Bug 1883988 (CVE-2020-25645)

Summary: CVE-2020-25645 kernel: Geneve/IPsec traffic may be unencrypted between two Geneve endpoints
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: acaringi, airlied, allarkin, bhu, blc, bmasney, brdeoliv, bskeggs, dhoward, dvlasenk, esammons, fhrbata, hdegoede, hkrzesin, iboverma, ichavero, itamar, jarodwilson, jeremy, jforbes, jglisse, jlelli, john.j5live, jonathan, josef, jross, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, mark.d.gray, masami256, mchehab, mcressma, mjg59, mlangsdo, mleitner, nmurray, pmatouse, ptalbert, qzhao, rt-maint, rvrbovsk, security-response-team, steved, williams
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Linux kernel 5.9-rc7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-16 19:18:58 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1885994, 1884481, 1885144, 1885145, 1885146, 1885147, 1885148, 1886425
Bug Blocks: 1879667

Description Guilherme de Almeida Suckevicz 2020-09-30 16:51:25 UTC
A flaw was found in the Linux kernel's implementation of GENEVE tunnels combined with IPsec. The traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.

Reference and upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=34beb21594519ce64a55a498c2fe7d567bc1ca20

Comment 8 Alex 2020-10-06 10:58:01 UTC
Mitigation:

A possible workaround for this flaw is to configure IPsec for all traffic between the endpoints, instead of specifically for the UDP port used by the GENEVE tunnels. If GENEVE tunnels are not used, this flaw will not be triggered. In that case, it is possible to disable those tunnels, by unloading the "geneve" kernel module and blacklisting it (See https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules).
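
The mitigation above contrasts two ways of scoping the IPsec policy. As an added example (it is not part of the bug report and not Red Hat or kernel code), the following POSIX shell script prints the port-scoped `ip xfrm policy` pair this flaw affects next to the host-wide pair the workaround recommends, and provides two small audit helpers that read `ip xfrm policy` and `lsmod` output to flag the affected pattern. The endpoint addresses, the reqid values, the modprobe file name and the sample command outputs embedded below are constructed for illustration; 6081 is assumed as the Geneve UDP port (the IANA default), so adjust it if the tunnel uses another port.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any Red Hat tooling.
# It contrasts the port-scoped IPsec policy this flaw affects with the
# host-wide policy the mitigation recommends, and audits `ip xfrm policy`
# and `lsmod` output for the affected pattern. Endpoint addresses, reqids,
# the modprobe file name and the sample outputs are constructed; 6081 is
# assumed as the Geneve UDP port (the IANA default).

GENEVE_PORT=6081
A=192.0.2.1   # assumed endpoint addresses (documentation range)
B=192.0.2.2

# Port-scoped policy: ESP applies only to packets whose selector, including
# the UDP port, matches. This is the configuration the flaw affects: on an
# unfixed kernel, Geneve-tunnelled packets may not be matched against it
# and leave the host unencrypted.
print_port_scoped_policy() {
    cat <<EOF
ip xfrm policy add src $A dst $B proto udp dport $GENEVE_PORT dir out tmpl src $A dst $B proto esp mode transport
ip xfrm policy add src $B dst $A proto udp dport $GENEVE_PORT dir in tmpl src $B dst $A proto esp mode transport
EOF
}

# Host-wide policy (the workaround from the mitigation): every packet
# between the two endpoints must match the ESP template, whatever its ports.
print_host_wide_policy() {
    cat <<EOF
ip xfrm policy add src $A dst $B dir out tmpl src $A dst $B proto esp mode transport
ip xfrm policy add src $B dst $A dir in tmpl src $B dst $A proto esp mode transport
EOF
}

# Audit: read `ip xfrm policy` output on stdin and print each selector line
# that narrows the policy to a UDP port (sport or dport). These are the
# policies that Geneve traffic can bypass on an unfixed kernel.
audit_xfrm_policy() {
    awk '/^src / && /proto udp/ && (/ dport / || / sport /) { print }'
}

# Read `lsmod` output on stdin; succeed only if the geneve module is loaded.
geneve_loaded() {
    awk '$1 == "geneve" { found = 1 } END { exit !found }'
}

# modprobe.d fragment that keeps geneve from loading on hosts that do not
# need it (the file name is an assumption; see the Red Hat solution linked
# in the mitigation for the general procedure).
print_geneve_blacklist() {
    cat <<EOF
# /etc/modprobe.d/geneve-blacklist.conf
blacklist geneve
install geneve /bin/false
EOF
}

# Constructed sample `ip xfrm policy` output: two port-scoped policies for
# the Geneve port and one host-wide policy for another pair of endpoints.
SAMPLE_XFRM_POLICY='src 192.0.2.1/32 dst 192.0.2.2/32 proto udp dport 6081
    dir out priority 0
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 1 mode transport
src 192.0.2.2/32 dst 192.0.2.1/32 proto udp dport 6081
    dir in priority 0
    tmpl src 192.0.2.2 dst 192.0.2.1
        proto esp reqid 1 mode transport
src 198.51.100.1/32 dst 198.51.100.2/32
    dir out priority 0
    tmpl src 198.51.100.1 dst 198.51.100.2
        proto esp reqid 2 mode transport'

# Constructed sample `lsmod` output with the geneve module loaded.
SAMPLE_LSMOD='Module                  Size  Used by
geneve                 28672  0
udp_tunnel             16384  1 geneve'

# On a live host (needs root, xfrm support and iproute2) the same helpers
# would be fed from the real commands:
#   ip xfrm policy | audit_xfrm_policy
#   lsmod | geneve_loaded && echo "geneve is loaded"
printf '%s\n' "$SAMPLE_XFRM_POLICY" | audit_xfrm_policy
printf '%s\n' "$SAMPLE_LSMOD" | geneve_loaded && echo "geneve is loaded"
```

A selector printed by `audit_xfrm_policy` means the policy relies on the UDP port to pick out Geneve traffic, which is exactly what an unfixed kernel may fail to apply; either replace that pair with the host-wide form or update the kernel. The host-wide policy also covers every other packet between the two hosts, which is what makes it a safe substitute here, and the blacklist fragment is only appropriate on hosts that do not use Geneve at all.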

Comment 9 Alex 2020-10-06 11:01:38 UTC
More detailed description (and keeping comment 0 short description too):

A flaw was found in the Linux kernel's implementation of GENEVE tunnels combined with IPsec. When IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, the kernel isn't correctly routing tunneled data over the encrypted link, and is sending the data unencrypted instead. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.

Comment 12 Petr Matousek 2020-10-08 12:29:17 UTC
Acknowledgments:

Name: Mark Gray (Red Hat), Sabrina Dubroca (Red Hat)

Comment 13 Petr Matousek 2020-10-08 12:29:58 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1886425]

Comment 14 Justin M. Forbes 2020-10-08 18:46:04 UTC
This was resolved for Fedora with the 5.8.12 stable kernel updates.

Comment 18 errata-xmlrpc 2021-03-16 13:50:59 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0856 https://access.redhat.com/errata/RHSA-2021:0856

Comment 19 errata-xmlrpc 2021-03-16 13:51:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:0857 https://access.redhat.com/errata/RHSA-2021:0857

Comment 20 Product Security DevOps Team 2021-03-16 19:18:58 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25645