Summary: An issue was reported concerning the lack of sufficient validation of BFD packets when processed in an Open Virtual Network (OVN) cluster. Specifically, there is a failure to check that BFD traffic is not actually generated by unprivileged cluster workloads (VMs/containers). It can be triggered by crafting and injecting specific BFD packets from inside unprivileged workloads (VMs/containers).

Attack scenario: In an OVN cluster with at least two nodes (hypervisors) where BFD is used between hypervisors for high availability (a common configuration in RH OpenStack deployments), a VM running in a tenant network can trigger the attack by injecting specific BFD packets that advertise the BFD session as being "down". The source and destination IPs and MACs of these packets can be those of the VM and another VM in the same tenant network. These packets are allowed today because under normal operation it is expected that a VM can access other VMs in the same tenant network. Such packets will bring down the BFD session and will impact traffic forwarding (DoS) between all other tenants in the OVN cluster.

Affected versions: all current versions of OVN back to 20.03.0. Per the reporter, a fix has been developed and is ready to be applied.
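The following is an added example, not OVN's code and not the fix the reporter refers to: a small Python model of the check the report describes as missing. It parses the RFC 5880 BFD control header, applies the RFC's own reception checks, and then refuses to let a packet update session state unless it arrived on a hypervisor-facing port from a configured peer hypervisor. The port classes (`tunnel`, `localnet`, `vif`), the session table, the discriminators and all addresses are constructed for illustration; the rejection reasons double as labels a defender can log and alert on.

```python
# Added example, not OVN's code: RFC 5880 BFD header parsing plus the ingress
# check described in the report. Port classes and addresses are assumptions.
import struct
from dataclasses import dataclass

# Mandatory 24-byte section of a BFD control packet (RFC 5880 section 4.1):
# Vers|Diag, Sta|P|F|C|A|D|M, Detect Mult, Length, then five 32-bit fields.
BFD_HEADER = struct.Struct("!BBBBIIIII")
STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}

# Illustrative ingress classes (assumption): where a packet entered the node.
HYPERVISOR_PORTS = {"tunnel", "localnet"}   # traffic from other hypervisors
TENANT_PORTS = {"vif"}                       # VM / container attachments

@dataclass(frozen=True)
class BfdControl:
    version: int
    diag: int
    state: int
    detect_mult: int
    length: int
    my_disc: int
    your_disc: int

def parse_bfd(payload: bytes) -> BfdControl:
    """Decode the header and apply the RFC 5880 section 6.8.6 reception checks."""
    if len(payload) < BFD_HEADER.size:
        raise ValueError("short BFD packet")
    b0, b1, mult, length, my_d, your_d, _tx, _rx, _echo = BFD_HEADER.unpack_from(payload)
    version, diag = b0 >> 5, b0 & 0x1F
    state = b1 >> 6                 # Sta: top two bits of the second byte
    auth_present = bool(b1 & 0x04)  # A bit
    multipoint = bool(b1 & 0x01)    # M bit
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    min_len = 26 if auth_present else 24
    if length < min_len or length > len(payload):
        raise ValueError("bad BFD length field")
    if mult == 0:
        raise ValueError("detect multiplier must be nonzero")
    if multipoint:
        raise ValueError("multipoint bit must be zero")
    if my_d == 0:
        raise ValueError("my discriminator must be nonzero")
    return BfdControl(version, diag, state, mult, length, my_d, your_d)

def accept_bfd(payload: bytes, in_port_type: str, src_ip: str,
               sessions: dict[int, str]) -> tuple[bool, str]:
    """Decide whether a received BFD packet may update session state.
    sessions maps our local discriminator to the peer hypervisor IP that owns
    the session. Returns (accepted, reason); reasons are also audit labels."""
    try:
        pkt = parse_bfd(payload)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    # The check this report says was missing: a tenant workload must never be
    # able to speak for the BFD session between hypervisors (default deny).
    if in_port_type in TENANT_PORTS or in_port_type not in HYPERVISOR_PORTS:
        return False, "bfd-from-tenant-port"
    if src_ip not in sessions.values():
        return False, "bfd-from-unknown-peer"
    # RFC 5880: a nonzero Your Discriminator must select an existing session;
    # the peer-match below is an extra illustrative consistency check.
    if pkt.your_disc != 0 and pkt.your_disc not in sessions:
        return False, "bfd-unknown-discriminator"
    if pkt.your_disc != 0 and sessions[pkt.your_disc] != src_ip:
        return False, "bfd-discriminator-peer-mismatch"
    return True, f"accepted:{STATE_NAMES[pkt.state]}"

def build_bfd(state: int, my_disc: int, your_disc: int, diag: int = 0) -> bytes:
    """Constructed sample control packet (not captured traffic) for the demo."""
    b0 = (1 << 5) | (diag & 0x1F)   # version 1
    b1 = (state & 0x3) << 6         # Sta field, all flag bits clear
    return BFD_HEADER.pack(b0, b1, 3, BFD_HEADER.size, my_disc, your_disc,
                           1_000_000, 1_000_000, 0)

# Constructed session table: local discriminator -> peer hypervisor address.
SESSIONS = {0x1001: "192.0.2.11"}

def demo() -> dict[str, tuple[bool, str]]:
    peer_up = build_bfd(3, 0x2002, 0x1001)        # Up, from the real peer
    tenant_down = build_bfd(1, 0x2002, 0x1001)    # Down, arriving on a VM port
    return {
        "peer_up": accept_bfd(peer_up, "tunnel", "192.0.2.11", SESSIONS),
        "tenant_down": accept_bfd(tenant_down, "vif", "10.0.0.5", SESSIONS),
        "stranger": accept_bfd(tenant_down, "tunnel", "198.51.100.9", SESSIONS),
        "truncated": accept_bfd(peer_up[:10], "tunnel", "192.0.2.11", SESSIONS),
    }

if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name:12} {'ACCEPT' if ok else 'DROP  '} {why}")
```

The ingress-port test runs before any field-level validation of the session, because a well-formed "Down" packet is exactly what the report describes: nothing in the BFD header itself distinguishes it from a legitimate peer's, so only the path the packet took into the node can.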
Created ovn tracking bugs for this issue: Affects: fedora-all [bug 2269176]
This issue has been addressed in the following products: Fast Datapath for Red Hat Enterprise Linux 8, via RHSA-2024:4035: https://access.redhat.com/errata/RHSA-2024:4035