Hi there, hope everyone is doing well and staying safe. One of our DevOps engineers discovered that the end-users are able to view all our network interfaces on the master node. The end user should not be able to view or interact with these interfaces, and it is a huge security risk. More specifically, the issue is located under System Configuration > Network interfaces. This can be replicated on any KVM VPS. There is a drop-down called "Network bridge on host", and we don't want to show this to the customer because obviously we already configured KVM to use the bridge we need it to use, and all settings the user makes should be on that bridge. How can we disable this for the user? When they click the drop-down they can see all the bridges we have on the host, and this is a huge issue. Looking forward to hearing back. Thanks.
All interfaces on KVM host are visible to the customer
Status:
Active
Comments
Submitted by JamieCameron on Fri, 08/14/2020 - 01:20 Comment #1
To clarify, are these just bridges shown by the `brctl show` command on the host system? Or are more interfaces also shown?
Hi Jamie, we ran the `brctl show` command and the interfaces shown there are exactly what the user is seeing. If possible, we don't even want them to know the name of the default bridge, because this isn't useful information for them. All they care about is their internet working and routing properly; they don't care about any bridges, etc. Thanks.
Submitted by JamieCameron on Fri, 08/14/2020 - 21:30 Comment #3
You should be able to control which bridges the system owner can select, by editing the owner and going to Limits and restrictions -> Allowed bridges on host systems.
Hi Jamie, that works just fine; however, there is still a problem. We do not want to be setting this for every owner individually. How can we set it on the plan itself? There is no "Allowed bridges on host systems" option there. Looking forward to hearing back from you.
Submitted by JamieCameron on Tue, 08/18/2020 - 01:04 Comment #5
This isn't possible yet, but will be in the next Cloudmin release.
Thank you so much Jamie, and thanks for understanding. We will mark it as on hold in our task system. If you can provide us any ETA on it or updates, that would be appreciated.
Do you guys know which version specifically this is fixed in, so we know what to update to? Thanks!
Submitted by JamieCameron on Fri, 09/11/2020 - 17:42 Comment #8
It will be fixed in version 9.6.
Beautiful, thank you!
Any idea when version 9.6 will be released? This is a great security concern for us. Thank you.