Bug 1318553 (CVE-2016-2074)

Summary: CVE-2016-2074 openvswitch: MPLS buffer overflow vulnerability
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: abaron, aconole, amuller, apevec, atragler, bleanhar, carnil, ccoleman, chrisw, dallan, dmcphers, fleitner, gkotton, gmollett, jbenc, jialiu, jkeck, jmelvin, jokerman, jschluet, lhh, lmeyer, lpeer, markmc, mmccomas, nlevinki, ovs-team, rbryant, rcernin, rkhan, sclewis, security-response-team, slong, srevivo, tdawson, tdecacqu
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: openvswitch 2.5.0
Doc Type: Bug Fix
Doc Text:
A buffer overflow flaw was discovered in the OVS processing of MPLS labels. A remote attacker able to deliver a frame containing a malicious MPLS label that would be processed by OVS could trigger the flaw and use the resulting memory corruption to cause a denial of service (DoS) or, possibly, execute arbitrary code.
Story Points: ---
Last Closed: 2019-06-08 02:49:47 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1297820, 1319572, 1319573, 1319574, 1319575, 1319965, 1319966, 1320201, 1320202, 1320362, 1320363, 1321946, 1323320, 1323321, 1331227, 1358522
Bug Blocks: 1318555

Description Andrej Nemec 2016-03-17 08:45:34 UTC
Multiple versions of Open vSwitch are vulnerable to remote buffer
overflow attacks, in which crafted MPLS packets could overflow the
buffer reserved for MPLS labels in an OVS internal data structure.
The MPLS packets that trigger the vulnerability and the potential for
exploitation vary depending on version:

    - Open vSwitch 2.1.x and earlier are not vulnerable.

    - In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be
      exploited for arbitrary remote code execution.

    - In Open vSwitch 2.4.x, the MPLS buffer overflow does not
      obviously lead to a remote code execution exploit, but testing
      shows that it can allow a remote denial of service.

    - Open vSwitch 2.5.x is not vulnerable.

Mitigation
==========

For any version of Open vSwitch, preventing MPLS packets from reaching
Open vSwitch mitigates the vulnerability.  We do not recommend
attempting to mitigate the vulnerability this way because of the
following difficulties:

    - Open vSwitch obtains packets before the iptables host firewall,
      so iptables on the Open vSwitch host cannot ordinarily block the
      vulnerability.

    - If Open vSwitch is configured to support tunnels, MPLS packets
      encapsulated within tunnels must also be prevented from reaching
      the host.

    - If Open vSwitch runs on a hypervisor, MPLS packets from VMs can
      also trigger the vulnerability.

We believe that Open vSwitch 2.4 is subject to denial of service only
when debug logging is enabled.  By default, debug logging is not
enabled.  Users most commonly enable debug logging at runtime using
the "ovs-appctl" utility.  When this is the case, the buffer overflow
will crash the ovs-vswitchd daemon once, and then when it
automatically restarts debug logging will be disabled; thus, in this
situation, the vulnerability can only cause a single, brief
interruption in service.  Debug logging can also be enabled
persistently using a command-line flag; in this situation, a stream of
crafted MPLS packets could cause an extended denial of service.

Acknowledgments:

Name: the Open vSwitch project
Upstream: Kashyap Thimmaraju, Bhargava Shastry
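
The flaw described above is a copy of wire label stack entries into a fixed-size buffer with no capacity check. The following is an added example, not OVS code and not part of this bug report: a bounded MPLS label-stack parser in C that stores at most a hypothetical MAX_MPLS_LABELS entries, records that the wire stack was deeper instead of writing past the array, and rejects frames that end before a bottom-of-stack entry. The capacity of 3, the struct and function names, the frame builder and the constructed test frames are all assumptions of this example, not values taken from the advisory or from the OVS source.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity for this example only; the page does not give the size of
 * the OVS buffer, and nothing here is OVS code. */
#define MAX_MPLS_LABELS 3
#define ETH_HDR_LEN     14
#define MPLS_LSE_LEN    4
#define ETHTYPE_MPLS_UC 0x8847
#define ETHTYPE_MPLS_MC 0x8848
#define MPLS_BOS_MASK   0x00000100u /* bottom-of-stack bit of a label stack entry */

struct mpls_flow {
    uint32_t lse[MAX_MPLS_LABELS]; /* copied label stack entries, host byte order */
    size_t   n_stored;             /* entries actually written to lse[] */
    size_t   depth;                /* entries present on the wire */
    bool     truncated;            /* wire stack was deeper than lse[] */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Walk the label stack of an Ethernet/MPLS frame, copying at most
 * MAX_MPLS_LABELS entries.  Returns the depth seen on the wire, or -1 if the
 * frame is not MPLS or ends before a bottom-of-stack entry.  The bug class in
 * the advisory is this loop with "out->lse[out->depth++] = lse" and no capacity
 * check: the fourth and later labels would land past the end of lse[]. */
int parse_mpls_stack(const uint8_t *frame, size_t len, struct mpls_flow *out)
{
    memset(out, 0, sizeof *out);
    if (len < ETH_HDR_LEN) return -1;
    uint16_t ethertype = (uint16_t)((frame[12] << 8) | frame[13]);
    if (ethertype != ETHTYPE_MPLS_UC && ethertype != ETHTYPE_MPLS_MC) return -1;
    for (size_t off = ETH_HDR_LEN;; off += MPLS_LSE_LEN) {
        /* entry cut off, or no bottom-of-stack bit before the end of the frame */
        if (len - off < MPLS_LSE_LEN) return -1;
        uint32_t lse = get_be32(frame + off);
        out->depth++;
        if (out->n_stored < MAX_MPLS_LABELS) {
            out->lse[out->n_stored++] = lse; /* bounded write */
        } else {
            out->truncated = true;           /* count it, do not store it */
        }
        if (lse & MPLS_BOS_MASK) return (int)out->depth;
    }
}

/* Build a constructed test frame: zero MAC addresses, MPLS unicast ethertype,
 * n labels with TTL 64, bottom-of-stack set on the last entry when set_bos.
 * Returns the frame length, or 0 if buf cannot hold it. */
size_t build_mpls_frame(uint8_t *buf, size_t cap, const uint32_t *labels,
                        size_t n, bool set_bos)
{
    size_t need = ETH_HDR_LEN + n * MPLS_LSE_LEN;
    if (n == 0 || cap < need) return 0;
    memset(buf, 0, ETH_HDR_LEN);
    buf[12] = 0x88;
    buf[13] = 0x47;
    for (size_t i = 0; i < n; i++) {
        uint32_t lse = (labels[i] << 12) | 64u;
        if (set_bos && i + 1 == n) lse |= MPLS_BOS_MASK;
        uint8_t *p = buf + ETH_HDR_LEN + i * MPLS_LSE_LEN;
        p[0] = (uint8_t)(lse >> 24); p[1] = (uint8_t)(lse >> 16);
        p[2] = (uint8_t)(lse >> 8);  p[3] = (uint8_t)lse;
    }
    return need;
}

/* Demo helpers: parse a constructed n-label frame (n <= 8) and report one result. */
static int demo_run(size_t n, bool set_bos, struct mpls_flow *flow)
{
    static const uint32_t labels[8] = {16, 17, 18, 19, 20, 21, 22, 23};
    uint8_t frame[64];
    if (n > 8) return -1;
    size_t len = build_mpls_frame(frame, sizeof frame, labels, n, set_bos);
    return parse_mpls_stack(frame, len, flow);
}
int demo_depth(size_t n, bool set_bos) { struct mpls_flow f; return demo_run(n, set_bos, &f); }
size_t demo_stored(size_t n) { struct mpls_flow f; demo_run(n, true, &f); return f.n_stored; }
bool demo_truncated(size_t n) { struct mpls_flow f; demo_run(n, true, &f); return f.truncated; }

int main(void)
{
    printf("2 labels: depth=%d stored=%zu truncated=%d\n",
           demo_depth(2, true), demo_stored(2), demo_truncated(2));
    printf("6 labels: depth=%d stored=%zu truncated=%d (capacity %d)\n",
           demo_depth(6, true), demo_stored(6), demo_truncated(6), MAX_MPLS_LABELS);
    return 0;
}
```

The two properties worth keeping when hardening a parser like this are that the write index is the number of entries stored, never the number of entries seen, and that a stack deeper than the buffer is recorded (or the frame dropped) rather than silently parsed as if it fit. The advisory's note that 2.4.x crashes only with debug logging enabled is consistent with a write that lands in memory whose use depends on configuration, which is why a parser should not rely on where the overrun happens to land.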

Comment 14 Andrej Nemec 2016-03-29 12:37:37 UTC
Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 1321946]

Comment 16 errata-xmlrpc 2016-03-30 01:25:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7

Via RHSA-2016:0524 https://rhn.redhat.com/errata/RHSA-2016-0524.html

Comment 17 errata-xmlrpc 2016-03-30 01:26:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7

Via RHSA-2016:0523 https://rhn.redhat.com/errata/RHSA-2016-0523.html

Comment 18 errata-xmlrpc 2016-03-30 20:43:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7

Via RHSA-2016:0537 https://rhn.redhat.com/errata/RHSA-2016-0537.html

Comment 22 errata-xmlrpc 2016-04-11 18:54:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 3.1

Via RHSA-2016:0615 https://access.redhat.com/errata/RHSA-2016:0615