CVE-2019-17134 in OpenStack Octavia

Summary

by MITRE

Amphora Images in OpenStack Octavia >=0.10.0 <2.1.2, >=3.0.0 <3.2.0, >=4.0.0 <4.1.0 allows anyone with access to the management network to bypass client-certificate based authentication and retrieve information or issue configuration commands via simple HTTP requests to the Agent on port https/9443, because the cmd/agent.py gunicorn cert_reqs option is True but is supposed to be ssl.CERT_REQUIRED.


Analysis

by VulDB Data Team • 01/05/2024

The vulnerability CVE-2019-17134 represents a critical authentication bypass flaw in OpenStack Octavia's Amphora images affecting versions between 0.10.0 and 2.1.1, as well as 3.0.0 through 3.1.9 and 4.0.0 through 4.0.9. This issue stems from improper SSL certificate validation configuration within the agent component that handles management communications. The flaw specifically impacts systems where the management network is accessible to unauthorized parties, creating a significant security risk for cloud infrastructure deployments.

The technical root cause lies in the cmd/agent.py file, where the gunicorn server is configured with cert_reqs set to True instead of the proper ssl.CERT_REQUIRED value. This misconfiguration allows the agent to accept connections without requiring a valid client certificate, effectively disabling the intended mutual TLS authentication mechanism. When the agent listens on its HTTPS port (9443), it should enforce strict certificate validation so that only authenticated clients can reach sensitive management functions. Instead, the flawed configuration permits unauthenticated access through plain HTTPS requests that carry no client certificate, undermining the entire certificate-based security model.

The operational impact of this vulnerability extends beyond simple information disclosure to include full administrative control over Octavia's load balancing components. An attacker with access to the management network can bypass authentication entirely and execute arbitrary configuration commands against the agent service. This capability enables unauthorized modification of load balancer configurations, potential service disruption, data exfiltration, and establishment of persistent access points within the cloud environment. The vulnerability affects the core management functionality of Octavia's Amphora appliances, which serve as the backend components for load balancing operations in OpenStack cloud deployments.

This vulnerability maps directly to CWE-295 which addresses improper certificate validation and CWE-310 which covers cryptographic issues. The attack vector aligns with ATT&CK technique T1078.004 for valid accounts and T1566 for credential access through network exploitation. Organizations using affected versions of OpenStack Octavia face significant risk of compromise when management networks are not properly segmented from public access. The vulnerability demonstrates a critical failure in secure configuration management where default settings were not properly enforced for TLS security parameters.

The recommended mitigation strategy involves upgrading to patched versions of OpenStack Octavia where the certificate validation has been properly enforced. Administrators should also ensure that management networks are properly isolated from public access and implement additional network segmentation controls. The fix requires changing the gunicorn cert_reqs parameter from True to ssl.CERT_REQUIRED in the agent configuration, ensuring that mutual TLS authentication is properly enforced. Additionally, organizations should conduct thorough security audits of their OpenStack deployments to identify any other instances of improper SSL configuration that might create similar vulnerabilities in their infrastructure.
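The root cause and the fix described above hinge on a detail of Python's ssl module that is worth seeing run: ssl.CERT_NONE, ssl.CERT_OPTIONAL and ssl.CERT_REQUIRED are the integers 0, 1 and 2, and True == 1, so a server that passes cert_reqs=True straight through to a context's verify_mode ends up with CERT_OPTIONAL and completes the handshake for a client that presents no certificate at all. The script below is an added example, not code from Octavia or gunicorn; the settings dicts, the placeholder certificate path and the function names are constructed for illustration. It derives the effective verify mode from a gunicorn-style cert_reqs value, builds a server context the way a wrap_socket-style server would, and audits a settings dict so the weak value can be caught before deployment.

```python
"""Why cert_reqs=True does not enforce client certificates (added example)."""
import ssl

# Constructed settings dicts in gunicorn's key style (not Octavia's real config).
# WEAK_SETTINGS carries the defect from the advisory: cert_reqs is the bool True.
WEAK_SETTINGS = {
    "bind": "0.0.0.0:9443",
    "cert_reqs": True,                     # bool, silently read as the int 1
    "ca_certs": "/path/to/client_ca.pem",  # placeholder path
}
FIXED_SETTINGS = {
    "bind": "0.0.0.0:9443",
    "cert_reqs": ssl.CERT_REQUIRED,        # the value the fix uses
    "ca_certs": "/path/to/client_ca.pem",  # placeholder path
}


def effective_verify_mode(cert_reqs) -> ssl.VerifyMode:
    """Return the ssl.VerifyMode that Python's ssl layer derives from cert_reqs.

    ssl.VerifyMode is an IntEnum: CERT_NONE == 0, CERT_OPTIONAL == 1,
    CERT_REQUIRED == 2. Because True == 1, cert_reqs=True becomes CERT_OPTIONAL:
    a client certificate is verified if one is presented, but none is required.
    Raises ValueError for values that are not a valid mode.
    """
    return ssl.VerifyMode(cert_reqs)


def build_server_context(cert_reqs) -> ssl.SSLContext:
    """Build a server-side TLS context the way a wrap_socket-style server does,
    assigning cert_reqs to verify_mode without any type check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = cert_reqs
    return ctx


def requires_client_cert(cert_reqs) -> bool:
    """True only when the handshake will fail for a client with no certificate."""
    return build_server_context(cert_reqs).verify_mode == ssl.CERT_REQUIRED


def audit_cert_reqs(settings: dict) -> list:
    """Return human-readable findings for a settings dict; an empty list means OK.

    Flags a bool cert_reqs explicitly, since it looks intentional in source but
    is not CERT_REQUIRED, and flags any other mode that leaves client
    certificates optional or unchecked.
    """
    findings = []
    value = settings.get("cert_reqs", ssl.CERT_NONE)  # gunicorn's default is CERT_NONE
    try:
        mode = effective_verify_mode(value)
    except ValueError:
        return [f"cert_reqs={value!r} is not a valid ssl.VerifyMode"]
    if isinstance(value, bool):
        findings.append(
            f"cert_reqs is the bool {value!r}; the ssl layer reads it as "
            f"{mode.name}, not CERT_REQUIRED")
    elif mode != ssl.CERT_REQUIRED:
        findings.append(f"cert_reqs is {mode.name}; client certificates are not mandatory")
    if not settings.get("ca_certs"):
        findings.append("ca_certs is unset; there is no CA to verify client certificates against")
    return findings


if __name__ == "__main__":
    for label, settings in (("weak", WEAK_SETTINGS), ("fixed", FIXED_SETTINGS)):
        mode = build_server_context(settings["cert_reqs"]).verify_mode
        print(f"{label}: cert_reqs={settings['cert_reqs']!r} -> {mode.name}; "
              f"client cert required: {requires_client_cert(settings['cert_reqs'])}; "
              f"findings: {audit_cert_reqs(settings) or 'none'}")
```

Running it prints CERT_OPTIONAL for the weak settings and CERT_REQUIRED for the fixed ones, which is the whole bug in two lines: the setting is non-empty, looks enabled, and still lets an anonymous client through. The audit function is the check to add to a deployment review of any Python TLS server that takes cert_reqs from configuration.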

Reservation

10/04/2019

Moderation

accepted

CPE

ready

EPSS

0.00390

KEV

no

Activities

very low
