Bug 1318553 (CVE-2016-2074)
| Summary: | CVE-2016-2074 openvswitch: MPLS buffer overflow vulnerability | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abaron, aconole, amuller, apevec, atragler, bleanhar, carnil, ccoleman, chrisw, dallan, dmcphers, fleitner, gkotton, gmollett, jbenc, jialiu, jkeck, jmelvin, jokerman, jschluet, lhh, lmeyer, lpeer, markmc, mmccomas, nlevinki, ovs-team, rbryant, rcernin, rkhan, sclewis, security-response-team, slong, srevivo, tdawson, tdecacqu |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | openvswitch 2.5.0 | Doc Type: | Bug Fix |
| Doc Text: |
A buffer overflow flaw was discovered in the OVS processing of MPLS labels. A remote attacker able to deliver a frame containing a malicious MPLS label that would be processed by OVS could trigger the flaw and use the resulting memory corruption to cause a denial of service (DoS) or, possibly, execute arbitrary code.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-08 02:49:47 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1297820, 1319572, 1319573, 1319574, 1319575, 1319965, 1319966, 1320201, 1320202, 1320362, 1320363, 1321946, 1323320, 1323321, 1331227, 1358522 | ||
| Bug Blocks: | 1318555 | ||
The CVE is now public: http://openvswitch.org/pipermail/announce/2016-March/000082.html http://openvswitch.org/pipermail/announce/2016-March/000083.html fbl Created openvswitch tracking bugs for this issue: Affects: fedora-all [bug 1321946] This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7 Via RHSA-2016:0524 https://rhn.redhat.com/errata/RHSA-2016-0524.html This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7 Via RHSA-2016:0523 https://rhn.redhat.com/errata/RHSA-2016-0523.html This issue has been addressed in the following products: Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7 Via RHSA-2016:0537 https://rhn.redhat.com/errata/RHSA-2016-0537.html This issue has been addressed in the following products: Red Hat OpenShift Enterprise 3.1 Via RHSA-2016:0615 https://access.redhat.com/errata/RHSA-2016:0615 |
Multiple versions of Open vSwitch are vulnerable to remote buffer overflow attacks, in which crafted MPLS packets could overflow the buffer reserved for MPLS labels in an OVS internal data structure. The MPLS packets that trigger the vulnerability and the potential for exploitation vary depending on version: - Open vSwitch 2.1.x and earlier are not vulnerable. - In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be exploited for arbitrary remote code execution. - In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead to a remote code execution exploit, but testing shows that it can allow a remote denial of service. - Open vSwitch 2.5.x is not vulnerable. Mitigation ========== For any version of Open vSwitch, preventing MPLS packets from reaching Open vSwitch mitigates the vulnerability. We do not recommend attempting to mitigate the vulnerability this way because of the following difficulties: - Open vSwitch obtains packets before the iptables host firewall, so iptables on the Open vSwitch host cannot ordinarily block the vulnerability. - If Open vSwitch is configured to support tunnels, MPLS packets encapsulated within tunnels must also be prevented from reaching the host. - If Open vSwitch runs on a hypervisor, MPLS packets from VMs can also trigger the vulnerability. We believe that Open vSwitch 2.4 is subject to denial of service only when debug logging is enabled. By default, debug logging is not enabled. Users most commonly enable debug logging at runtime using the "ovs-appctl" utility. When this is the case, the buffer overflow will crash the ovs-vswitchd daemon once, and then when it automatically restarts debug logging will be disabled; thus, in this situation, the vulnerability can only cause a single, brief interruption in service. Debug logging can also be enabled persistently using a command-line flag; in this situation, a stream of crafted MPLS packets could cause an extended denial of service. Acknowledgments: Name: the Open vSwitch project Upstream: Kashyap Thimmaraju, Bhargava Shastry