
yahoo-eng-team team mailing list archive

[Bug 1797575] Re: Security vulnerability with SR-IOV ports


Since nobody has disputed Sean's assertions in the nearly half a year
since his comment #8 above, I'm going to assume the VMT no longer needs
to track this and is unlikely to issue any security advisory about it,
so am marking our advisory task Won't Fix.

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1797575

Title:
  Security vulnerability with SR-IOV ports

Status in neutron:
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  As explained in http://www.mulix.org/pubs/misc/sriovsec-tr.pdf, an
  attacker that has been assigned a VF of a NIC for its VM can block the
  network access for all the VMs using a VF of the same card by sending
  flow control PAUSE commands at the right interval.

  The attack is described as hard to detect, easy to implement and
  absolutely efficient (throughput drops to 0).

  A VF of a SR-IOV virtualized NIC can be assigned via pci aliases or
  with neutron ports.

  I suppose with a VF assigned via a nova pci-passthrough these PAUSE
  commands would block the network. Would it be the case as well using
  the neutron port method?

  I don't have enough knowledge of neutron's functioning to see if these
  threats are serious or not, and I do not have the setup to test this
  myself.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1797575/+subscriptions
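As an added defender's example (not part of the bug report, nor neutron or nova code): a small Python detector that recognises IEEE 802.3x PAUSE frames (EtherType 0x8808, MAC Control opcode 0x0001) in raw Ethernet frames and flags a source MAC that emits them at a sustained rate, which is the traffic pattern the linked paper describes. The frames, MAC addresses and the rate threshold are constructed sample data and assumptions, not values from the report.

```python
# Added example: flag sources emitting bursts of 802.3x PAUSE frames.
import struct
from collections import defaultdict

PAUSE_DST = bytes.fromhex("0180c2000001")   # reserved MAC Control multicast address
MAC_CONTROL_ETHERTYPE = 0x8808
PAUSE_OPCODE = 0x0001


def parse_pause_frame(frame: bytes):
    """Return (src_mac, pause_quanta) if frame is a PAUSE frame, else None."""
    if len(frame) < 18:                     # dst(6) + src(6) + type(2) + opcode(2) + quanta(2)
        return None
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != MAC_CONTROL_ETHERTYPE:
        return None
    opcode, quanta = struct.unpack("!HH", frame[14:18])
    if opcode != PAUSE_OPCODE:
        return None
    return src.hex(":"), quanta


def pause_flood_sources(events, window_s=1.0, threshold=10):
    """events: iterable of (timestamp_seconds, raw_frame).
    Returns {src_mac: max PAUSE frames seen in any window} for sources that
    exceed `threshold` non-zero PAUSE frames in a single window."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, frame in events:
        hit = parse_pause_frame(frame)
        if hit is None:
            continue
        src, quanta = hit
        if quanta == 0:                     # quanta 0 means "resume", not a stall
            continue
        buckets[src][int(ts // window_s)] += 1
    return {src: max(b.values()) for src, b in buckets.items()
            if max(b.values()) > threshold}


def build_frame(dst, src, ethertype, payload):
    """Helper to construct a raw Ethernet frame for the sample capture."""
    return dst + src + struct.pack("!H", ethertype) + payload


# Constructed sample capture: one VM MAC emits a PAUSE burst, another sends plain IPv4.
ATTACKER_SRC = bytes.fromhex("525400abcd01")   # constructed, not from the report
BENIGN_SRC = bytes.fromhex("525400abcd02")     # constructed, not from the report
PAUSE_PAYLOAD = struct.pack("!HH", PAUSE_OPCODE, 0xFFFF) + bytes(42)   # pad to 60 bytes
SAMPLE_EVENTS = [(i * 0.02, build_frame(PAUSE_DST, ATTACKER_SRC, MAC_CONTROL_ETHERTYPE, PAUSE_PAYLOAD))
                 for i in range(25)]
SAMPLE_EVENTS += [(i * 0.1, build_frame(bytes.fromhex("ffffffffffff"), BENIGN_SRC, 0x0800, bytes(46)))
                  for i in range(10)]

if __name__ == "__main__":
    print(pause_flood_sources(SAMPLE_EVENTS))   # {'52:54:00:ab:cd:01': 25}
```

PAUSE frames are link-local and are normally consumed by the adjacent port, so this only works at a capture point that actually sees them (a switch mirror of the PF-facing port, or exported MAC Control counters); it does not tell you whether a given NIC filters PAUSE frames from VFs in hardware.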