Date: Wed, 10 Feb 2021 11:53:47 -0300 From: Flavio Leitner <fbl@...hat.com> To: oss-security@...ts.openwall.com, ovs-announce@...nvswitch.org, ovs-discuss@...nvswitch.org Cc: fbl@...hat.com, Ilya Maximets <i.maximets@....org> Subject: CVE-2020-35498: Open vSwitch: Packet parsing vulnerability Description =========== Multiple versions of Open vSwitch are vulnerable to potential problems like denial of service attacks, in which crafted network packets could cause the packet lookup to ignore network header fields from layers 3 and 4. Both kernel and userspace datapaths are affected, including DPDK enabled Open vSwitch (OVS-DPDK) as an example of the latter. The crafted network packet is an ordinary IPv4 or IPv6 packet with Ethernet padding length above 255 bytes. This causes the packet sanity check to abort parsing header fields after layer 2. When that situation happens, the classifier will use an unexpected set of header fields. This could cause the packet lookup to either match on unintended flows or return the default table miss action 'drop'. As a consequence, the datapath can be instructed to match on an incorrect range of packets with an action to drop them, for example. Further legit traffic could hit the cached flow preventing it to expire extending the situation. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the identifier CVE-2020-35498 to this issue. Mitigation ========== For any version of Open vSwitch, preventing such packets to be received by Open vSwitch or removing the excess of padding before they are received by Open vSwitch mitigates the vulnerability. We do not recommend attempting to mitigate the vulnerability this way because of the following difficulties: - Open vSwitch obtains packets before the iptables or nftables host firewall, so iptables or nftables on the Open vSwitch host cannot ordinarily block the vulnerability. - If Open vSwitch is configured to support tunnels, such packets encapsulated within tunnels must also be prevented from reaching the host. - If Open vSwitch runs on a hypervisor, such packets from VMs can also trigger the vulnerability. Fix === Patches to fix these vulnerabilities in Open vSwitch 2.5.x and newer are applied to the various appropriate branches: * master https://github.com/openvswitch/ovs/commit/79349cbab0b2a755140eedb91833ad2760520a83 * 2.15 https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0 * 2.14 https://github.com/openvswitch/ovs/commit/59b588604b89e85b463984ba08a99badb4fcba15 * 2.13 https://github.com/openvswitch/ovs/commit/3512fb512c76a1f08eba4005aa2eb69160d0840e * 2.12 https://github.com/openvswitch/ovs/commit/53c1b8b166f3dd217bc391d707885f789e9ecc49 * 2.11 https://github.com/openvswitch/ovs/commit/abd7a457652e6734902720fe6a5dddb3fc0d1e3b * 2.10 https://github.com/openvswitch/ovs/commit/79cec1a736b91548ec882d840986a11affda1068 * 2.9 https://github.com/openvswitch/ovs/commit/48ceca0446b1c2c2c03e7551048c5b19ed23cc97 * 2.8 https://github.com/openvswitch/ovs/commit/35c280072c1c3ed58202745b7d27fbbd0736999b * 2.7 https://github.com/openvswitch/ovs/commit/ad0d22f6435b43ecfc30c0e877d490d36721f200 * 2.6 https://github.com/openvswitch/ovs/commit/673c08eee8c8d4f2999ddd31524de7ff0f72b559 * 2.5 https://github.com/openvswitch/ovs/commit/354e7d860e444fd1472541b0fdc3b8678aa74828 Recommendation ============== We recommend that users of Open vSwitch apply the included patch, or upgrade to a known patched version of Open vSwitch. These include: * 2.14.2 * 2.13.3 * 2.12.3 * 2.11.6 * 2.10.7 * 2.9.9 * 2.8.11 * 2.7.13 * 2.6.10 * 2.5.12 Acknowledgments =============== The Open vSwitch team wishes to thank the reporter: Joakim Hindersson <joakim.hindersson@...stx.se> Download attachment "OpenPGP_signature" of type "application/pgp-signature" (496 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.