Red Hat has fixed an important vulnerability in the OpenStack subsystem that’s used to manage network connectivity to and from virtual machines. If left unpatched, it could allow an attacker to access network resources from virtual machines.
The vulnerability, tracked as CVE-2017-7543 in the Common Vulnerabilities and Exposures (CVE) database, is located in openstack-neutron, a “pluggable, scalable and API-driven” component of the Red Hat OpenStack Platform that’s used to provision networking services to virtual machines.
In a security advisory, Red Hat describes the flaw as a “race condition” triggered by a minor overcloud update. In OpenStack vernacular, the overcloud is the production cloud used by tenants, as opposed to the control cloud, or the undercloud, which is used to bootstrap the production cloud.
The overcloud update disabled neutron security groups by setting the kernel parameters net.bridge.bridge-nf-call-arptables, net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables to 0. In turn, this stopped iptables, the Linux kernel firewall, from filtering traffic that crosses the Linux bridge, creating a serious security risk.
“The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources,” Red Hat said in its advisory.
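As an added example, not code from Red Hat's advisory or from the neutron project, the following POSIX shell check lets a compute-node operator detect the condition the faulty update left behind and write a sysctl.d drop-in that pins the three settings back to 1; the /proc path is the kernel's standard interface, while the drop-in filename is an assumption.

```shell
#!/bin/sh
# Audit the three bridge-netfilter sysctls that the faulty overcloud update
# set to 0. When any of them is 0, iptables no longer sees traffic crossing
# the Linux bridge, so neutron security group rules built on iptables are
# silently bypassed for every VM behind that bridge.

BRIDGE_SYSCTLS="bridge-nf-call-arptables bridge-nf-call-ip6tables bridge-nf-call-iptables"

# check_bridge_nf [DIR]
# Prints one line per sysctl and returns 0 only if all three read 1.
# DIR defaults to the live kernel interface; a test can point it at a
# constructed directory so the check runs offline.
# A missing file means the br_netfilter module is not loaded, which also
# leaves bridged traffic unfiltered, so it counts as a failure.
check_bridge_nf() {
    dir="${1:-/proc/sys/net/bridge}"
    rc=0
    for name in $BRIDGE_SYSCTLS; do
        f="$dir/$name"
        if [ ! -r "$f" ]; then
            echo "MISSING  net.bridge.$name (br_netfilter not loaded?)"
            rc=1
            continue
        fi
        val=$(cat "$f")
        if [ "$val" = "1" ]; then
            echo "ok       net.bridge.$name = 1"
        else
            echo "DISABLED net.bridge.$name = $val (security groups bypassed)"
            rc=1
        fi
    done
    return $rc
}

# write_bridge_nf_conf [FILE]
# Persistent remediation: a sysctl.d drop-in that survives reboots and the
# next update. The default path is an assumption, not a Red Hat convention.
write_bridge_nf_conf() {
    out="${1:-/etc/sysctl.d/99-neutron-bridge-nf.conf}"
    for name in $BRIDGE_SYSCTLS; do
        echo "net.bridge.$name = 1"
    done > "$out"
}
```

On a compute node, `check_bridge_nf || { write_bridge_nf_conf && sysctl --system; }` reports the state and applies the fix only when something is off.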
Updated neutron related packages were released for OpenStack 6.0 (Juno), 7.0 (Kilo), 8.0 (Liberty), 9.0 (Mitaka), 10.0 (Newton) and 11.0 (Ocata) to fix the vulnerability.
This week, Red Hat also released kernel patches for several editions of Red Hat Enterprise Linux 6.7 and 7.3 Extended Update Support to fix moderate and important vulnerabilities that could be exploited remotely and could lead to denial of service conditions, arbitrary code execution or privilege escalation — gaining higher privileges than the user running the affected component.
The update for Red Hat Enterprise Linux 6.7 fixes a single vulnerability tracked as CVE-2017-7895. This flaw has been known since April and is located in the kernel server implementation of the Network File System (NFS) versions 2 and 3.
If exploited, the flaw could lead to arbitrary code execution, which is why it is rated 9.8 out of 10 in the Common Vulnerability Scoring System. The flaw was patched in Red Hat Enterprise Linux 7.3 and 7.4 in June.
Red Hat is a sponsor of The New Stack.
Feature image via Pixabay.