Bug 1883988 (CVE-2020-25645)
| Field | Value |
|---|---|
| Summary | CVE-2020-25645 kernel: Geneve/IPsec traffic may be unencrypted between two Geneve endpoints |
| Product | [Other] Security Response |
| Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | acaringi, airlied, allarkin, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, mark.d.gray, masami256, mchehab, mcressma, mjg59, mlangsdo, mleitner, nmurray, pmatouse, ptalbert, qzhao, rt-maint, rvrbovsk, security-response-team, steved, williams |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | Linux kernel 5.9-rc7 |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in the Linux kernel. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, allowing anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2021-03-16 19:18:58 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1885994, 1884481, 1885144, 1885145, 1885146, 1885147, 1885148, 1886425 |
| Bug Blocks | 1879667 |
Description
Guilherme de Almeida Suckevicz 2020-09-30 16:51:25 UTC

Mitigation: A possible workaround for this flaw is to configure IPsec for all traffic between the endpoints, instead of specifically for the UDP port used by the GENEVE tunnels. If GENEVE tunnels are not used, this flaw will not be triggered. In that case, it is possible to disable those tunnels by unloading the "geneve" kernel module and blacklisting it (see https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules).

More detailed description (and keeping comment 0 short description too): A flaw was found in the Linux kernel's implementation of GENEVE tunnels combined with IPsec. When IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, the kernel isn't correctly routing tunneled data over the encrypted link and is sending the data unencrypted instead. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.

Acknowledgments: Name: Mark Gray (Red Hat), Sabrina Dubroca (Red Hat)

Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1886425]

This was resolved for Fedora with the 5.8.12 stable kernel updates.

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0856 https://access.redhat.com/errata/RHSA-2021:0856

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0857 https://access.redhat.com/errata/RHSA-2021:0857

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25645
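As an added illustration of the workaround above (not part of the bug report or of Red Hat's tooling), a small audit that parses `ip xfrm policy show` output and /proc/modules text to tell an IPsec policy scoped to the Geneve UDP port (the affected configuration) from one covering all traffic between the endpoints, and to report whether the geneve module is still loaded. The Geneve port 6081 is the IANA default and an assumption for your setup; both sample outputs are constructed.

```python
import re

GENEVE_UDP_PORT = 6081  # IANA-assigned Geneve port; pass another value if your tunnel uses one

# Constructed sample of `ip xfrm policy show` output (not from a real host): the first
# policy is scoped to the Geneve UDP port, the second covers all traffic between the peers.
SAMPLE_XFRM_POLICY = """\
src 10.0.0.1/32 dst 10.0.0.2/32 proto udp dport 6081
\tdir out priority 0 ptype main
\ttmpl src 10.0.0.1 dst 10.0.0.2
\t\tproto esp reqid 1 mode transport
src 10.0.1.1/32 dst 10.0.1.2/32
\tdir out priority 0 ptype main
\ttmpl src 10.0.1.1 dst 10.0.1.2
\t\tproto esp reqid 2 mode transport
"""
# Constructed sample of /proc/modules (fields: name size refcount deps state address).
SAMPLE_PROC_MODULES = "geneve 28672 0 - Live 0x0000000000000000\nesp4 16384 2 - Live 0x0000000000000000\n"


def parse_xfrm_policies(text):
    """One dict per top-level selector line ('src A dst B [proto P] [sport S] [dport D]'),
    plus its direction from the following 'dir' line. The indented 'tmpl src' line is not a selector."""
    policies = []
    for line in text.splitlines():
        if line.startswith("src "):
            policies.append(dict(re.findall(r"(\w+) (\S+)", line)))
        elif line.strip().startswith("dir ") and policies:
            policies[-1]["dir"] = line.split()[1]
    return policies


def scoped_to_geneve_port(policy, port=GENEVE_UDP_PORT):
    """True when the selector matches only the Geneve UDP port instead of all traffic."""
    return policy.get("proto") == "udp" and str(port) in (policy.get("sport"), policy.get("dport"))


def audit_geneve_ipsec(text, port=GENEVE_UDP_PORT):
    """Return (port_scoped, all_traffic): port-scoped policies are the configuration
    CVE-2020-25645 affects on unfixed kernels; all-traffic ones are the advisory's workaround."""
    policies = parse_xfrm_policies(text)
    return ([p for p in policies if scoped_to_geneve_port(p, port)],
            [p for p in policies if "proto" not in p])


def geneve_module_loaded(proc_modules):
    """True if 'geneve' is listed as a module name, i.e. the tunnel driver is still loaded."""
    return any(l.split()[0] == "geneve" for l in proc_modules.splitlines() if l.strip())
```

On a live host, feed `audit_geneve_ipsec` the output of `ip xfrm policy show` and `geneve_module_loaded` the contents of /proc/modules; a non-empty port-scoped list on a kernel older than the fixed version is the configuration the advisory describes.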