Message-ID: <e49accc1-7fe2-5427-b26a-8497c52384b4@redhat.com>
Date: Wed, 10 Feb 2021 11:53:47 -0300
From: Flavio Leitner <fbl@...hat.com>
To: oss-security@...ts.openwall.com, ovs-announce@...nvswitch.org,
 ovs-discuss@...nvswitch.org
Cc: fbl@...hat.com, Ilya Maximets <i.maximets@....org>
Subject: CVE-2020-35498: Open vSwitch: Packet parsing vulnerability

Description
===========

Multiple versions of Open vSwitch are vulnerable to potential problems
like denial of service attacks, in which crafted network packets could
cause the packet lookup to ignore network header fields from layers 3
and 4.

Both the kernel and userspace datapaths are affected; DPDK-enabled
Open vSwitch (OVS-DPDK) is an example of the latter.

The crafted network packet is an ordinary IPv4 or IPv6 packet with
Ethernet padding length above 255 bytes. This causes the packet sanity
check to abort parsing header fields after layer 2.

When that situation happens, the classifier will use an unexpected set
of header fields. This could cause the packet lookup to either match
on unintended flows or return the default table miss action 'drop'.

As a consequence, the datapath can be instructed to match on an
incorrect range of packets with an action to drop them, for example.
Further legitimate traffic could then hit the cached flow, preventing
it from expiring and prolonging the situation.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the identifier CVE-2020-35498 to this issue.

Mitigation
==========

For any version of Open vSwitch, preventing such packets from being
received by Open vSwitch, or removing the excess padding before they
are received by Open vSwitch, mitigates the vulnerability. We do not
recommend attempting to mitigate the vulnerability this way because
of the following difficulties:

      - Open vSwitch obtains packets before the iptables or nftables
        host firewall, so iptables or nftables on the Open vSwitch host
        cannot ordinarily block the vulnerability.

      - If Open vSwitch is configured to support tunnels, such packets
        encapsulated within tunnels must also be prevented from reaching
        the host.

      - If Open vSwitch runs on a hypervisor, such packets from VMs can
        also trigger the vulnerability.


Fix
===

Patches to fix these vulnerabilities in Open vSwitch 2.5.x and newer are
applied to the various appropriate branches:

* master
https://github.com/openvswitch/ovs/commit/79349cbab0b2a755140eedb91833ad2760520a83

* 2.15
https://github.com/openvswitch/ovs/commit/0625dc79aec73b966f206e55655a2816696246d0

* 2.14
https://github.com/openvswitch/ovs/commit/59b588604b89e85b463984ba08a99badb4fcba15

* 2.13
https://github.com/openvswitch/ovs/commit/3512fb512c76a1f08eba4005aa2eb69160d0840e

* 2.12
https://github.com/openvswitch/ovs/commit/53c1b8b166f3dd217bc391d707885f789e9ecc49

* 2.11
https://github.com/openvswitch/ovs/commit/abd7a457652e6734902720fe6a5dddb3fc0d1e3b

* 2.10
https://github.com/openvswitch/ovs/commit/79cec1a736b91548ec882d840986a11affda1068

* 2.9
https://github.com/openvswitch/ovs/commit/48ceca0446b1c2c2c03e7551048c5b19ed23cc97

* 2.8
https://github.com/openvswitch/ovs/commit/35c280072c1c3ed58202745b7d27fbbd0736999b

* 2.7
https://github.com/openvswitch/ovs/commit/ad0d22f6435b43ecfc30c0e877d490d36721f200

* 2.6
https://github.com/openvswitch/ovs/commit/673c08eee8c8d4f2999ddd31524de7ff0f72b559

* 2.5
https://github.com/openvswitch/ovs/commit/354e7d860e444fd1472541b0fdc3b8678aa74828


Recommendation
==============

We recommend that users of Open vSwitch apply the included patch, or
upgrade to a known patched version of Open vSwitch.  These include:

* 2.14.2
* 2.13.3
* 2.12.3
* 2.11.6
* 2.10.7
* 2.9.9
* 2.8.11
* 2.7.13
* 2.6.10
* 2.5.12


Acknowledgments
===============

The Open vSwitch team wishes to thank the reporter:

     Joakim Hindersson <joakim.hindersson@...stx.se>
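
Added example, not part of the advisory and not taken from the Open vSwitch
code or its patches: a C check for the condition given in the Description (an
IPv4 or IPv6 frame with Ethernet padding above 255 bytes), usable when
reviewing captures or building regression inputs for a patched build. The
function names and the sample frame are assumptions, and the frame buffer is
assumed to exclude the FCS.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAD_LIMIT 255 /* advisory: padding "above 255 bytes" */
static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }
/* Bytes trailing the IP datagram, or -1 when the frame is not a well-formed
 * IPv4/IPv6 frame (truncated, other EtherType, inconsistent length). */
long eth_padding(const uint8_t *f, size_t len)
{
    size_t off = 12, l3, ip_len;
    unsigned type;
    if (len < 14) return -1;
    for (type = be16(f + off); type == 0x8100 || type == 0x88a8; type = be16(f + off)) {
        off += 4;                                 /* skip one VLAN tag */
        if (len < off + 2) return -1;
    }
    off += 2;
    l3 = len - off;
    if (type == 0x0800) {                         /* IPv4: total length field */
        if (l3 < 20 || (f[off] >> 4) != 4) return -1;
        ip_len = be16(f + off + 2);
        if (ip_len < 20) return -1;
    } else if (type == 0x86dd) {                  /* IPv6: 40 + payload length */
        if (l3 < 40 || (f[off] >> 4) != 6) return -1;
        ip_len = 40 + be16(f + off + 4);
        if (ip_len == 40 && f[off + 6] == 0) return -1; /* possible jumbogram */
    } else return -1;
    return ip_len > l3 ? -1 : (long)(l3 - ip_len);
}

int exceeds_pad_limit(const uint8_t *f, size_t len) { return eth_padding(f, len) > PAD_LIMIT; }
/* Constructed sample: zeroed addresses, bare 20-byte IPv4 header, `pad` zero bytes. */
size_t sample_ipv4(uint8_t *buf, size_t pad)
{
    memset(buf, 0, 34 + pad);
    buf[12] = 0x08;                               /* EtherType 0x0800 */
    buf[14] = 0x45; buf[17] = 20;                 /* version/IHL, total length 20 */
    return 34 + pad;
}

int main(void)
{
    uint8_t buf[600];
    size_t n = sample_ipv4(buf, 256);
    printf("padding=%ld flagged=%d\n", eth_padding(buf, n), exceeds_pad_limit(buf, n));
    return 0;
}
```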





