chef-cookbooks
[nova] EC2 API - Unencrypted Submission of Credentials
This is from the internal security review recommendations.
Severity: High
Description / Exploit: The RPC EC2 API endpoint transmits sensitive or security-critical data (API keys) in cleartext in a communication channel that can be sniffed by unauthorized actors.
Impact: Anyone can read the information by gaining access to the channel being used for communication.
Systems Vulnerable: http://198.101.133.159:8773
Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).
Further References:
http://cwe.mitre.org/data/definitions/319.html
https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet
This will likely require changes to the attribute defaults, http -> https upgrade testing, https client cert/bundle testing (see the other open issues around https and client certs), changes to the novarc files, and updates to the monitoring/monit checks.
Affects:
cookbooks/nova/attributes/default.rb
62:default["nova"]["services"]["ec2-admin"]["port"] = 8773
71:default["nova"]["services"]["ec2-public"]["port"] = 8773
cookbooks/openstack-monitoring/recipes/nova-api-ec2.rb
32: # TODO(brett): health-check all the tcp ports (8773..8775 iirc)
cookbooks/openstack-monitoring/recipes/nova-api-metadata.rb
27: # TODO(brett): health-check all the tcp ports (8773..8775 iirc)
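As an added illustration of the novarc side of this fix (not code from the cookbooks or from the review), the following Ruby script audits a novarc file for `*_URL` exports that still point at cleartext `http://` endpoints and rewrites them to `https://`, leaving host, port and path untouched. The sample novarc is constructed for the example; the hostnames and key values in it are placeholders, and the port is kept as-is because the server-side change is to terminate TLS on the existing port (native SSL options or an Apache reverse proxy), not to move the service.

```ruby
require 'uri'

# Constructed sample novarc (not taken from the project). The EC2 and S3
# endpoints use the cleartext http:// scheme the review flags; the key values
# are placeholders, not real credentials.
SAMPLE_NOVARC = <<~RC
  export EC2_ACCESS_KEY="0123456789abcdef"    # placeholder, not a real key
  export EC2_SECRET_KEY="fedcba9876543210"    # placeholder, not a real key
  export EC2_URL=http://nova.example.test:8773/services/Cloud
  export S3_URL=http://nova.example.test:3333
  export NOVA_URL=https://nova.example.test:8774/v1.1/
  export OS_AUTH_URL=https://keystone.example.test:5000/v2.0
RC

# Parse `export NAME=value` lines into a hash. Trailing comments are dropped
# and surrounding quotes are stripped so values compare cleanly.
def parse_novarc(text)
  text.each_line.each_with_object({}) do |raw, vars|
    line = raw.chomp
    m = line.match(/\A\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)\z/)
    next unless m
    value = m[2].sub(/\s+#.*\z/, '').strip.gsub(/\A["']|["']\z/, '')
    vars[m[1]] = value
  end
end

# Names of *_URL variables whose endpoint is cleartext http. Unparseable
# values are skipped rather than treated as findings.
def cleartext_endpoints(vars)
  vars.each_with_object([]) do |(name, value), found|
    next unless name.end_with?('_URL')
    uri = URI.parse(value) rescue nil
    next unless uri
    found << name if uri.scheme == 'http'
  end
end

# Rewrite cleartext *_URL exports to https in place; everything after the
# scheme (host, port, path) is preserved.
def harden_novarc(text)
  text.gsub(/^(\s*(?:export\s+)?\w*_URL=)http:\/\//, '\1https://')
end

if $PROGRAM_NAME == __FILE__
  vars = parse_novarc(SAMPLE_NOVARC)
  cleartext_endpoints(vars).each { |name| puts "cleartext endpoint: #{name}=#{vars[name]}" }
  puts '--- hardened novarc ---'
  puts harden_novarc(SAMPLE_NOVARC)
end
```

Run against a real novarc (`ruby audit_novarc.rb < novarc`, after swapping the sample for `STDIN.read`) the finding list doubles as a monit/monitoring check input: a non-empty result means a client is still configured to send its EC2 keys over a channel that can be sniffed.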
I have no idea whether the EC2 endpoints are properly tested in OpenStack CI, so my thinking would be:
- Use the native SSL config options to ensure that nova listens on SSL for all services;
- Use Apache to reverse proxy nova on all ports and SSL encrypt the traffic. This has been working well for us.