OVH vRack Security Issue

tl;dr: OVH had an issue where your second network card was connected to other servers in the datacenter. This allowed you to run a DHCP server and offer a gateway. This also allows you to MITM several machines outbound traffic, I had 35 machines responding back with DHCP Leases and about 4 routing outbound traffic to me as their router.

Discovery

I was messing around with ESXi and had an internal network with pfsense as a router VM. Attached the second NIC and noticed I got a dozen replies from servers I did not own.

Probing

Dumped ESXi and installed debian. ran a normal dnsmasq with some NATing IPTable rules. turned it on for about 10 minutes and noticed servers where starting to route outbound traffic over my machine. quickly turned off NAT and pushed down new leases without a gateway (To fix the remote machines so it would not be impacting)

Traffic was mostly API calls to remote servers, like twitter and a few outbound emails. Overall had about 4 machines sending traffic over my interface

Report

Overall I discovered this issue on April 23rd 2017. the only main method of reporting a issue like this was on their bountyfactory.io project. I submitted it at 04:00 CEST and they responded by 11:00 CEST with

Hi, We have reviewed your report and we are able to understand the vulnerability submitted.

We will keep you informed immediately after evaluation. As said in the rules, please do not disclose your find publicly until you have received our approval. Regards, OVH security department.

At 14:00 CEST They responded with

It appear that your server Vrack has been wrongly configured. We have fix your case along with other customers impacted by this bug. We also have put a special monitoring to ensure that this bug never occur again.

Thanks for your report but it appear that it is out of scope as per rules. This means that you will not be eligible to monetary rewards.

As we have fix and modify our system following your report , you have been awarded a 100€ credit to be spend on OVH.COM. Could you give me you ovh client name (like aa123456-ovh) that I could credit ? With this credit, you would be able test dedicated servers, cdn, vrack, vmware managed private cloud, VPS, license, ip, sms and “.ovh” domain name.

Not bad, 17 hours to fix. I did respond with my OVH Handle, but I never did get the credit :( Also only 100 Euros for finding a way to MITM other customers machines was a little disappointing.

I do admit they do not have a posted bug bounty for internal security issues and it was nice of them to offer the credit to services in the first place.