Bug 2006347 (CVE-2023-5366) - CVE-2023-5366 openvswitch: openvswitch don't match packets on nd_target field
Summary: CVE-2023-5366 openvswitch: openvswitch don't match packets on nd_target field
Keywords:
Status: NEW
Alias: CVE-2023-5366
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Duplicates: 2240833
Depends On: 2009029 2009030 2009025 2009026 2009027 2009028 2009031 2010893 2010894 2010895 2010896 2010897 2010898 2010899 2010900 2014973 2014974 2014975 2240831
Blocks: 2006348
Reported: 2021-09-21 14:07 UTC by Marian Rehak
Modified: 2024-03-13 11:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Marian Rehak 2021-09-21 14:07:48 UTC
It is possible that VMs can send ICMPv6 Neighbor Advertisement packets to mis-direct traffic to them. It needs to first send a packet with the correct IP address in the nd_target field and quickly after that send a packet with a spoofed IP address.

Reference:

https://bugzilla.redhat.com/show_bug.cgi?id=2005408

Comment 7 Sandro Bonazzola 2022-05-03 15:12:18 UTC
Any update?

Comment 15 Robb Gatica 2023-09-26 20:16:36 UTC
Created openvswitch tracking bugs for this issue:

Affects: fedora-all [bug 2240831]

Comment 16 Flavio Leitner 2023-09-29 19:34:23 UTC
I don't have access to the original bug (bz#2005408).
It seems this problem has been solved by the commit below:
https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c

Do you have a reproducer to verify the fix?

Thanks
fbl

Comment 17 Marian Rehak 2023-10-03 11:54:00 UTC
I don't. Rob, switching the needinfo to you as the task owner.

Comment 18 Robb Gatica 2023-10-03 19:10:36 UTC
Flavio - 

I added you to the bz, there is a reproducer available there.

Comment 19 Robb Gatica 2023-10-03 19:12:47 UTC
*** Bug 2240833 has been marked as a duplicate of this bug. ***

Comment 20 Aaron Conole 2023-10-31 20:07:07 UTC
Important note about this issue - there are really two issues with the test and results.

First, there was a bug which we resolved with commit 
https://github.com/openvswitch/ovs/commit/61a1f14b26be12b5643f00e1fa24f08f5ff418ee which
also addresses one issue with matching an nd_target - that of an overbroad match. That
is probably what could be considered as the bigger security issue because it would make
IPv6 packet movement able to be controlled by a malicious attacker who knows what the
rules look like.

Second, there is an issue with the OpenFlow spec that doesn't specify required matching
on both icmp_type and icmp_code, rather it only specifies icmp_type as the required
match - however, that is really a bug. ICMP type and code are required to properly flag
a neighbor discovery packet. Our products, and most products afaik will generate matches
on both icmp_type and icmp_code, so for most deployments, it won't likely be hit.
However, I recently did post a possible workaround to the ovs security mailing list and
we are debating the right way to implement the workaround. Unfortunately, because it is
really an issue with the spec, we need to make a decision and hope that a future
version of the spec doesn't make our fix incompatible, so there is some discussion.

When the icmp_type + icmp_code masking patch gets accepted, I'll update this bz.
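As an added audit example (my code, not from the bug report or the OVS project): a script that scans `ovs-ofctl dump-flows` output and flags neighbor-discovery flows that match icmp_type (and nd_target) without an explicit icmp_code=0, the matching gap described in the comment above. The sample flow lines are constructed, and treating an explicit icmp_code=0 match as the expected hardening is my assumption.

```python
import re

# Constructed sample of `ovs-ofctl dump-flows br0` output (not from the bug report).
SAMPLE_FLOWS = """\
 cookie=0x0, duration=12.3s, table=0, n_packets=4, n_bytes=344, priority=200,icmp6,icmp_type=136,icmp_code=0,nd_target=2001:db8::10 actions=output:2
 cookie=0x0, duration=12.3s, table=0, n_packets=0, n_bytes=0, priority=200,icmp6,icmp_type=136,nd_target=2001:db8::11 actions=output:3
 cookie=0x0, duration=12.3s, table=0, n_packets=0, n_bytes=0, priority=200,icmp6,icmp_type=135,nd_target=2001:db8::12 actions=output:4
 cookie=0x0, duration=12.3s, table=0, n_packets=9, n_bytes=900, priority=100,ip actions=NORMAL
"""

# ICMPv6 neighbor-discovery message types that OVS nd_target matching depends on.
ND_TYPES = {135: "neighbor solicitation", 136: "neighbor advertisement"}


def parse_flow(line):
    """Return (match_fields dict, actions str) for one dump-flows line, or None."""
    line = line.strip()
    if not line or " actions=" not in line:
        return None
    match_part, actions = line.split(" actions=", 1)
    fields = {}
    for tok in match_part.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            fields[tok] = True  # bare protocol keyword such as "icmp6" or "ip"
    return fields, actions


def audit_nd_flows(dump_text):
    """Flag ND flows that match icmp_type without an explicit icmp_code.

    Returns a list of (priority, icmp_type, nd_target, problem) tuples.
    """
    findings = []
    for line in dump_text.splitlines():
        parsed = parse_flow(line)
        if parsed is None:
            continue
        fields, _actions = parsed
        if "icmp6" not in fields or "icmp_type" not in fields:
            continue
        itype = int(fields["icmp_type"])
        if itype in ND_TYPES and "icmp_code" not in fields:
            findings.append((fields.get("priority"), itype, fields.get("nd_target"),
                             f"{ND_TYPES[itype]} match lacks icmp_code=0"))
    return findings


if __name__ == "__main__":
    for finding in audit_nd_flows(SAMPLE_FLOWS):
        print(finding)
```

Run it against real output with `ovs-ofctl dump-flows <bridge>` piped into `audit_nd_flows`; flows that already match icmp_code=0, or that are not ICMPv6 ND, produce no finding.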

Comment 21 Aaron Conole 2023-10-31 20:54:45 UTC
Correction - the correct commit is:

https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c

