Multiple versions of Open vSwitch are vulnerable to remote buffer overflow attacks, in which crafted MPLS packets could overflow the buffer reserved for MPLS labels in an OVS internal data structure. The MPLS packets that trigger the vulnerability and the potential for exploitation vary depending on version:

- Open vSwitch 2.1.x and earlier are not vulnerable.
- In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be exploited for arbitrary remote code execution.
- In Open vSwitch 2.4.x, the MPLS buffer overflow does not obviously lead to a remote code execution exploit, but testing shows that it can allow a remote denial of service.
- Open vSwitch 2.5.x is not vulnerable.

Mitigation
==========

For any version of Open vSwitch, preventing MPLS packets from reaching Open vSwitch mitigates the vulnerability. We do not recommend attempting to mitigate the vulnerability this way because of the following difficulties:

- Open vSwitch obtains packets before the iptables host firewall, so iptables on the Open vSwitch host cannot ordinarily block the vulnerability.
- If Open vSwitch is configured to support tunnels, MPLS packets encapsulated within tunnels must also be prevented from reaching the host.
- If Open vSwitch runs on a hypervisor, MPLS packets from VMs can also trigger the vulnerability.

We believe that Open vSwitch 2.4 is subject to denial of service only when debug logging is enabled. By default, debug logging is not enabled. Users most commonly enable debug logging at runtime using the "ovs-appctl" utility. When this is the case, the buffer overflow will crash the ovs-vswitchd daemon once, and then when it automatically restarts debug logging will be disabled; thus, in this situation, the vulnerability can only cause a single, brief interruption in service. Debug logging can also be enabled persistently using a command-line flag; in this situation, a stream of crafted MPLS packets could cause an extended denial of service.
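A triage helper for the version matrix and the 2.4 debug-logging condition described above; this is an added example, not code from the Open vSwitch project or this bug report. It assumes the usual text layout of `ovs-vswitchd --version` and `ovs-appctl vlog/list`, classifies by upstream release series only (it cannot tell whether a distribution build already carries the fix), and all function names and sample inputs are constructed for illustration.

```python
import re

# Exposure per upstream release series, as listed in the advisory text above.
EXPOSURE = {(2, 2): "rce", (2, 3): "rce", (2, 4): "dos"}

def classify_version(version_output):
    """Map `ovs-vswitchd --version` output to rce / dos / not-vulnerable / unknown."""
    m = re.search(r"\(Open vSwitch\)\s+(\d+)\.(\d+)", version_output)
    if not m:
        return "unknown"
    series = (int(m.group(1)), int(m.group(2)))
    if series <= (2, 1) or series == (2, 5):
        return "not-vulnerable"
    return EXPOSURE.get(series, "unknown")  # series the page does not list

def runtime_debug_modules(vlog_list_output):
    """Return modules that have any destination at DBG in `ovs-appctl vlog/list`."""
    hits = []
    for line in vlog_list_output.splitlines():
        fields = line.split()
        # Data rows: module name, then console, syslog and file levels.
        if len(fields) == 4 and "DBG" in (f.upper() for f in fields[1:]):
            hits.append(fields[0])
    return hits

def persistent_debug_args(cmdline):
    """Return -v/--verbose arguments on the daemon command line that select dbg."""
    hits = []
    for arg in cmdline:
        m = re.fullmatch(r"(?:-v|--verbose=?)(.*)", arg)
        # Bare -v/--verbose means maximum verbosity; else look for a dbg level.
        if m and (m.group(1) == "" or "dbg" in re.split(r"[:,\s]+", m.group(1).lower())):
            hits.append(arg)
    return hits

def assess(version_output, vlog_list_output, cmdline):
    """Combine the checks; debug logging only matters for the 2.4 (dos) case."""
    result = {"exposure": classify_version(version_output),
              "debug_runtime": [], "debug_persistent": []}
    if result["exposure"] == "dos":
        result["debug_runtime"] = runtime_debug_modules(vlog_list_output)
        result["debug_persistent"] = persistent_debug_args(cmdline)
    return result

# Constructed sample inputs (not captured from a real host).
SAMPLE_VERSION = "ovs-vswitchd (Open vSwitch) 2.4.0\nCompiled Jan  1 2016 00:00:00\n"
SAMPLE_VLOG = ("          console  syslog  file\n          -------  ------  ------\n"
               "bridge      OFF     ERR    INFO\ndpif        OFF     ERR     DBG\n")
SAMPLE_CMDLINE = ["ovs-vswitchd", "-vconsole:emer", "-vsyslog:err", "-vfile:dbg"]
print(assess(SAMPLE_VERSION, SAMPLE_VLOG, SAMPLE_CMDLINE))
```

A non-empty `debug_persistent` list corresponds to the persistent command-line case the text associates with an extended denial of service; a hit only in `debug_runtime` corresponds to the single-restart case.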
Acknowledgments:
Name: the Open vSwitch project
Upstream: Kashyap Thimmaraju, Bhargava Shastry

The CVE is now public:
http://openvswitch.org/pipermail/announce/2016-March/000082.html
http://openvswitch.org/pipermail/announce/2016-March/000083.html
fbl

Created openvswitch tracking bugs for this issue:
Affects: fedora-all [bug 1321946]

This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 6.0 (Juno) for RHEL 7
Via RHSA-2016:0524 https://rhn.redhat.com/errata/RHSA-2016-0524.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 5.0 (Icehouse) for RHEL 7
Via RHSA-2016:0523 https://rhn.redhat.com/errata/RHSA-2016-0523.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7
Via RHSA-2016:0537 https://rhn.redhat.com/errata/RHSA-2016-0537.html

This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 3.1
Via RHSA-2016:0615 https://access.redhat.com/errata/RHSA-2016:0615