chef-cookbooks

[cinder] Cinder API - Unencrypted Submission of Credentials

Open claco opened this issue 10 years ago • 3 comments

This is from the internal security review recommendations.

Severity: High

Description / Exploit: The RPC Cinder API endpoint transmits sensitive or security-critical data (API keys) in cleartext in a communication channel that can be sniffed by unauthorized actors.

Impact: Anyone can read the information by gaining access to the channel being used for communication.

Systems Vulnerable: http://198.101.133.159:8776

Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).

Further References: http://cwe.mitre.org/data/definitions/319.html https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

This will likely require attribute default changes, http -> https upgrade testing, https client cert/bundle testing (see other open issues around https and client certs), and changes to novarc files, monitoring/monit checks.

Affects:

cookbooks/cinder/attributes/default.rb
38:default["cinder"]["services"]["api"]["port"] = 8776
47:default["cinder"]["services"]["internal-api"]["port"] = 8776
52:default["cinder"]["services"]["admin-api"]["port"] = 8776

cookbooks/nova/attributes/default.rb
97:default["nova"]["services"]["volume"]["port"] = 8776

claco, Mar 17 '14 17:03

The only OpenStack CI testing I'm aware of for Apache/wsgi configuration for SSL endpoints is for nova & keystone, so I would recommend going with one of the following options here:

  1. Use the native configuration to configure the SSL endpoint;
  2. Use an Apache reverse proxy instead of Apache/wsgi.

odyssey4me, Mar 26 '14 13:03

So in the case of mod_proxy, we could bind the native, non-https service (cinder) to localhost and let apache terminate ssl and proxy packets back to localhost?

Something like:

+-------------------------------------------+     
|                                           |             +---------------+
| cinder(lo:8776) <-- httpd(eth0:8776/ssl) <--------------|   API call    |
|                                           |    HTTPS    +---------------+
+-------------------------------------------+               cinder client
               Controller

Just making sure I'm on the same page before doing anything with this, as I've spent the last couple days trying to make glance run out of mod_wsgi, to which you left interesting comments. :)

brc, Mar 26 '14 17:03

Yes, that's exactly right. :+1:

It may be worth exploring the idea of ensuring that all services on the same server should talk directly to each other (without SSL termination), whereas if they need to talk between servers they should use the appropriate SSL terminated endpoints. I'm not sure that this'll be worth the effort though.

odyssey4me, Mar 26 '14 20:03
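
The layout sketched in the diagram above and confirmed in the last reply, written out as an Apache mod_proxy virtual host. This is an added example, not configuration from the cookbooks or from any commenter; the address 192.0.2.10, the server name and the certificate paths are placeholders, and it assumes cinder-api has been rebound to loopback as shown in the comments.

```apache
# Constructed example. Placeholders: 192.0.2.10 (the controller's eth0
# address), cinder.example.com, and both certificate paths.
# Modules required: mod_ssl, mod_proxy, mod_proxy_http.
#
# Assumed cinder side (cinder.conf), so the cleartext listener is only
# reachable from the controller itself:
#   [DEFAULT]
#   osapi_volume_listen = 127.0.0.1
#   osapi_volume_listen_port = 8776

# Bind to the external address explicitly. A wildcard "Listen 8776" would
# collide with cinder-api, which holds 127.0.0.1:8776.
Listen 192.0.2.10:8776 https

<VirtualHost 192.0.2.10:8776>
    ServerName cinder.example.com

    # TLS terminates here; clients never see the cleartext backend.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/cinder.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/cinder.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Act as a reverse proxy only, never as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # Hand decrypted requests to cinder-api over loopback.
    ProxyPass        / http://127.0.0.1:8776/
    ProxyPassReverse / http://127.0.0.1:8776/

    ErrorLog  /var/log/apache2/cinder-ssl-error.log
    CustomLog /var/log/apache2/cinder-ssl-access.log combined
</VirtualHost>
```

After a change like this, the endpoint URLs that clients use (service catalog entries, novarc files, monitoring checks) have to move from http to https, as the original report notes.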