Bug 1090132 (CVE-2014-0187)

Summary: CVE-2014-0187 openstack-neutron: security groups bypass through invalid CIDR
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abaron, agriffit, aortega, apevec, apevec, ayoung, chrisw, gkotton, gmollett, ihrachys, jlibosva, lhh, majopela, markmc, nyechiel, p, rbryant, rhos-maint, rk, sclewis, twilson, yeylon
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-17 04:48:39 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1090136, 1090137, 1099099, 1099103, 1099104    
Bug Blocks: 1090135    

Description Vincent Danen 2014-04-22 16:22:44 UTC 
OpenStack Security Advisory: 2014-014
CVE: CVE-2014-0187
Date: April 22, 2014
Title: Neutron security groups bypass through invalid CIDR
Reporters: Stephen Ma (HP) and Christoph Thiel (Deutsche Telekom)
Products: Neutron
Versions: 2013.1 to 2013.2.3, and 2014.1

Description:
Stephen Ma from Hewlett Packard and Christoph Thiel from Deutsche
Telekom reported a vulnerability in Neutron security groups. By creating
a security group rule with an invalid CIDR, an authenticated user may
break openvswitch-agent process, preventing further rules from being
applied on the host. Note: removal of the faulty rule is not enough, the
openvswitch-agent must be restarted. All Neutron setups using Open
vSwitch are affected.

Juno (development branch) fix:
https://review.openstack.org/59212

Icehouse fix:
https://review.openstack.org/88674

Havana fix:
https://review.openstack.org/88057

Notes:
This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.

References:
https://launchpad.net/bugs/1300785
Comment 2 Vincent Danen 2014-04-22 16:28:17 UTC 
Created openstack-neutron tracking bugs for this issue:

Affects: fedora-20 [bug 1090136]
Comment 3 Ihar Hrachyshka 2014-05-21 11:13:24 UTC 
This is a DoS security issue, you can break iptables-restore with it and effectively make later security rules created not working.

Steps to reproduce:
- neutron security-group-rule-create default --direction egress --protocol tcp --port-range-min 80 --port-range-max 80 --remote-ip-prefix /32
- observe that OVS agent crashes as in https://bugs.launchpad.net/neutron/+bug/1300785
- observe that any new security rules added are not applied to firewall tables.
Comment 4 Fedora Update System 2014-05-28 23:52:37 UTC 
openstack-neutron-2013.2.3-7.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 6 errata-xmlrpc 2014-07-17 04:28:11 UTC 
This issue has been addressed in following products:

  OpenStack 4 for RHEL 6

Via RHSA-2014:0899 https://rhn.redhat.com/errata/RHSA-2014-0899.html