[Bug 1482765] Re: [MIR] neutron-vpnaas

Seth Arnold 1482765 at bugs.launchpad.net
Sat Nov 10 03:58:38 UTC 2018


I reviewed neutron-vpnaas version 2:13.0.0-0ubuntu1 as checked into
cosmic. This shouldn't be considered a full security audit. I especially
did not audit the VPN configurations that it provides.

- No CVEs in our database
- neutron-vpnaas provides an interface for OpenStack administrators to
  create VPNs using a variety of VPN tools
- *huge* list of build-depends. I'm not going to paste them all in here,
  it's really very surprising. There's 83 packages.
- Does not itself do networking
- Does not daemonize
- pre/post inst/rm scripts autogenerated
- No initscripts
- No systemd units
- No DBus services
- No setuid files
- python3-neutron-vpn-netns-wrapper and python2-neutron-vpn-netns-wrapper
  executables in /usr/bin
- No sudoers fragments
- No udev rules
- Extensive testsuite, unknown utility
- No cronjobs

- Subprocesses extensively spawned
- File operations are normally to well-known locations
- No environment use
- Privileged operations looked racy
- Networking done mostly via spawning ssh
- All /tmp uses look to be in test or CI
- No use of WebKit
- No use of JavaScript
- No use of Policykit

neutron-vpnaas was previously in main. I don't recall it being a
maintenance burden in the past, so this audit is fairly truncated compared
to if this were a new package entirely.

It still drastically uses string-based command executions via ssh.

Whoever can use this interface should be considered to have full control
over the entire OpenStack environment. Upstream OpenStack security team
wasn't too worried about anything I reported last time around, so this is
probably also their threat model.

write_key_to_local_path() has a race condition in writing a key. Probably
OpenStack networking and compute nodes only ever have completely trusted
users interacting with the systems.
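The review reports the race in write_key_to_local_path() without describing it. As an added example that is not neutron-vpnaas code, the hypothetical write_key_atomically() below shows the pattern that closes the usual windows when writing a private key (exclusive-create temp file with mode 0600, fsync, atomic rename), next to a common racy shape, write_key_racy(), included only for contrast and not claimed to be the package's actual code.

```python
import os
import stat
import tempfile


def write_key_racy(path: str, key: bytes) -> None:
    """Common racy shape (illustrative only, not the reported code): the file
    is created with the process umask, typically 0644, and tightened only
    afterwards, so another local user can read the key in between."""
    with open(path, "wb") as f:
        f.write(key)
    os.chmod(path, 0o600)


def write_key_atomically(path: str, key: bytes) -> None:
    """Hypothetical hardened writer: the key is never visible with loose
    permissions, never partially written at `path`, and a symlink planted
    at `path` is replaced rather than followed."""
    directory = os.path.dirname(os.path.abspath(path))
    # Temp file in the target directory so the final rename stays on one
    # filesystem and is therefore atomic.
    fd, tmp = tempfile.mkstemp(prefix=".key-", dir=directory)
    try:
        # mkstemp opens with O_CREAT|O_EXCL and mode 0600; verify rather
        # than assume, since the key will be written through this fd.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or stat.S_IMODE(st.st_mode) != 0o600:
            raise OSError("unexpected mode on freshly created temp file")
        with os.fdopen(fd, "wb") as f:
            fd = -1  # the file object now owns the descriptor
            f.write(key)
            f.flush()
            os.fsync(f.fileno())  # data durable before it is made visible
        # One atomic step: readers see either the old file or the new one.
        os.replace(tmp, path)
        tmp = None
        # Persist the directory entry as well.
        dfd = os.open(directory, os.O_RDONLY)
        try:
            os.fsync(dfd)
        finally:
            os.close(dfd)
    finally:
        if fd != -1:
            os.close(fd)
        if tmp is not None:
            os.unlink(tmp)
```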

Security team ACK for promoting neutron-vpnaas to main with the provision
that the server team promises to help provide quality assurance in the
event updates are needed. We're not in a position to test all the VPNs
that this can configure.

Thanks


** Changed in: neutron-vpnaas (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)

https://bugs.launchpad.net/bugs/1482765

Title:
  [MIR] neutron-vpnaas

Status in neutron-vpnaas package in Ubuntu:
  Fix Committed

Bug description:
  [Availability]
  Currently in universe

  [Rationale]
  Extension for OpenStack Neutron that provides VPNaaS.
  Note: neutron-vpnaas was promoted to main in the past and then later demoted. I believe it was demoted due to [1], however development has since picked up and we'd like to get it back into main.

  [1] http://lists.openstack.org/pipermail/openstack-dev/2016-November/107384.html

  [Security]
  No security history

  [Quality Assurance]
  Package works out of the box with no prompting. There are no major bugs in Ubuntu and there are no major bugs in Debian. Unit tests are run during build.

  [Dependencies]
  All are in main

  [Standards Compliance]
  FHS and Debian Policy compliant.

  [Maintenance]
  Python package that the Ubuntu Server Team will take care of.

  [Background]
  VPNaaS (VPN-as-a-Service) is a Neutron extension that introduces VPN feature set.
  https://wiki.openstack.org/wiki/Neutron/VPNaaS
