
yahoo-eng-team team mailing list archive

[Bug 1902917] Re: Anti-spoofing bypass using Open vSwitch (CVE-2021-20267)


Reviewed:  https://review.opendev.org/c/openstack/neutron/+/783743
Committed: https://opendev.org/openstack/neutron/commit/ca7822e2108c151bda992ef8a6d454ec2c6d890e
Submitter: "Zuul (22348)"
Branch:    master

commit ca7822e2108c151bda992ef8a6d454ec2c6d890e
Author: Slawek Kaplonski <skaplons@xxxxxxxxxx>
Date:   Mon Mar 29 22:21:15 2021 +0200

    [ovs fw] Restrict IPv6 NA and DHCP(v6) IP and MAC source addresses
    
    Neighbor Advertisements are used to inform other machines of the MAC
    address to use to reach an IPv6 address. This commit prevents VMs from
    pretending they are assigned IPv6 addresses they should not use.
    
    It also prevents sending UDP packets with spoofed IP or MAC even using
    DHCP(v6) request ports.
    
    Co-authored-by: David Sinquin <david.sinquin@xxxxxxxxx>
    
    Closes-bug: #1902917
    
    Change-Id: Iffb6643359562487414460f5a7e19a7fae9f935c


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1902917

Title:
  Anti-spoofing bypass using Open vSwitch (CVE-2021-20267)

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  In Progress

Bug description:
  Using Open vSwitch on an ussuri setup with neutron 16.0.0, VMs can
  send ICMPv6 Neighbor Advertisement packets with no check on their
  content to mis-direct traffic to them.

  This looks a lot like https://bugs.launchpad.net/neutron/+bug/1502933
  except it affects Open vSwitch driver rather than iptables.

  Pre-condition:

  - two running VMs in the same L2 flat network with IPv6 connectivity

  How to reproduce:

  - manually add a custom IPv6 on one (e.g. `ip -6 address add fe80::42/64 dev eth0`)
  - ping it from the other, expecting no answer (e.g. `ping -c1 -w1 "fe80::42%eth0"`)
  - confirm it updated its neighbor table (e.g. `ip -6 neigh get fe80::42/64 dev eth0`)

  Expected behavior:

  - VMs should not be able to advertise IPv6 addresses that are not
  assigned to them e.g. through neighbor advertisement packets.

  Affected versions:

  The Openstack version I am using is Ussuri with neutron 16.0.0, with
  minor changes on commit df5b28c2e5. From a quick review of the diff
  with master, I think the issue is also present there. The network part
  is using Open vSwitch on a flat network with Xen 4.13 as hypervisor.

  Similarly, UDP packets using DHCP query ports (for DHCP v4 or v6) can be sent with arbitrary IP and MAC addresses.
  And I think we are fine for other ICMP types (redirect, router renumbering for ICMPv6) as I did not manage to have such packets sent between VMs, but I fail to understand how they get filtered.

  I am attaching a couple of patches that I think fix the issues but
  include no tests and include changes that we may want to avoid (in
  case plugins out of neutron git repo use
  firewall.ICMPV6_ALLOWED_EGRESS_TYPES).

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1902917/+subscriptions
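An added example, not neutron's code and not the patches attached to the report, showing in userspace the check the fix enforces in the OVS firewall: parse an ICMPv6 Neighbor Advertisement and flag one whose target address is not among the allowed MAC/IPv6 pairs of the sending port (the reporter's `fe80::42` case). Frames are constructed inline; MACs and addresses are sample values, and checksums are not verified.

```python
import ipaddress
import struct

ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_NA = 136          # ICMPv6 Neighbor Advertisement
OPT_TARGET_LLADDR = 2    # ND option: target link-layer address

def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))

def build_na(src_mac: str, src_ip: str, target: str) -> bytes:
    """Constructed sample Ethernet/IPv6/ICMPv6 NA frame (checksum left zero; not verified here)."""
    payload = struct.pack("!BBHI", ICMPV6_NA, 0, 0, 0x20000000)   # flags: Override set
    payload += ipaddress.IPv6Address(target).packed
    payload += bytes([OPT_TARGET_LLADDR, 1]) + _mac(src_mac)     # option length in 8-byte units
    ip6 = struct.pack("!IHBB", 0x60000000, len(payload), IPPROTO_ICMPV6, 255)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    return _mac("33:33:00:00:00:01") + _mac(src_mac) + struct.pack("!H", ETH_P_IPV6) + ip6 + payload

def parse_na(frame: bytes):
    """Return (src_mac, src_ip, target, target_lladdr) for an NA frame, else None."""
    if len(frame) < 78 or struct.unpack("!H", frame[12:14])[0] != ETH_P_IPV6:
        return None
    ip6 = frame[14:54]
    if ip6[6] != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + struct.unpack("!H", ip6[4:6])[0]]
    if len(icmp) < 24 or icmp[0] != ICMPV6_NA:
        return None
    tll, opts = None, icmp[24:]
    while len(opts) >= 8 and opts[1] > 0:          # walk ND TLV options; zero length would loop
        if opts[0] == OPT_TARGET_LLADDR and opts[1] == 1:
            tll = opts[2:8]
        opts = opts[opts[1] * 8:]
    return frame[6:12], ipaddress.IPv6Address(ip6[8:24]), ipaddress.IPv6Address(icmp[8:24]), tll

def na_violation(frame: bytes, allowed_pairs):
    """allowed_pairs: [(mac, ip)] strings for the port; returns a reason, or None if the NA is clean."""
    parsed = parse_na(frame)
    if parsed is None:
        return None                                 # not an NA: out of scope for this check
    src_mac, _src_ip, target, tll = parsed
    allowed_ips = {ipaddress.IPv6Address(ip) for mac, ip in allowed_pairs if _mac(mac) == src_mac}
    if target not in allowed_ips:
        return f"NA target {target} is not an allowed address for MAC {src_mac.hex(':')}"
    if tll is not None and tll != src_mac:
        return f"target link-layer option {tll.hex(':')} differs from frame source MAC"
    return None
```

The same per-port allowed-pairs set is what the fixed OVS firewall matches on with the `nd_target` field instead of admitting every type-136 packet.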