Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 12 Mar 2024 15:00:08 +0100
From: Dumitru Ceara <dceara@...hat.com>
To: oss-security@...ts.openwall.com, ovs-announce@...nvswitch.org,
 ovs-discuss <ovs-discuss@...nvswitch.org>
Cc: Mark Michelson <mmichels@...hat.com>,
 Frode Nordahl <frode.nordahl@...onical.com>,
 Ilya Maximets <i.maximets@....org>,
 Lorenzo Bianconi <lorenzo.bianconi@...hat.com>
Subject: [ADVISORY] CVE-2024-2182: Open Virtual Network: Insufficient
 validation of incoming BFD packets.

Description
===========

Multiple versions of OVN (Open Virtual Network) are vulnerable to
crafted BFD packets potentially causing denial of service.

OVN supports configuration of gateway chassis and high-availability
chassis groups (via the Gateway_Chassis and HA_Chassis_Group tables in
the OVN_Northbound database).  These group cluster nodes (chassis)
together and provide high availability to them.  OVN logical switch and
router ports can be configured to reference such groups.  In this case
the traffic forwarding decision is influenced by the liveness of the
chassis listed in the group.

In such scenarios OVN automatically enables the OVS Bidirectional
Forwarding Detection (BFD) functionality to monitor the health of remote
nodes and tunnels between them.

BFD packets are transmitted in-band in tunnels that connect OVN chassis,
along with other traffic.  And, by default, OVS will process any BFD
packets received on a tunnel port with BFD enabled.  That makes it
possible for a VM or container connected to an OVN logical switch port
to send BFD packets that will be tunneled to another node and processed
by OVS, potentially changing the BFD state and affecting the forwarding
decisions.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the CVE-2024-2182 identifier to this issue.

A way to determine if BFD will be used is to issue the following
commands on the node that runs the OVN central components:

  $ ovn-nbctl --columns name,gateway_chassis list logical_router_port

If the above command returns more than a single gateway chassis
reference for a given port that means OVS BFD has been automatically
enabled.

  $ ovn-nbctl --columns name,ha_chassis list ha_chassis_group

The same applies if the above command returns groups that contain more
than one chassis.

Mitigation
==========

For any version of OVN, in order to prevent the issue, an ACL (Access
Control List) rule can be added to drop BFD packets originated from
logical ports.

For example, the following shell script would configure ACLs on all
existing OVN logical switches:

  for sw in $(ovn-nbctl --bare --columns name list logical_switch); do
      ovn-nbctl acl-add $sw from-lport 32767 'udp && udp.dst == 3784' drop
  done

If OVN is configured by a Cloud Management System (CMS, e.g., OpenStack)
then it is the responsibility of the CMS to program ACLs.  Manual user
configuration might otherwise be overwritten by the CMS.

We do not recommend attempting to mitigate the vulnerability this way
because this will also drop legitimate BFD traffic originated by the
workloads connected to logical switch ports, e.g., BFD sessions
established with external entities.

Fix
===

Patches to fix this vulnerability in currently supported versions of
OVN:

 * 22.03.x:
   https://github.com/ovn-org/ovn/commit/4fdfb2ba84dbc05492a4e37efc1e7af62185ed05
 * 23.03.x:
   https://github.com/ovn-org/ovn/commit/fec1ad85a29b714e42e2dac7e7290f3fb37895f7
 * 23.06.x:
   https://github.com/ovn-org/ovn/commit/adcd6be30098060bc4253d648b86946a63e6297b
 * 23.09.x:
   https://github.com/ovn-org/ovn/commit/c966c35f1b1cd8c5351ccac3051843fbf765c2ae
 * 24.03.x:
   https://github.com/ovn-org/ovn/commit/7852fccb60d0ae780163eac041b1457690c1e3f5

Original patch is located at:
  https://mail.openvswitch.org/pipermail/ovs-dev/2024-March/412425.html

Recommendation
==============

We recommend that users of OVN apply the linked patches, or upgrade to
a known patched version of OVN.  These include:

 * v22.03.7
 * v23.03.3
 * v23.06.3
 * v23.09.3
 * v24.03.1

Acknowledgments
===============

The OVN team wishes to thank the reporter:

  Frode Nordahl <frode.nordahl@...onical.com>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.