Cinder SSH Pool will auto-accept SSH host signatures by default
---
### Summary ###

In OpenStack releases prior to Juno, the SSH connection pool used by Cinder drivers to control SAN hosts will silently auto-accept SSH host fingerprints. This potentially allows for a man-in-the-middle attack through the impersonation of a legitimate storage host.

### Affected Services / Software ###

Cinder, Icehouse, Havana, Grizzly, Folsom

### Discussion ###

Cinder drivers for controlling SAN hardware communicate with storage hosts over SSH. To facilitate creation of these drivers, Cinder provides a utility mechanism to manage pooled SSH connections. This connection pool uses a policy that silently accepts the SSH fingerprint of any unknown host when it first connects. However, it does not properly maintain the list of known hosts and will thus permit connections to a host regardless of the SSH fingerprint presented.

This impacts all drivers built using the utility. At the time of writing these drivers include, but may not be limited to:

- Solaris ISCSI driver
- HP LeftHand SAN ISCSI driver
- Huawei OceanStor T series and Dorado series storage arrays
- Dell EqualLogic Storage
- IBM Storwize SVC

In the event that a malicious adversary has a point of presence on the storage network, they could undermine network communications between Cinder and the SAN host. Should an adversary manage to impersonate the storage host, Cinder will silently accept the newly presented fingerprint of the bogus host and allow the connection. This behaviour constitutes a typical Man in the Middle attack that could intercept and manipulate communications with the storage host, possibly leaking login credentials. If login credentials can be acquired, then direct interaction with the legitimate storage host becomes possible. This could result in Cinder volumes being accessed or modified to export compromised code and data to other services.
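The defect is a host-key policy choice, so it is worth seeing the two policies side by side. The following is an added example written for this note, not Cinder's own SSH pool code: it models the auto-accept behaviour described above (accept any key, record nothing) next to a trust-on-first-use policy that keeps a known_hosts record and rejects a changed key, and a strict policy that only admits pre-registered hosts. It also implements the detection step the note describes next (connect, regenerate the host's key, connect again). The host keys, the host name `san01.example.invalid` and the `SSHPool`/`check` interface are all constructed for the example; real SSH libraries expose the same choice (in paramiko, for instance, through `SSHClient.set_missing_host_key_policy` and `load_host_keys`), but nothing here touches the network.

```python
"""Model of SSH host-key handling in a pooled client: the defective
auto-accept policy beside policies that actually track known hosts.
Host keys are constructed byte strings, not real SSH keys."""
import base64
import hashlib


class HostKeyMismatch(Exception):
    """Raised when a host presents a key other than the recorded one."""


def fingerprint(pubkey: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 of the key blob, base64 without padding."""
    digest = hashlib.sha256(pubkey).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class AutoAcceptPolicy:
    """The defective behaviour: every key is accepted and nothing is recorded,
    so a later key change (legitimate or attacker-induced) is never noticed."""

    def check(self, known_hosts: dict, host: str, pubkey: bytes) -> None:
        return None


class TrustOnFirstUsePolicy:
    """Record the fingerprint on first contact; reject any later mismatch."""

    def check(self, known_hosts: dict, host: str, pubkey: bytes) -> None:
        fp = fingerprint(pubkey)
        stored = known_hosts.get(host)
        if stored is None:
            known_hosts[host] = fp  # first contact: persist the fingerprint
        elif stored != fp:
            raise HostKeyMismatch(f"{host}: expected {stored}, got {fp}")


class StrictPolicy:
    """Only hosts whose fingerprint the deployer pre-registered may connect."""

    def check(self, known_hosts: dict, host: str, pubkey: bytes) -> None:
        stored = known_hosts.get(host)
        if stored is None or stored != fingerprint(pubkey):
            raise HostKeyMismatch(f"{host}: key unknown or mismatched")


class SSHPool:
    """Stand-in for a pooled SSH client (hypothetical interface); connect()
    performs only the host-key verification step and reports the outcome."""

    def __init__(self, policy, known_hosts=None):
        self.policy = policy
        self.known_hosts = dict(known_hosts or {})

    def connect(self, host: str, presented_pubkey: bytes) -> bool:
        try:
            self.policy.check(self.known_hosts, host, presented_pubkey)
        except HostKeyMismatch:
            return False
        return True


# Constructed stand-ins for a SAN host's original and regenerated host keys.
ORIGINAL_KEY = b"ssh-rsa constructed-san-host-key-v1"
REGENERATED_KEY = b"ssh-rsa constructed-san-host-key-v2"
SAN_HOST = "san01.example.invalid"  # constructed host name


def regenerated_key_test(policy) -> tuple:
    """The note's detection step: connect once, regenerate the host key,
    connect again. Returns (first_accepted, second_accepted); a second
    True means the host-key check is not protecting the connection."""
    pool = SSHPool(policy)
    first = pool.connect(SAN_HOST, ORIGINAL_KEY)
    second = pool.connect(SAN_HOST, REGENERATED_KEY)
    return first, second


if __name__ == "__main__":
    for name, policy in [("auto-accept", AutoAcceptPolicy()),
                         ("trust-on-first-use", TrustOnFirstUsePolicy())]:
        print(f"{name}: {regenerated_key_test(policy)}")
```

Under the auto-accept policy the second connection succeeds, which is exactly the symptom the note tells deployers to look for; under trust-on-first-use the regenerated key is refused, and the operator must deliberately update the record after a legitimate key rotation. The strict policy is the form that belongs in a deployment where the storage hosts' fingerprints can be distributed out of band.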
The presence of this defect can be detected by initially connecting to a storage host and then re-generating that host's local SSH details. Cinder will still allow connections to the host despite its now modified fingerprint. This is the default configuration.

### Recommended Actions ###

Deployers should pay attention to the SSH interface between the Cinder driver and the SAN host and take appropriate measures to defend the storage network. These measures could include physical network isolation or placing an Intrusion Detection System on the network. The IDS should detect attacks such as ARP table poisoning, DHCP spoofing or DNS forgery that could be used to impersonate a SAN host and enact a Man in the Middle attack.

### Contacts / References ###

This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0019
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1320056
OpenStack Security ML : openstack-secur...@lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev