Bug 1998052 (CVE-2021-40085)

Summary: CVE-2021-40085 openstack-neutron: arbitrary dnsmasq reconfiguration via extra_dhcp_opts
Product: [Other] Security Response Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, bcafarel, bibryam, chazlett, chrisw, dalvarez, dbecker, drieden, ggaughan, hbraun, janstey, jjoyce, jochrist, jschluet, lhh, lpeer, mburns, mkaplan, pantinor, rhos-maint, sclewis, scohen, security-response-team, slinaber, slong, srevivo
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: neutron 16.4.1, neutron 17.2.1, neutron 18.1.1 Doc Type: If docs needed, set a value
Doc Text:
An input-validation flaw was found in openstack-neutron, where an authenticated attacker could change the dnsmasq configuration. By crafting extra_dhcp_opts values, the attacker could crash the dnsmasq, change parameters for tenants sharing the same interface, or otherwise alter that daemon’s behavior. This flaw might also be used to trigger a configuration parsing buffer overflow in versions of dnsmasq prior to 2.81. The highest threat from this vulnerability is to system availability, but also threatens data confidentiality and integrity.
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-09-10 00:21:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1999832, 1999919, 1999920, 2000015, 2000785    
Bug Blocks: 1998050    

Description Dhananjay Arunesh 2021-08-26 11:08:35 UTC
By supplying a specially crafted extra_dhcp_opts value, an authenticated user may add arbitrary configuration to the dnsmasq process in order to crash the service, change parameters for other tenants sharing the same interface, or otherwise alter that daemon's behavior. Thi vulnerability may also be used to trigger a configuration parsing buffer overflow in versions of dnsmasq prior to 2.81, which could lead to remote code execution. All Neutron deployments are affected.

References:
https://launchpad.net/bugs/1939733

Comment 1 Guilherme de Almeida Suckevicz 2021-08-31 19:00:06 UTC
Created openstack-neutron tracking bugs for this issue:

Affects: openstack-rdo [bug 1999832]

Comment 2 Summer Long 2021-09-01 01:21:55 UTC
*** Bug 1997808 has been marked as a duplicate of this bug. ***

Comment 3 Summer Long 2021-09-01 01:35:34 UTC
Upstream patches:
    https://review.opendev.org/806750 (Ussuri)
    https://review.opendev.org/806749 (Victoria)
    https://review.opendev.org/806748 (Wallaby)
    https://review.opendev.org/806746 (Xena)

Comment 14 errata-xmlrpc 2021-09-09 14:04:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1

Via RHSA-2021:3481 https://access.redhat.com/errata/RHSA-2021:3481

Comment 15 Product Security DevOps Team 2021-09-10 00:21:09 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-40085

Comment 16 errata-xmlrpc 2021-09-13 10:25:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2021:3502 https://access.redhat.com/errata/RHSA-2021:3502

Comment 17 errata-xmlrpc 2021-09-13 10:36:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 - ELS
  Red Hat OpenStack Platform 13.0 (Queens) for RHEL 7.6 EUS

Via RHSA-2021:3503 https://access.redhat.com/errata/RHSA-2021:3503

Comment 18 errata-xmlrpc 2021-09-15 06:39:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.2

Via RHSA-2021:3488 https://access.redhat.com/errata/RHSA-2021:3488