Date: Thu, 6 Apr 2023 19:37:53 +0200 From: Ilya Maximets <i.maximets@....org> To: oss-security@...ts.openwall.com, ovs-announce@...nvswitch.org, ovs-discuss <ovs-discuss@...nvswitch.org> Cc: i.maximets@....org, Aaron Conole <aconole@...hat.com>, Flavio Leitner <fbl@...hat.com>, David Marchand <david.marchand@...hat.com> Subject: [ADVISORY] CVE-2023-1668: Open vSwitch: Remote traffic denial of service via crafted packets with IP proto 0 Description =========== Multiple versions of Open vSwitch are vulnerable to crafted IP packets with ip proto set to 0 causing a potential denial of service. Triggering the vulnerability will require an attacker to send a crafted IP packet with protocol field set to 0 and the flow rules to contain 'set' actions on other fields in the IP protocol header. The resulting flows will omit required actions, and fail to mask the IP protocol field, resulting in a large bucket which captures all IP packets. All versions of Open vSwitch at least as early as 1.5.0 are affected. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2023-1668 to this issue. Mitigation ========== For any version of Open vSwitch, preventing packets with network protocol number '0' from reaching Open vSwitch will prevent the issue. This is difficult to achieve because Open vSwitch obtains packets before the iptables or nftables host firewall, so iptables or nftables on the Open vSwitch host cannot ordinarily block the vulnerability. Another method would be to add a high priority rule to the flow table explicitly matching on nw protocol '0' and handling that traffic separately: table=0 priority=32768,ip,nw_proto=0,actions=drop table=0 priority=32768,ipv6,nw_proto=0,actions=drop table=0 priority=32768,arp,arp_op=0,actions=drop All 3 OpenFlow rules should be added to every OVS bridge. This can be difficult to maintain during the service restart. Fix === Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer: * 3.1.x: https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9 * 3.0.x: https://github.com/openvswitch/ovs/commit/0ec9af260ad84225e758d249fa32151ddf8a6520 * 2.17.x: https://github.com/openvswitch/ovs/commit/27fb5db7f727ffc056f024f9ba4936facccb5f40 * 2.16.x: https://github.com/openvswitch/ovs/commit/42f2b4b9b9a3c11d38f180bf1e35c47b77cd4ce8 * 2.15.x: https://github.com/openvswitch/ovs/commit/f36509fd64e339ffd33593451099be6baa12ffe6 * 2.14.x: https://github.com/openvswitch/ovs/commit/b46505f4d26cd4612a533687e7884efcb7a74111 * 2.13.x: https://github.com/openvswitch/ovs/commit/7fa0106e8594c34f9e16efd87a58e38a947c6c5b Recommendation ============== We recommend that users of Open vSwitch apply the linked patches, or upgrade to a known patched version of Open vSwitch. These include: * 3.1.1 * 3.0.4 * 2.17.6 * 2.16.7 * 2.15.8 * 2.14.9 * 2.13.11 Acknowledgements ================ The Open vSwitch team wishes to thank the reporter: David Marchand <dmarchan@...hat.com> Download attachment "OpenPGP_0xB9F7EC77C829BF96.asc" of type "application/pgp-keys" (4740 bytes) Download attachment "OpenPGP_signature" of type "application/pgp-signature" (841 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.