yahoo-eng-team team mailing list archive
Message #52310
[Bug 1502933] Re: [OSSA-2016-009] ICMPv6 anti-spoofing rules are too permissive (CVE-2015-8914)
** Summary changed:
- ICMPv6 anti-spoofing rules are too permissive (CVE-2015-8914)
+ [OSSA-2016-009] ICMPv6 anti-spoofing rules are too permissive (CVE-2015-8914)
** Changed in: ossa
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1502933
Title:
[OSSA-2016-009] ICMPv6 anti-spoofing rules are too permissive
(CVE-2015-8914)
Status in neutron:
Fix Committed
Status in OpenStack Security Advisory:
Fix Released
Bug description:
ICMPv6 default firewall rules are too permissive on the hypervisors
leaving VMs able to do ICMPv6 source address spoofing.
Pre-condition:
- having a provider-network providing IPv6 connectivity to the VMs
- in my case the controllers are providing stateful DHCPv6 and my physical router provides the default gateway using Router Advertisements.
How to reproduce:
- spin a VM and attach to it an IPv6 enabled network
- obtain an IPv6 address using #dhclient -6
- try to ping6 an IPv6 enabled host
- remove your IPv6 address from the interface: #sudo ip addr del 2001:0DB8::100/32 dev eth0
- add a forged IPv6 address to your interface, in the same subnet as the original IPv6 address: #sudo ip addr add 2001:0DB8::200/32 dev eth0
- try to ping6 the previous IPv6 enabled host, it will still work
- try to assign another IPv6 address to your NIC, completely outside your IPv6 assignment: sudo ip addr add 2001:dead:beef::1/64 dev eth0
- try to ping6 the previous IPv6 enabled host -> the destination will still receive your echo requests with your forged address but you won't receive answers, they won't be routed back to you.
Expected behavior:
- VMs should not be able to spoof their IPv6 address and issue forged
ICMPv6 packets. The firewall rules on the hypervisor should restrict
ICMPv6 egress to the VMs' link-local and global-unicast addresses.
Affected versions:
- I saw the issue in OpenStack Juno, under Ubuntu 14.04. But
according to the upstream code, the issue is still present in the
master branch, in neutron/agent/linux/iptables_firewall.py, at
line 385:
ipv6_rules += [comment_rule('-p icmpv6 -j RETURN',
comment=ic.IPV6_ICMP_ALLOW)]
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1502933/+subscriptions
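
The restriction described under "Expected behavior", as an added example: this is not neutron's code and not the fix that was released. The MAC address, the function names and the per-port rule layout are assumptions made for illustration; the addresses are the ones used in the reproduction steps, and the rule strings reuse the `-p icmpv6` syntax of the quoted line.

```python
import ipaddress

PERMISSIVE_RULE = "-p icmpv6 -j RETURN"  # the rule quoted in the report


def eui64_link_local(mac):
    """Derive the fe80::/64 EUI-64 address for a MAC (RFC 4291, appendix A)."""
    octets = [int(part, 16) for part in mac.split(":")]
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(octets[:3] + [0xFF, 0xFE] + octets[3:])
    return ipaddress.IPv6Address(bytes.fromhex("fe80" + "00" * 6) + iid)


def allowed_sources(mac, fixed_ips):
    """Addresses the port may use as an ICMPv6 source (hypothetical helper)."""
    return {eui64_link_local(mac)} | {ipaddress.IPv6Address(ip) for ip in fixed_ips}


def icmpv6_egress_rules(mac, fixed_ips):
    """Rule arguments for a per-port egress chain, most specific first."""
    rules = [
        # Duplicate address detection sends neighbour solicitations from ::
        "-s ::/128 -p icmpv6 --icmpv6-type 135 -j RETURN",
    ]
    for addr in sorted(allowed_sources(mac, fixed_ips)):
        rules.append("-s %s/128 -p icmpv6 -j RETURN" % addr)
    rules.append("-p icmpv6 -j DROP")  # any other source address is spoofed
    return rules


def would_pass(src, mac, fixed_ips):
    """Model the chain's verdict for an echo request sent from src."""
    return ipaddress.IPv6Address(src) in allowed_sources(mac, fixed_ips)


if __name__ == "__main__":
    # Constructed port data: MAC is made up, fixed IP is the one from the report.
    MAC, FIXED = "fa:16:3e:aa:bb:cc", ["2001:0DB8::100"]
    print("\n".join(icmpv6_egress_rules(MAC, FIXED)))
    for src in ("2001:db8::100", "2001:db8::200", "2001:dead:beef::1"):
        print(src, "RETURN" if would_pass(src, MAC, FIXED) else "DROP")
```

With these rules only the assigned address and the MAC-derived link-local address pass; both forged addresses from the reproduction steps fall through to the final DROP.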