rules and render compute nodes unusable. All Neutron setups are affected.

hi Tristan，

＂handling of address pair.＂
I think ＂handling of allowed address pair.＂ may be better.

Regards，
Liping Mao

Maybe "By creating a large number of allowed address pair*s*"

Thanks! Here is impact description draft #2:

Title: Denial of Service in Neutron allowed address pair
Reporter: Liping Mao (Cisco)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1 versions up to 2014.1.1

Description:
Liping Mao from Cisco reported a denial of service vulnerability in Neutron's handling of allowed address pair. By creating a large number of allowed address pairs, an authenticated user may overwhelm neutron firewall rules and render compute nodes unusable. All Neutron setups are affected.

+1 on version #2

Tristan's impact description draft #2 looks good to me.

@Liping Mao, Trying to apply your patch to stable/havana says:

patching file neutron/extensions/allowedaddresspairs.py
Hunk #1 succeeded at 20 (offset 4 lines).
Hunk #2 succeeded at 49 with fuzz 1 (offset 8 lines).
patching file neutron/tests/unit/test_extension_allowedaddresspairs.py
Hunk #1 succeeded at 23 with fuzz 2 (offset 1 line).
Hunk #2 FAILED at 161.
Hunk #3 succeeded at 184 (offset -4 lines).
1 out of 3 hunks FAILED -- saving rejects to file neutron/tests/unit/test_extension_allowedaddresspairs.py.rej

And stable/icehouse:
patching file neutron/extensions/allowedaddresspairs.py
Hunk #2 succeeded at 45 with fuzz 1 (offset 4 lines).
patching file neutron/tests/unit/test_extension_allowedaddresspairs.py
Hunk #1 succeeded at 22 with fuzz 2.
Hunk #2 FAILED at 161.
Hunk #3 succeeded at 176 (offset -12 lines).
1 out of 3 hunks FAILED -- saving rejects to file neutron/tests/unit/test_extension_allowedaddresspairs.py.rej

Could you please backport your patch to make it applies cleanly to those two stable branch ?

@VMT, Considering the fix seems to apply, should I request for CVE with the imapct description draft #2 now ?

Patch for stable havana

Patch for stable icehouse

Thanks Liping Mao! ./run_tests.sh succeeded on both backports!

Though, there are those flake8 errors:

./neutron/tests/unit/test_extension_allowedaddresspairs.py:176:5: E303 too many blank lines (2)
    def test_more_than_max_allowed_address_pair(self):
    ^
./neutron/tests/unit/test_extension_allowedaddresspairs.py:215:5: E303 too many blank lines (2)
    def test_update_add_address_pairs(self):
    ^
./neutron/extensions/allowedaddresspairs.py:33:1: E302 expected 2 blank lines, found 1
class AllowedAddressPairsMissingIP(nexception.InvalidInput):
^

@neutron-coresec: Can you please review those three patches ?

Update patch for havana

Update patch for icehouse

Thanks, this patch looks good to me. +2

@Tristan

Thanks for your remind, I update the havana and icehouse patch, it should be OK now.

@Aaron

Thanks for your review.

The disclosure date have been set to
2014-07-17, 1500UTC

@Liping Mao Would you be available at that time to submit patchs to gerrit ? Else, can you please reformat your patch and add a commit message using "git am" in order for us to push them while keeping authorship.

patch for trunk with commit log

patch for havana with commit log

patch for icehouse with commit log

@Tristan Cacqueray

Thanks for your comments. And I use "git format-patch" to re-create the patch file, and this time it has commit log. Please feel free to tell me, if there is anything need to be modified.

BTW,
Do you mean that I need to commit these three patchs on 2014-07-17, 1500UTC ?
Sure , I am available to do that at that time. Although this is mid-night in my local time : -)

Regards，
Liping Mao

@limao Oh well, don't worry, I can git-review those patch for you if you want, or maybe someone else from @neutron-coresec might be around to help in case of problems ?

@Tristan Cacqueray

I think I can do it by myself :) Thanks for your help.

@Liping Mao, bug is now public, if you can please push patches now that would be just perfect!

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/107731

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/107733

Fix proposed to branch: master
Review: https://review.openstack.org/107734

@ Tristan Cacqueray

Done, and waiting for the jenkins now...

Reviewed: https://review.openstack.org/107734
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=dc6b07d4a37ef0db9906187611fec8e8753803cd
Submitter: Jenkins
Branch: master

commit dc6b07d4a37ef0db9906187611fec8e8753803cd
Author: Liping Mao <email address hidden>
Date: Tue Jul 15 14:22:46 2014 +0800

    no quota for allowed address pair

    There is no quota for allowed address pair. User can create unlimited
    allowed address pairs. I add quota for allowed address pairs.

    Change-Id: I2efb0c0f527f1fb22c4d4b07f6d280863f565648
    Closes-Bug: #1336207

Reviewed: https://review.openstack.org/107731
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=526412ee6123534bdf41039a8c4d5fada87dcf3a
Submitter: Jenkins
Branch: stable/havana

commit 526412ee6123534bdf41039a8c4d5fada87dcf3a
Author: Liping Mao <email address hidden>
Date: Tue Jul 15 14:20:15 2014 +0800

    no quota for allowed address pair

    There is no quota for allowed address pair. User can create unlimited
    allowed address pairs. I add quota for allowed address pairs.

    Change-Id: Ie672373f770a4f9fe70d87a779cabc731413711a
    Closes-Bug: #1336207
    (cherry picked from commit I2efb0c0f527f1fb22c4d4b07f6d280863f565648)

Reviewed: https://review.openstack.org/107733
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2c4828e28a5ff6e537be9db4da0e98eca33135d5
Submitter: Jenkins
Branch: stable/icehouse

commit 2c4828e28a5ff6e537be9db4da0e98eca33135d5
Author: Liping Mao <email address hidden>
Date: Tue Jul 15 14:22:05 2014 +0800

    no quota for allowed address pair

    There is no quota for allowed address pair. User can create unlimited
    allowed address pairs. I add quota for allowed address pairs.

    Change-Id: I7fec291a4838fba96b6d400ad56dbcdba9584d0f
    Closes-Bug: #1336207
    (cherry picked from commit I2efb0c0f527f1fb22c4d4b07f6d280863f565648)