Bug 1934330 (CVE-2021-20267)

Summary: CVE-2021-20267 openstack-neutron: Anti-spoofing bypass using Open vSwitch
Product: [Other] Security Response
Reporter: Summer Long <slong>
Component: vulnerability
Assignee: Nobody <nobody>
Status: MODIFIED ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: chrisw, dbecker, jjoyce, jschluet, lhh, lpeer, mburns, rhos-maint, sclewis, scohen, skaplons, slinaber, srevivo
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: neutron 15.3.3, neutron 16.3.1, neutron 17.1.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the Open vSwitch firewall driver are affected. Source: OpenStack project
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1934331, 1934332, 1934333, 2003423
Bug Blocks: 1895763

Description Summer Long 2021-03-03 01:46:52 UTC
VMs can send ICMPv6 Neighbor Advertisement packets with no check on their content to mis-direct traffic to them (source address spoofing).
Pre-condition: two running VMs in the same L2 flat network with IPv6 connectivity

Upstream bug: https://bugs.launchpad.net/neutron/+bug/1902917
Upstream patch: https://review.opendev.org/c/openstack/neutron/+/776599

See also: https://bugzilla.redhat.com/show_bug.cgi?id=1345892 (same issue but for OpenVSwitch driver instead of iptables)
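
The content check that the description says is missing, sketched as an added illustration (this is not Neutron's code and not the upstream patch): it parses the ICMPv6 body of a Neighbor Advertisement and accepts it only when the advertised target address belongs to the sending port. The names `parse_na`, `na_allowed` and `sample_na`, the 2001:db8:: addresses and the MAC values are assumptions made for the example.

```python
import ipaddress
import struct

ND_NEIGHBOR_ADVERT = 136  # ICMPv6 type (RFC 4861, section 4.4)
OPT_TARGET_LLADDR = 2     # Target Link-Layer Address option


def parse_na(icmp6: bytes):
    """Return (target_ip, target_mac or None) from an ICMPv6 NA message."""
    if len(icmp6) < 24:
        raise ValueError("truncated Neighbor Advertisement")
    msg_type, code, _cksum, _flags = struct.unpack("!BBHI", icmp6[:8])
    if msg_type != ND_NEIGHBOR_ADVERT or code != 0:
        raise ValueError("not a Neighbor Advertisement")
    target = ipaddress.IPv6Address(icmp6[8:24])
    mac, off = None, 24
    while off + 2 <= len(icmp6):
        # Option length is counted in units of 8 octets; zero is invalid.
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed ND option")
        if opt_type == OPT_TARGET_LLADDR and opt_len == 8:
            mac = icmp6[off + 2:off + 8].hex(":")
        off += opt_len
    if off != len(icmp6):
        raise ValueError("trailing bytes after ND options")
    return target, mac


def na_allowed(icmp6: bytes, port_ips, port_mac: str) -> bool:
    """True only if the NA advertises an address (and MAC) owned by the port."""
    try:
        target, mac = parse_na(icmp6)
    except ValueError:
        return False  # malformed packets are dropped, not passed
    allowed = {ipaddress.IPv6Address(ip) for ip in port_ips}
    # Assumption: an NA without a link-layer option is accepted if the target matches.
    return target in allowed and mac in (None, port_mac.lower())


def sample_na(target: str, mac: str) -> bytes:
    """Constructed sample input: NA body (checksum left at 0) with one option."""
    body = struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0, 0x60000000)
    body += ipaddress.IPv6Address(target).packed
    return body + bytes([OPT_TARGET_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))
```

The check covers only the ICMPv6 body; the source address in the IPv6 header and the Ethernet source MAC need their own match against the port.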

Comment 2 Summer Long 2021-03-03 01:48:21 UTC
Created openstack-neutron tracking bugs for this issue:

Affects: openstack-rdo [bug 1934331]

Comment 7 Summer Long 2021-03-05 02:37:06 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 11 Slawek Kaplonski 2021-05-19 10:06:01 UTC
*** Bug 1962090 has been marked as a duplicate of this bug. ***

Comment 12 Slawek Kaplonski 2021-05-19 10:06:11 UTC
*** Bug 1962091 has been marked as a duplicate of this bug. ***

Comment 13 Slawek Kaplonski 2021-05-19 10:06:13 UTC
*** Bug 1962092 has been marked as a duplicate of this bug. ***

Comment 17 Slawek Kaplonski 2021-06-09 10:34:36 UTC
Fix included also in openstack-neutron-12.1.1-44.el7ost for OSP-13.0 already