A race-condition flaw was discovered in openstack-neutron where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources.
To determine whether your system is impacted, run:
$ sudo sysctl net.bridge.bridge-nf-call-ip6tables
$ sudo sysctl net.bridge.bridge-nf-call-iptables
Both should be set to 1. If either reports 0, the host is affected.
To restore both settings to 1:
1. Apply the following configuration modification:
$ sudo sed -i.back -e 's/reapply_sysctl = 0/reapply_sysctl = 1/' /etc/tuned/tuned-main.conf
2. Ensure the modification was successful:
$ grep reapply_sysctl /etc/tuned/tuned-main.conf
The output should be "reapply_sysctl = 1".
3. Check whether tuned is running:
$ sudo systemctl status tuned
4. Restart tuned to apply the new configuration:
$ sudo systemctl restart tuned
5. Recheck the two sysctl values shown above and the status of 'reapply_sysctl'.
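The following script is an added example, not part of this advisory: it performs the checks from the steps above in one pass (both bridge-nf sysctls equal to 1, and reapply_sysctl = 1 in /etc/tuned/tuned-main.conf) and exits non-zero if the host still needs the fix. The two parsing functions read from stdin so they can be exercised on constructed input; the key names and file path are the ones given in the advisory.

```sh
#!/bin/sh
# Added example (not part of the advisory): verify the state the advisory describes.
# Exit status 0 means both bridge-nf sysctls are 1 AND tuned has reapply_sysctl = 1;
# anything else means the host still needs the fix steps above.

# Read "key = value" lines in the format `sysctl` prints (from stdin) and succeed only
# when BOTH bridge-nf keys are present and set to 1. A missing key (for example the
# bridge module is not loaded, so sysctl printed nothing) counts as a failure.
bridge_nf_ok() {
    awk -F' *= *' '
        $1 == "net.bridge.bridge-nf-call-iptables"  { v4 = $2 }
        $1 == "net.bridge.bridge-nf-call-ip6tables" { v6 = $2 }
        END { exit !(v4 == 1 && v6 == 1) }'
}

# Succeed when the tuned-main.conf text on stdin has an active (not commented-out)
# "reapply_sysctl = 1" line.
reapply_sysctl_ok() {
    grep -Eq '^[[:space:]]*reapply_sysctl[[:space:]]*=[[:space:]]*1[[:space:]]*$'
}

# Run both checks against the live host, print one verdict line per check,
# and return 0 only if both pass.
check_host() {
    rc=0
    if sysctl net.bridge.bridge-nf-call-iptables net.bridge.bridge-nf-call-ip6tables 2>/dev/null | bridge_nf_ok; then
        echo "OK:   bridge-nf-call-iptables and bridge-nf-call-ip6tables are both 1"
    else
        echo "FAIL: bridge-nf sysctls are not both 1 (neutron security groups not enforced)"
        rc=1
    fi
    if cat /etc/tuned/tuned-main.conf 2>/dev/null | reapply_sysctl_ok; then
        echo "OK:   tuned reapply_sysctl = 1"
    else
        echo "FAIL: tuned reapply_sysctl is not 1 (apply the fix steps above)"
        rc=1
    fi
    return "$rc"
}

check_host
```

Run it as root on each overcloud node after the update and again after restarting tuned; a clean host prints two OK lines and exits 0.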