yahoo-eng-team team mailing list archive

[Bug 1502933] Re: [OSSA-2016-009] ICMPv6 anti-spoofing rules are too permissive (CVE-2015-8914)

 

** Changed in: neutron
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1502933

Title:
  [OSSA-2016-009] ICMPv6 anti-spoofing rules are too permissive
  (CVE-2015-8914)

Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released

Bug description:
  ICMPv6 default firewall rules are too permissive on the hypervisors
  leaving VMs able to do ICMPv6 source address spoofing.

  Pre-condition:

  - having a provider-network providing IPv6 connectivity to the VMs
  - in my case the controllers are providing stateful DHCPv6 and my physical router provides the default gateway using Router Advertisements.

  How to reproduce:

  - spin a VM and attach to it an IPv6 enabled network
  - obtain an IPv6 address using #dhclient -6
  - try to ping6 an IPv6 enabled host
  - remove your IPv6 address from the interface: #sudo ip addr del 2001:0DB8::100/32 dev eth0
  - add a forged IPv6 address to your interface, in the same subnet as the original IPv6 address: #sudo ip addr add 2001:0DB8::200/32 dev eth0
  - try to ping6 the previous IPv6 enabled host, it will still work
  - try to assign another IPv6 address to your NIC, completely outside your IPv6 assignment: sudo ip addr add 2001:dead:beef::1/64 dev eth0
  - try to ping6 the previous IPv6 enabled host -> the destination will still receive your echo requests with your forged address but you won't receive answers, they won't be routed back to you.

  Expected behavior:

  - VMs should not be able to spoof their IPv6 address and issue forged
  ICMPv6 packets. The firewall rules on the hypervisor should restrict
  ICMPv6 egress to the VMs' link-local and global-unicast addresses.

  Affected versions:

  - I saw the issue in OpenStack Juno, under Ubuntu 14.04. But
  according to the upstream code, the issue is still present in the
  master branch, in neutron/agent/linux/iptables_firewall.py, at
  line 385:

  ipv6_rules += [comment_rule('-p icmpv6 -j RETURN',
  comment=ic.IPV6_ICMP_ALLOW)]

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1502933/+subscriptions
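
Added example, not part of the bug report and not neutron's code or its released fix: a small model of the egress chain that compares the blanket rule quoted above with rules limited to the port's own addresses, as the "Expected behavior" section asks. Assumptions: the MAC is constructed, the guest's link-local address is derived from it by EUI-64, and the names PERMISSIVE, restricted_rules, render and verdict are hypothetical.

```python
import ipaddress

# The rule quoted in the report: any ICMPv6 packet leaves, whatever its source.
PERMISSIVE = [(None, None, "RETURN")]

def link_local_from_mac(mac):
    """EUI-64 link-local address for a MAC (RFC 4291, Appendix A)."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02  # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def restricted_rules(mac, fixed_ips):
    """(source, icmpv6_type, target) tuples; None means 'any'."""
    sources = [link_local_from_mac(mac)]
    sources += [ipaddress.IPv6Address(ip) for ip in fixed_ips]
    rules = [(src, None, "RETURN") for src in sources]
    # Assumption: keep duplicate address detection working, which sends
    # neighbour solicitations (type 135) from the unspecified address.
    rules.append((ipaddress.IPv6Address("::"), 135, "RETURN"))
    rules.append((None, None, "DROP"))
    return rules

def render(rules):
    """Render the tuples as ip6tables match strings."""
    out = []
    for src, typ, target in rules:
        parts = ["-s %s/128" % src] if src is not None else []
        parts.append("-p icmpv6")
        if typ is not None:
            parts.append("--icmpv6-type %d" % typ)
        out.append(" ".join(parts + ["-j", target]))
    return out

def verdict(rules, src, icmp_type):
    """First matching rule decides, as in an iptables chain."""
    src = ipaddress.IPv6Address(src)
    for rule_src, rule_type, target in rules:
        if rule_src in (None, src) and rule_type in (None, icmp_type):
            return target
    return "DROP"
```

Running verdict() over the three source addresses from the reproduction steps with ICMPv6 type 128 (echo request) shows the blanket rule passing all of them, while the restricted chain passes only the address the port was actually given.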