VMware: possible collision of VNC ports

Bug #1255609 reported by Radoslav Gerganov
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
OpenStack Compute (nova) | Fix Released | High | Radoslav Gerganov |
Havana | Fix Released | High | Tracy Jones |
VMwareAPI-Team | In Progress | High | Unassigned |

Bug Description

We assign VNC ports to VM instances with the following method:

def _get_vnc_port(vm_ref):
    """Return VNC port for an VM."""
    vm_id = int(vm_ref.value.replace('vm-', ''))
    port = CONF.vmware.vnc_port + vm_id % CONF.vmware.vnc_port_total
    return port

The vm_id is a simple counter in vSphere which increments fast, and there is a chance to get the same port number if the vm_ids are equal modulo vnc_port_total (10000 by default).

A report was received that if the port number is reused you may get access to the VNC console of another tenant. We need to fix the implementation to always choose a port number which is not taken or report an error if there are no free ports available.

Tags: vmware
Changed in nova:
assignee: nobody → Radoslav Gerganov (rgerganov)
Jeremy Stanley (fungi) wrote :

Is this exploitable, or only something which occurs by random chance? If the latter, I feel like we'd be better off opening the bug and fixing this in public as a security hardening improvement (possibly with an accompanying OSSN).

I've added the Nova security reviewers for confirmation of the issue, and to comment on any proposed patches in case this remains under embargo.

Changed in ossa:
status: New → Incomplete
Andrew Laski (alaski) wrote :

If vm_id is an incremental counter then this is an issue but would occur by random chance from my reading. And it would need to be incrementing pretty quickly, > 10000 times during the life of a console session, in order to cause this. I would agree with opening this up as a public bug.

Changed in nova:
status: New → Confirmed
importance: Undecided → Low
Radoslav Gerganov (rgerganov) wrote :

This is not exploitable and the chances to hit this are very small. I am working on a patch which fixes this by querying the allocated ports and selecting one which is not taken:

https://review.openstack.org/#/c/58994

information type: Private Security → Public
Changed in nova:
status: Confirmed → In Progress
Thierry Carrez (ttx)
no longer affects: ossa
Changed in nova:
milestone: none → icehouse-1
milestone: icehouse-1 → icehouse-2
Changed in nova:
importance: Low → High
importance: High → Medium
Gary Kotton (garyk)
Changed in nova:
importance: Medium → High
Changed in openstack-vmwareapi-team:
importance: Undecided → High
tags: added: havana-backport-potential
Tracy Jones (tjones-i)
Changed in openstack-vmwareapi-team:
status: New → In Progress
Thierry Carrez (ttx)
Changed in nova:
milestone: icehouse-2 → icehouse-3
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.openstack.org/58994
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=2f49ed4b5dbb5c954fc7a9b42ee7b170c38c775c
Submitter: Jenkins
Branch: master

commit 2f49ed4b5dbb5c954fc7a9b42ee7b170c38c775c
Author: Radoslav Gerganov <email address hidden>
Date: Thu Nov 28 13:37:53 2013 +0200

    VMware: fix the VNC port allocation

    There is a small chance for VNC port collisions with the current
    implementation, which chooses the port number based on the MoRef id
    of the VM.
    This patch fixes this by running a query for all allocated ports
    and then selects one which is not taken.

    Change-Id: If7c3b14dd49ed05c5fde819c5a36d5608650cbbc
    Closes-Bug: #1255609
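
The collision described in the bug report and the query-then-pick approach described in the commit message, as an added example (this is not the nova patch itself). The base port 5900, the `NoFreeVncPort` exception, and all function names are assumptions for illustration; the VM inventory is constructed.

```python
"""Added example: the modulo-based VNC port scheme from the bug report
next to an allocator that checks which ports are already in use."""

VNC_PORT = 5900          # assumed base port (stands in for CONF.vmware.vnc_port)
VNC_PORT_TOTAL = 10000   # default range size quoted in the bug report


class NoFreeVncPort(Exception):
    """Hypothetical error raised when every port in the range is taken."""


def legacy_vnc_port(moref, base=VNC_PORT, total=VNC_PORT_TOTAL):
    """Port derived only from the MoRef id, as in the reported method."""
    vm_id = int(moref.replace('vm-', ''))
    return base + vm_id % total


def find_legacy_collisions(morefs, base=VNC_PORT, total=VNC_PORT_TOTAL):
    """Return {port: [morefs]} for ports the legacy scheme assigns twice."""
    by_port = {}
    for moref in morefs:
        by_port.setdefault(legacy_vnc_port(moref, base, total), []).append(moref)
    return {p: vms for p, vms in by_port.items() if len(vms) > 1}


def allocate_vnc_port(allocated, base=VNC_PORT, total=VNC_PORT_TOTAL):
    """Pick the first port in [base, base + total) not in `allocated`.

    `allocated` is the set of ports already configured on existing VMs;
    how that set is queried from vSphere is outside this sketch.
    """
    for port in range(base, base + total):
        if port not in allocated:
            return port
    raise NoFreeVncPort("no free VNC port in %d-%d" % (base, base + total - 1))


if __name__ == "__main__":
    # Constructed inventory: two live VMs whose ids differ by exactly 10000.
    live = ['vm-123', 'vm-4567', 'vm-10123']
    print(find_legacy_collisions(live))   # vm-123 and vm-10123 share a port
    in_use = set()
    for moref in live:
        port = allocate_vnc_port(in_use)
        in_use.add(port)
        print(moref, '->', port)
```

In this sketch the lookup and the assignment are separate steps, so concurrent spawns on the same host would need to be serialized around them to avoid two callers picking the same free port.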

Changed in nova:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/76722

Thierry Carrez (ttx)
Changed in nova:
status: Fix Committed → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (stable/havana)

Reviewed: https://review.openstack.org/76722
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=2edf6fffe1e7757dbeaa1a25f75f124687f4b232
Submitter: Jenkins
Branch: stable/havana

commit 2edf6fffe1e7757dbeaa1a25f75f124687f4b232
Author: Radoslav Gerganov <email address hidden>
Date: Thu Nov 28 13:37:53 2013 +0200

    VMware: fix the VNC port allocation

    There is a small chance for VNC port collisions with the current
    implementation, which chooses the port number based on the MoRef id
    of the VM.
    This patch fixes this by running a query for all allocated ports
    and then selects one which is not taken.

    Closes-Bug: #1255609
    (cherry picked from commit 2f49ed4b5dbb5c954fc7a9b42ee7b170c38c775c)

    Conflicts:

     nova/exception.py
     nova/tests/virt/vmwareapi/test_vmwareapi.py
     nova/tests/virt/vmwareapi/test_vmwareapi_vm_util.py
     nova/virt/vmwareapi/vm_util.py
     nova/virt/vmwareapi/vmops.py

    Change-Id: If7c3b14dd49ed05c5fde819c5a36d5608650cbbc

tags: added: in-stable-havana
Alan Pevec (apevec)
tags: removed: havana-backport-potential in-stable-havana
Thierry Carrez (ttx)
Changed in nova:
milestone: icehouse-3 → 2014.1