A flaw was found in the Linux kernel's implementation of GENEVE tunnels combined with IPsec. The traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. Reference and upstream patch: https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=34beb21594519ce64a55a498c2fe7d567bc1ca20
Mitigation: A possible workaround for this flaw is to configure IPsec for all traffic between the endpoints, instead of specifically for the UDP port used by the GENEVE tunnels. If GENEVE tunnels are not used, this flaw will not be triggered. In that case, it is possible to disable those tunnels, by unloading the "geneve" kernel module and blacklisting it (See https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules).
More detailed description (and keeping comment 0 short description too): A flaw was found in the Linux kernel's implementation of GENEVE tunnels combined with IPsec. When IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel, the kernel does not correctly route tunneled data over the encrypted link and sends the data unencrypted instead. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
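The affected configuration and the mitigation described above, as an added example that is not part of this bug report or the kernel fix: a small POSIX shell audit that flags IPsec policies scoped only to the GENEVE UDP port in `ip xfrm policy show` output and prints the host-wide policy the mitigation recommends. It assumes GENEVE's IANA default UDP port 6081; the endpoint addresses and reqid are placeholders, not values from this report.

```shell
#!/bin/sh
# Added example, not from the bug report or the kernel fix: audit
# `ip xfrm policy show` output for the port-scoped selector pattern described
# above and emit the host-wide policy the mitigation recommends. Assumes
# GENEVE's IANA default UDP port 6081; addresses and reqid are placeholders.
GENEVE_PORT=6081

# Policies whose selector is restricted to the GENEVE UDP port: the setup an
# unpatched kernel fails to honour for the tunnel's own traffic.
count_port_scoped_policies() {
    grep '^src ' | grep -c "proto udp .*[sd]port $GENEVE_PORT" || true
}

# Policies that select on addresses only (no proto/port), i.e. "IPsec for all
# traffic between the endpoints".
count_host_wide_policies() {
    grep '^src ' | grep -vc 'proto' || true
}

# Reads policy text on stdin. Returns 0 when a host-wide policy exists,
# 1 when coverage is only port-scoped, 2 when no policy was found.
audit_policies() {
    text=$(cat)
    wide=$(printf '%s\n' "$text" | count_host_wide_policies)
    scoped=$(printf '%s\n' "$text" | count_port_scoped_policies)
    if [ "$wide" -gt 0 ]; then return 0; fi
    if [ "$scoped" -gt 0 ]; then return 1; fi
    return 2
}

# Emits the mitigated configuration: ESP for all traffic between LOCAL and
# REMOTE, both directions, no port selector. Args: LOCAL REMOTE REQID.
print_host_wide_policy() {
    printf 'ip xfrm policy add src %s/32 dst %s/32 dir out tmpl src %s dst %s proto esp reqid %s mode transport\n' "$1" "$2" "$1" "$2" "$3"
    printf 'ip xfrm policy add src %s/32 dst %s/32 dir in tmpl src %s dst %s proto esp reqid %s mode transport\n' "$2" "$1" "$2" "$1" "$3"
}

# Constructed samples in the format of `ip xfrm policy show` (placeholder
# addresses): the affected port-scoped setup, and the mitigated host-wide one.
SAMPLE_PORT_SCOPED='src 192.0.2.1/32 dst 192.0.2.2/32 proto udp dport 6081
        dir out priority 0 ptype main
src 192.0.2.2/32 dst 192.0.2.1/32 proto udp sport 6081
        dir in priority 0 ptype main'
SAMPLE_HOST_WIDE='src 192.0.2.1/32 dst 192.0.2.2/32
        dir out priority 0 ptype main
src 192.0.2.2/32 dst 192.0.2.1/32
        dir in priority 0 ptype main'

printf '%s\n' "$SAMPLE_PORT_SCOPED" | audit_policies || echo "exposed (rc=$?): no host-wide policy"
print_host_wide_policy 192.0.2.1 192.0.2.2 1
```

On a live host, feed the real `ip xfrm policy show` output into `audit_policies` instead of the constructed sample.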
Acknowledgments: Mark Gray (Red Hat), Sabrina Dubroca (Red Hat)
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1886425]
This was resolved for Fedora with the 5.8.12 stable kernel updates.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0856 https://access.redhat.com/errata/RHSA-2021:0856
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2021:0857 https://access.redhat.com/errata/RHSA-2021:0857
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25645