Bug 2006347 (CVE-2023-5366)
| Field | Value |
|---|---|
| Summary | CVE-2023-5366 openvswitch: openvswitch don't match packets on nd_target field |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Marian Rehak <mrehak> |
| Assignee | Nobody <nobody> |
| Status | NEW |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| CC | aconole, amusil, apevec, bmontgom, chrisw, ctrautma, dbecker, dfreiber, echaudro, eglynn, eparis, fleitner, jburrell, jhsiao, jjoyce, jschluet, ktraynor, lhh, lpeer, mburman, mburns, mgarciac, michal.skrivanek, mperina, nobody, nstielau, ovs-triage, pgrist, ralongi, rgatica, rkhan, rogbas, sclewis, security-response-team, sfowler, slinaber, sponnaga, tredaelli, vkumar |
| Doc Text | A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses. |
| Bug Depends On | 2009029, 2009030, 2009025, 2009026, 2009027, 2009028, 2009031, 2010893, 2010894, 2010895, 2010896, 2010897, 2010898, 2010899, 2010900, 2014973, 2014974, 2014975, 2240831 |
| Bug Blocks | 2006348 |

Description
Marian Rehak
2021-09-21 14:07:48 UTC
Any update?

Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 2240831]

I don't have access to the original bug (bz#2005408). It seems this problem has been solved by the commit below:

https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c

Do you have a reproducer to verify the fix?

Thanks
fbl

I don't. Rob, switching the needinfo to you as the task owner.

Flavio - I added you to the bz, there is a reproducer available there.

*** Bug 2240833 has been marked as a duplicate of this bug. ***

Important note about this issue - there are really two issues with the test and results.

First, there was a bug which we resolved with commit https://github.com/openvswitch/ovs/commit/61a1f14b26be12b5643f00e1fa24f08f5ff418ee which also addresses one issue with matching an nd_target - that of an overbroad match. That is probably what could be considered as the bigger security issue because it would make IPv6 packet movement able to be controlled by a malicious attacker who knows what the rules look like.

Second, there is an issue with the OpenFlow spec that doesn't specify required matching on both icmp_type and icmp_code, rather it only specifies icmp_type as the required match - however, that is really a bug. ICMP type and code are required to properly flag a neighbor discovery packet. Our products, and most products afaik will generate matches on both icmp_type and icmp_code, so for most deployments, it won't likely be hit. However, I recently did post a possible workaround to the ovs security mailing list and we are debating the right way to implement the workaround. Unfortunately, because it is really an issue with the spec, we need to make a decision and hope that a future version of the spec doesn't make our fix incompatible, so there is some discussion.

When the icmp_type + icmp_code masking patch gets accepted, I'll update this bz.

Correction - the correct commit is: https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c
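
The comments above note that a neighbor discovery match needs both icmp_type and icmp_code. As an added example (not from this bug report or the Open vSwitch project), the Python script below audits flow-rule text for nd_target matches that lack either field; the rule-line layout it parses and the sample rules are constructed assumptions.

```python
# Added example: audit OpenFlow rule text for nd_target matches that do not
# also pin icmp_type and icmp_code. Rule layout and sample rules are assumptions.

# Constructed rules in ovs-ofctl match syntax (not taken from the bug report).
SAMPLE_RULES = """\
priority=100,icmp6,in_port=1,icmp_type=136,icmp_code=0,nd_target=fe80::1 actions=output:2
priority=100,icmp6,in_port=2,icmp_type=136,nd_target=fe80::2 actions=output:1
priority=90,icmp6,in_port=3,nd_target=fe80::3 actions=drop
priority=0 actions=NORMAL
"""

ND_TYPES = {"135", "136"}  # Neighbor Solicitation / Advertisement (RFC 4861)
ND_CODE = "0"              # both message types use code 0


def parse_match(line):
    """Return the match fields of one rule line as a dict.

    Assumes the match is the last whitespace-free, comma-separated token
    before " actions=", which also skips the statistics columns that
    precede it in a flow dump.
    """
    head = line.split(" actions=", 1)[0].split()
    fields = {}
    for token in (head[-1].split(",") if head else []):
        key, _, value = token.partition("=")
        if key:
            fields[key] = value or None  # bare keywords such as icmp6
    return fields


def audit(rule_text):
    """List (line_no, nd_target, missing_fields) for incomplete ND matches."""
    findings = []
    for line_no, line in enumerate(rule_text.splitlines(), 1):
        match = parse_match(line)
        if "nd_target" not in match:
            continue
        missing = []
        if match.get("icmp_type") not in ND_TYPES:
            missing.append("icmp_type")
        if match.get("icmp_code") != ND_CODE:
            missing.append("icmp_code")
        if missing:
            findings.append((line_no, match["nd_target"], missing))
    return findings


if __name__ == "__main__":
    for line_no, target, missing in audit(SAMPLE_RULES):
        print(f"line {line_no}: nd_target={target} lacks {', '.join(missing)}")
```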