
SVG:Advisory-SVG-2016-10636

From EGIWiki




Title:       EGI SVG Advisory [TLP:WHITE] Moderate risk - OpenStack sites VM Management permissions - check [EGI-SVG-2016-10636]  

Date:        2016-04-13 
Updated:     2016-04-28 - Set to [TLP:WHITE] and placed on the wiki.


Affected Software and Risk
==========================

Some OpenStack sites have been found to have incorrect Management permissions.


Actions Required/Recommended
============================

Sites in the EGI Federated cloud should check they are correctly configured, see [R 1].

Risk category
=============

This issue has been assessed as 'Moderate' by the EGI SVG Risk Assessment Team.

More information
================

Some cloud sites running OpenStack have been found to use the default configuration where every group 
member can manage the VMs of the group. The EGI installation manual for OpenStack includes a policy to 
avoid this behaviour [R 1], although it seems not to be applied everywhere. 

This default configuration allows deleting other people's VMs (which is what some users have 
actually suffered) or changing their public IPs. 

This issue is exploitable by all other members of the VO of which the VM Operator is a member. 

There was a concern that using the OpenStack APIs with this kind of permission might allow a user to 
"rescue" someone else's VM [R 2] and thereby access the original VM disks, and hence any credentials 
or other private data stored there.  However, such abuse would be prevented by the OpenStack security framework.

An incorrect configuration would thus allow denial of service and loss of (transient) data.

We ask sites to check their configuration and modify if necessary. 
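The permission problem above comes down to how Nova's policy rules are written: the stock "owner" rule matches on project_id, so every member of the project passes it. The following is an added example, not code from the advisory or from the EGI manual; it is a minimal stand-in for oslo.policy that evaluates two constructed policy.json fragments (the stock admin_or_owner rule, and an assumed admin_or_creator rule keyed on user_id) against the same request from a non-admin project peer.

```python
"""Added example (not from the advisory or MAN10): a minimal stand-in for
oslo.policy showing why Nova's stock 'admin_or_owner' rule lets every
project member manage every VM. Policy fragments are constructed in
policy.json format; the 'admin_or_creator' rule is an assumed illustration."""

# Stock behaviour: 'owner' means the whole project, so any member may act.
DEFAULT_POLICY = {
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "compute:delete": "rule:admin_or_owner",
    "compute:stop": "rule:admin_or_owner",
    "compute:start": "rule:admin_or_owner",
}
# Assumed hardened variant: only the creating user (or an admin) may act.
HARDENED_POLICY = {
    **DEFAULT_POLICY,
    "admin_or_creator": "is_admin:True or user_id:%(user_id)s",
    "compute:delete": "rule:admin_or_creator",
    "compute:stop": "rule:admin_or_creator",
    "compute:start": "rule:admin_or_creator",
}
ACTIONS = ("compute:delete", "compute:stop", "compute:start")

# Constructed scenario: alice's VM; bob is a non-admin peer in the same VO project.
VM = {"project_id": "vo-project", "user_id": "alice"}
PEER = {"project_id": "vo-project", "user_id": "bob", "is_admin": False}


def _check(term, policy, target, creds):
    """Evaluate one 'key:value' or 'rule:name' term against the request."""
    term = term.strip()
    if term.startswith("rule:"):
        return evaluate(term[len("rule:"):], policy, target, creds)
    key, _, value = term.partition(":")
    if "%(" in value:  # substitute attributes of the target VM, e.g. %(project_id)s
        value = value % target
    return str(creds.get(key)) == value


def evaluate(rule, policy, target, creds):
    """True if 'rule' permits creds to act on target ('and' binds tighter than 'or')."""
    return any(all(_check(t, policy, target, creds) for t in clause.split(" and "))
               for clause in policy[rule].split(" or "))


def audit(policy, actions=ACTIONS):
    """Actions a non-admin project peer may perform on another user's VM.
    A non-empty result means the site still runs the permissive default."""
    return [a for a in actions if evaluate(a, policy, VM, PEER)]
```

Loading a site's real policy.json with json.load and passing it to audit() gives an operator a quick answer to the check this advisory asks for.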


URL/TLP
=======

** WHITE information - Unlimited distribution                               **
** See https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **  

URL:   https://wiki.egi.eu/wiki/SVG:Advisory-SVG-2016-10636
   
Minor updates may be made without re-distribution to the sites

Credit
======

SVG was alerted to this vulnerability by Enol Fernandez.

References
==========

[1] https://wiki.egi.eu/wiki/MAN10#OpenStack_installation
[2] http://docs.openstack.org/cli-reference/nova.html#nova-rescue


Comments
========

Comments or questions should be sent to svg-rat  at  mailman.egi.eu

If you find or become aware of a vulnerability which is relevant to EGI you may report it by e-mail to

report-vulnerability at egi.eu

and the EGI Software Vulnerability Group will take a look.


Timeline  
========
Yyyy-mm-dd  [EGI-SVG-2016-10636] 

2016-03-01 SVG alerted to this issue by Enol Fernandez
2016-03-01 Acknowledgement from the EGI SVG to the reporter
2016-03-01 Investigation of this problem began. 
2016-03-23 At the SVG meeting it was still not clear whether the problem could be exploited for more than deleting or restarting VMs.
2016-04-13 Advisory/Alert sent to sites as 'Amber' to check configuration
2016-04-28 Advisory placed on Wiki