1934330 – (CVE-2021-20267) CVE-2021-20267 openstack-neutron: Anti-spoofing bypass using Open vSwitch

Bug 1934330 (CVE-2021-20267) - CVE-2021-20267 openstack-neutron: Anti-spoofing bypass using Open vSwitch

Summary: CVE-2021-20267 openstack-neutron: Anti-spoofing bypass using Open vSwitch

Keywords:
Status:	MODIFIED
Alias:	CVE-2021-20267
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Duplicates (3):	1962090 1962091 1962092 (view as bug list)
Depends On:	1934331 1934332 1934333 2003423
Blocks:	1895763
TreeView+	depends on / blocked

Reported:	2021-03-03 01:46 UTC by Summer Long
Modified:	2023-07-07 08:29 UTC (History)
CC List:	13 users (show)
Fixed In Version:	neutron 15.3.3, neutron 16.3.1, neutron 17.1.1
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the Open vSwitch firewall driver are affected. Source: OpenStack project
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Summer Long 2021-03-03 01:46:52 UTC

VMs can send ICMPv6 Neighbor Advertisement packets with no check on their content to mis-direct traffic to them (source address spoofing).
Pre-condition: two running VMs in the same L2 flat network with IPv6 connectivity

Upstream bug: https://bugs.launchpad.net/neutron/+bug/1902917
Upstream patch: https://review.opendev.org/c/openstack/neutron/+/776599

See also: https://bugzilla.redhat.com/show_bug.cgi?id=1345892 (same issue but for OpenVSwitch driver instead of iptables)

Comment 2 Summer Long 2021-03-03 01:48:21 UTC

Created openstack-neutron tracking bugs for this issue:

Affects: openstack-rdo [bug 1934331]

Comment 7 Summer Long 2021-03-05 02:37:06 UTC

Mitigation:

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 11 Slawek Kaplonski 2021-05-19 10:06:01 UTC

*** Bug 1962090 has been marked as a duplicate of this bug. ***

Comment 12 Slawek Kaplonski 2021-05-19 10:06:11 UTC

*** Bug 1962091 has been marked as a duplicate of this bug. ***

Comment 13 Slawek Kaplonski 2021-05-19 10:06:13 UTC

*** Bug 1962092 has been marked as a duplicate of this bug. ***

Comment 17 Slawek Kaplonski 2021-06-09 10:34:36 UTC

Fix included also in openstack-neutron-12.1.1-44.el7ost for OSP-13.0 already

Note You need to log in before you can comment on or make changes to this bug.