Bug 1962092 - Anti-spoofing bypass using Open vSwitch (CVE-2021-20267)
Summary: Anti-spoofing bypass using Open vSwitch (CVE-2021-20267)
Status: CLOSED DUPLICATE of bug 1934330
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ---
Assignee: RHOS Maint
QA Contact: Eran Kuris
Depends On: 1962091
TreeView+ depends on / blocked
Reported: 2021-05-19 09:59 UTC by Slawek Kaplonski
Modified: 2022-08-18 16:38 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1962091
Last Closed: 2021-05-19 10:06:17 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker OSP-3990 0 None None None 2022-08-18 16:38:58 UTC

Description Slawek Kaplonski 2021-05-19 09:59:12 UTC
+++ This bug was initially created as a clone of Bug #1962091 +++

+++ This bug was initially created as a clone of Bug #1962090 +++

Copy from LP:

"Using Open vSwitch on an ussuri setup with neutron 16.0.0, VMs can send ICMPv6 Neighbor Advertisement packets with no check on their content to mis-direct traffic to them.

This looks a lot like https://bugs.launchpad.net/neutron/+bug/1502933 except it affects Open vSwitch driver rather than iptables.


- two running VMs in the same L2 flat network with IPv6 connectivity

How to reproduce:

- manually add a custom IPv6 on one (e.g. `ip -6 address add fe80::42/64 dev eth0`)
- ping it from the other, expecting no answer (e.g. `ping -c1 -w1 "fe80::42%eth0"`)
- confirm it updated its neighbor table (e.g. `ip -6 neigh get fe80::42/64 dev eth0`)

Expected behavior:

- VMs should not be able to advertise IPv6 addresses that are not assigned to them e.g. through neighbor advertisement packets.

Affected versions:

The Openstack version I am using is Ussuri with neutron 16.0.0, with minor changes on commit df5b28c2e5. From a quick review of the diff with master, I think the issue is also present there. Network part is using Open vSwitch on flat network with Xen 4.13 as hypervisor.

Similarly, UDP packets using DHCP query ports (for DHCP v4 or v6) can be sent with arbitrary IP and MAC addresses.
And I think we are fine for other ICMP types (redirect, router renumbering for ICMPv6) as I did not managed to have such packets sent between VMs but I fail to understand how it gets filtered.

I am attaching a couple patches that I think fix the issues but include no tests and include changes that we may want to avoid (in case plugins out of neutron git repo use firewall.ICMPV6_ALLOWED_EGRESS_TYPES).

Comment 1 Slawek Kaplonski 2021-05-19 10:06:17 UTC

*** This bug has been marked as a duplicate of bug 1934330 ***

Note You need to log in before you can comment on or make changes to this bug.