Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 10 Feb 2021 11:53:47 -0300
From: Flavio Leitner <fbl@...hat.com>
To: oss-security@...ts.openwall.com, ovs-announce@...nvswitch.org,
 ovs-discuss@...nvswitch.org
Cc: fbl@...hat.com, Ilya Maximets <i.maximets@....org>
Subject: CVE-2020-35498: Open vSwitch: Packet parsing vulnerability

Description
===========

Multiple versions of Open vSwitch are vulnerable to potential problems
like denial of service attacks, in which crafted network packets could
cause the packet lookup to ignore network header fields from layers 3
and 4.

Both kernel and userspace datapaths are affected, including DPDK enabled
Open vSwitch (OVS-DPDK) as an example of the latter.

The crafted network packet is an ordinary IPv4 or IPv6 packet with
Ethernet padding length above 255 bytes. This causes the packet sanity
check to abort parsing header fields after layer 2.

When that situation happens, the classifier will use an unexpected set
of header fields. This could cause the packet lookup to either match
on unintended flows or return the default table miss action 'drop'.

As a consequence, the datapath can be instructed to match on an
incorrect range of packets with an action to drop them, for example.
Further legit traffic could hit the cached flow preventing it to
expire extending the situation.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the identifier CVE-2020-35498 to this issue.

Mitigation
==========

For any version of Open vSwitch, preventing such packets to be
received by Open vSwitch or removing the excess of padding before
they are received by Open vSwitch mitigates the vulnerability. We
do not recommend attempting to mitigate the vulnerability this way
because of the following difficulties:

      - Open vSwitch obtains packets before the iptables or nftables
        host firewall, so iptables or nftables on the Open vSwitch host
        cannot ordinarily block the vulnerability.

      - If Open vSwitch is configured to support tunnels, such packets
        encapsulated within tunnels must also be prevented from reaching
        the host.

      - If Open vSwitch runs on a hypervisor, such packets from VMs can
        also trigger the vulnerability.


Fix
===

Patches to fix these vulnerabilities in Open vSwitch 2.5.x and newer are
applied to the various appropriate branches:

* master
https://github.com/openvswitch/ovs/commit/79349cbab0b2a755140eedb91833ad2760520a83

* 2.15
https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0

* 2.14
https://github.com/openvswitch/ovs/commit/59b588604b89e85b463984ba08a99badb4fcba15

* 2.13
https://github.com/openvswitch/ovs/commit/3512fb512c76a1f08eba4005aa2eb69160d0840e

* 2.12
https://github.com/openvswitch/ovs/commit/53c1b8b166f3dd217bc391d707885f789e9ecc49

* 2.11
https://github.com/openvswitch/ovs/commit/abd7a457652e6734902720fe6a5dddb3fc0d1e3b

* 2.10
https://github.com/openvswitch/ovs/commit/79cec1a736b91548ec882d840986a11affda1068

* 2.9
https://github.com/openvswitch/ovs/commit/48ceca0446b1c2c2c03e7551048c5b19ed23cc97

* 2.8
https://github.com/openvswitch/ovs/commit/35c280072c1c3ed58202745b7d27fbbd0736999b

* 2.7
https://github.com/openvswitch/ovs/commit/ad0d22f6435b43ecfc30c0e877d490d36721f200

* 2.6
https://github.com/openvswitch/ovs/commit/673c08eee8c8d4f2999ddd31524de7ff0f72b559

* 2.5
https://github.com/openvswitch/ovs/commit/354e7d860e444fd1472541b0fdc3b8678aa74828


Recommendation
==============

We recommend that users of Open vSwitch apply the included patch, or
upgrade to a known patched version of Open vSwitch.  These include:

* 2.14.2
* 2.13.3
* 2.12.3
* 2.11.6
* 2.10.7
* 2.9.9
* 2.8.11
* 2.7.13
* 2.6.10
* 2.5.12


Acknowledgments
===============

The Open vSwitch team wishes to thank the reporter:

     Joakim Hindersson <joakim.hindersson@...stx.se>






Download attachment "OpenPGP_signature" of type "application/pgp-signature" (496 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.