rcbops / chef-cookbooks

RCB OPS - Chef Cookbooks

[cinder] Cinder API - Unencrypted Submission of Credentials #889

Open claco opened 10 years ago

claco commented 10 years ago

This is from the internal security review recommendations.

Severity: High

Description / Exploit: The RPC Cinder API endpoint transmits sensitive or security-critical data (API keys) in cleartext in a communication channel that can be sniffed by unauthorized actors.

Impact: Anyone can read the information by gaining access to the channel being used for communication.

Systems Vulnerable: http://198.101.133.159:8776

Suggested Mitigation: Encrypt the data with a reliable encryption scheme before transmitting (SSL, TLS).

Further References: http://cwe.mitre.org/data/definitions/319.html https://owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet

This will likely require attribute default changes, http -> https upgrade testing, https client cert/bundle testing (see other open issues around https and client certs), and changes to novarc files, monitoring/monit checks.

Affects:

cookbooks/cinder/attributes/default.rb
38:default["cinder"]["services"]["api"]["port"] = 8776
47:default["cinder"]["services"]["internal-api"]["port"] = 8776
52:default["cinder"]["services"]["admin-api"]["port"] = 8776

cookbooks/nova/attributes/default.rb
97:default["nova"]["services"]["volume"]["port"] = 8776

odyssey4me commented 10 years ago

The only OpenStack CI testing I'm aware of for Apache/wsgi configuration for SSL endpoints is for nova & keystone, so I would recommend going with one of the following options here:

  1. Use the native configuration to configure the SSL endpoint;
  2. Use an Apache reverse proxy instead of Apache/wsgi.

brc commented 10 years ago

So in the case of mod_proxy, we could bind the native, non-https service (cinder) to localhost and let Apache terminate SSL and proxy packets back to localhost?

Something like:

+-------------------------------------------+     
|                                           |             +---------------+
| cinder(lo:8776) <-- httpd(eth0:8776/ssl) <--------------|   API call    |
|                                           |    HTTPS    +---------------+
+-------------------------------------------+               cinder client
               Controller

Just making sure I'm on the same page before doing anything with this, as I've spent the last couple days trying to make glance run out of mod_wsgi, to which you left interesting comments. :)
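The mod_proxy layout in the diagram above, written out as an Apache vhost. This is an added illustration, not a file from the rcbops cookbooks; the public address 203.0.113.10, the hostname, the certificate paths and the config file path are constructed placeholders, and it assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.

```apache
# /etc/apache2/sites-available/cinder-api-ssl.conf   (constructed example path)
#
# Apache binds only the public address on 8776, so the plain-HTTP cinder-api
# listener on 127.0.0.1:8776 is never reachable from the network. 203.0.113.10
# is a placeholder for the controller's eth0 address.
Listen 203.0.113.10:8776

<VirtualHost 203.0.113.10:8776>
    # Must match the certificate and the https:// endpoint registered in keystone.
    ServerName controller.example.org

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!RC4
    SSLCertificateFile    /etc/ssl/certs/cinder-api.pem
    SSLCertificateKeyFile /etc/ssl/private/cinder-api.key

    # Terminate TLS here and hand the request to the loopback-only cinder-api.
    # The API key in X-Auth-Token now only travels in cleartext inside the host.
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass        / http://127.0.0.1:8776/ retry=0
    ProxyPassReverse / http://127.0.0.1:8776/

    # Lets cinder build https:// links (e.g. in version/pagination responses)
    # even though it only sees plain HTTP from the proxy.
    RequestHeader set X-Forwarded-Proto "https"

    ErrorLog  /var/log/apache2/cinder-api-ssl_error.log
    CustomLog /var/log/apache2/cinder-api-ssl_access.log combined
</VirtualHost>
```

This assumes cinder.conf has been changed to `osapi_volume_listen = 127.0.0.1` and `osapi_volume_listen_port = 8776` so the unencrypted listener exists only on loopback; the keystone endpoints, novarc files and monit checks then need the https:// URL, as the issue description notes.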

odyssey4me commented 10 years ago

Yes, that's exactly right. :+1:

It may be worth exploring the idea of ensuring that all services on the same server talk directly to each other (without SSL termination), whereas if they need to talk between servers they should use the appropriate SSL terminated endpoints. I'm not sure that this'll be worth the effort though.