Bug 2267840 (CVE-2024-2182)

Summary: CVE-2024-2182 ovn: insufficient validation of BFD packets may lead to denial of service
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: dfreiber, drow, echaudro, fleitner, jburrell, ktraynor, musman, rkhan, security-response-team, sidakwo, vkumar
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: ovn 22.03.7, ovn 23.03.3, ovn 23.06.3, ovn 23.09.3, ovn 24.03.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Open Virtual Network (OVN). In OVN clusters where BFD is used between hypervisors for high availability, an attacker can inject specially crafted BFD packets from inside unprivileged workloads, including virtual machines or containers, that can trigger a denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2269176
Bug Blocks: 2267837

Description Robb Gatica 2024-03-05 00:59:43 UTC
Summary: 
An issue was reported concerning the lack of sufficient validation of BFD packets when processed in an Open Virtual Network (OVN) cluster. Specifically, there is a failure to check that BFD traffic is not actually generated by unprivileged cluster workloads (VMs/containers). It can be triggered by crafting and injecting specific BFD packets from inside unprivileged workloads (VMs/containers).

Attack scenario:
In an OVN cluster with at least two nodes (hypervisors) where BFD is used between hypervisors for high availability (a common configuration with RH OpenStack deployments), a VM running in a tenant network can trigger the attack by injecting specific BFD packets that advertise the BFD session as being "down". The source and destination IPs and MACs of these packets can be those of the VM and another VM in the same tenant network. These packets are allowed today because under normal operation it's expected that a VM can access other VMs in the same tenant network. Such packets will bring down the BFD session and will impact traffic forwarding (DoS) between all other tenants in the OVN cluster.

Affected versions:
All current versions of OVN back to 20.03.0. Per the reporter, a fix has been developed and is ready to be applied.
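The description above boils down to one missing check: a BFD control packet (RFC 5880) was allowed to drive the hypervisor-to-hypervisor session state even when it had been generated by a tenant VM rather than received from the peer hypervisor. The following is an added illustration, not OVN's code and not the actual upstream fix: it decodes the mandatory 24-byte BFD control section, applies the discard rules from RFC 5880 section 6.8.6, and then applies an origin rule in which BFD that did not arrive on the tunnel side, or from a known peer address, is dropped before its advertised state (here a "Down" announcement) can be acted on. The `RxContext.from_tunnel` field, the `check_bfd_origin` verdict strings, the peer address 192.0.2.11 and the tenant address 10.0.0.5 are all assumed names and constructed sample values.

```python
"""BFD control-packet parser plus an origin check.  Added illustration of
the validation this bug is about; it is not OVN code and not the upstream
patch.  RxContext, check_bfd_origin and the sample addresses are assumed."""
import struct
from dataclasses import dataclass

BFD_CTRL_LEN = 24      # mandatory section of a BFD control packet (RFC 5880 4.1)
BFD_UDP_PORT = 3784    # single-hop BFD control destination port (RFC 5881)
BFD_STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}


@dataclass(frozen=True)
class BfdControl:
    version: int
    diag: int
    state: int
    flags: int
    detect_mult: int
    length: int
    my_disc: int
    your_disc: int
    desired_min_tx: int
    required_min_rx: int
    required_min_echo_rx: int

    @property
    def state_name(self) -> str:
        return BFD_STATES[self.state]


def parse_bfd_control(payload: bytes) -> BfdControl:
    """Decode the RFC 5880 mandatory section and apply its discard rules.
    Raises ValueError for anything section 6.8.6 says must be dropped."""
    if len(payload) < BFD_CTRL_LEN:
        raise ValueError("short BFD control packet")
    (b0, b1, detect_mult, length, my_disc, your_disc,
     tx, rx, echo) = struct.unpack("!BBBBIIIII", payload[:BFD_CTRL_LEN])
    version, diag = b0 >> 5, b0 & 0x1F        # Vers(3) | Diag(5)
    state, flags = b1 >> 6, b1 & 0x3F         # Sta(2)  | P F C A D M
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    if length < BFD_CTRL_LEN or length > len(payload):
        raise ValueError("bad length field")
    if detect_mult == 0:
        raise ValueError("detect multiplier must be non-zero")
    if my_disc == 0:
        raise ValueError("my discriminator must be non-zero")
    return BfdControl(version, diag, state, flags, detect_mult, length,
                      my_disc, your_disc, tx, rx, echo)


@dataclass(frozen=True)
class RxContext:
    """Receive metadata as the datapath knows it (assumed names).
    from_tunnel is True when the frame arrived on the hypervisor's tunnel /
    physical side, False when it came in from a logical switch port, i.e.
    from a VM or container."""
    from_tunnel: bool
    src_ip: str
    udp_dst: int


def check_bfd_origin(ctx: RxContext, payload: bytes, peers: set[str]) -> str:
    """Return 'accept' or 'drop:<reason>'.  The rule that matters for this
    bug is the tenant-origin one: BFD that did not come from the tunnel side
    never reaches the session state machine, whatever state it advertises."""
    if ctx.udp_dst != BFD_UDP_PORT:
        return "drop:not-bfd"
    if not ctx.from_tunnel:
        return "drop:tenant-origin"
    if ctx.src_ip not in peers:
        return "drop:unknown-peer"
    try:
        parse_bfd_control(payload)
    except ValueError:
        return "drop:malformed"
    return "accept"


def sample_bfd(state: int, my_disc: int = 0x1234, your_disc: int = 0x5678) -> bytes:
    """Constructed sample control packet: version 1, no diag, no flags,
    detect multiplier 3, 1 s TX/RX intervals, no echo."""
    return struct.pack("!BBBBIIIII", 1 << 5, state << 6, 3, BFD_CTRL_LEN,
                       my_disc, your_disc, 1_000_000, 1_000_000, 0)


if __name__ == "__main__":
    peers = {"192.0.2.11"}      # constructed: the peer hypervisor's tunnel endpoint
    down = sample_bfd(1)        # a packet advertising the session as Down
    print(parse_bfd_control(down).state_name)
    # Identical bytes seen from a tenant logical port: dropped before the
    # state machine sees the Down announcement.
    print(check_bfd_origin(RxContext(False, "10.0.0.5", BFD_UDP_PORT), down, peers))
    # Identical bytes from the real peer over the tunnel: processed normally.
    print(check_bfd_origin(RxContext(True, "192.0.2.11", BFD_UDP_PORT), down, peers))
```

The point of ordering the checks this way is that the origin test happens before the packet contents are interpreted at all: a well-formed "Down" packet from a tenant port is rejected for where it came from, not for what it says, which is what makes the source/destination addresses the description mentions irrelevant to the decision.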

Comment 4 Anten Skrabec 2024-03-12 15:40:08 UTC
Created ovn tracking bugs for this issue:

Affects: fedora-all [bug 2269176]

Comment 25 errata-xmlrpc 2024-06-20 16:22:41 UTC
This issue has been addressed in the following products:

  Fast Datapath for Red Hat Enterprise Linux 8

Via RHSA-2024:4035 https://access.redhat.com/errata/RHSA-2024:4035