Message-ID: <24e58df0-1efb-4832-b71c-a8548c4cdae0@redhat.com>
Date: Tue, 21 Jan 2025 21:00:34 -0500
From: Mark Michelson <mmichels@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Open Virtual Network egress access control list bypass.

Note: This release had to be fast-tracked because the security issue was 
made public before an embargo could be lifted. We are awaiting a CVE 
assignment and will update this advisory with the CVE number once it is 
assigned.

Description
===========
Multiple versions of OVN (Open Virtual Network) allow crafted UDP packets 
to bypass egress access control list (ACL) rules. This can result in 
unauthorized access to virtual machines and containers running on the 
OVN network.

OVN provides rudimentary DNS caching as an optional feature to speed up 
lookups of frequently-used domains. When this feature is enabled, due to 
the OpenFlow rules that OVN installs in Open vSwitch, it is possible for 
an attacker to craft a UDP packet that can bypass egress ACL rules. 
Egress ACL rules are those that have the "direction" set to "to-lport".

The OVN installation is vulnerable if a logical switch has DNS records 
set on it AND if the same switch has any egress ACLs configured on it. 
The switch is considered to have egress ACLs configured if the switch 
has an egress ACL configured directly on it using the "acls" column of 
the logical switch. A switch is also considered to have egress ACLs 
configured if any of its logical switch ports are part of a port group 
that has egress ACLs configured in its "acls" column.

A Python script (vuln_test.py) is attached to this advisory and can be 
used to determine if your installation is vulnerable. Run it in a 
location where "ovn-nbctl" is installed and can access the northbound 
database. The script prints to the console whether the installation 
is vulnerable.

Mitigation
==========
If the DNS records being used in OVN are accessible over the internet 
without using the built-in cache, then DNS caching can be disabled in 
OVN by clearing the "dns_records" column of all logical switches in the 
northbound database. Here is a command that can be used to accomplish this:

$ for s in $(ovn-nbctl list logical_switch | grep uuid | cut -f 2 -d ':') ; do ovn-nbctl clear logical_switch "$s" dns_records ; done

Doing this will incur a latency penalty for DNS lookups since the lookup 
will be carried out over the internet instead of being looked up in a 
local cache.

If OVN's DNS caching is required on the deployment, then a second 
mitigation might be to adjust ACLs from being evaluated on egress to 
being evaluated on ingress. ACLs whose "direction" column is set to 
"to-lport" are evaluated on egress and are vulnerable to being bypassed 
if OVN's DNS caching is enabled. ACLs whose "direction" column is set to 
"from-lport" are evaluated on ingress and are not vulnerable to being 
bypassed if OVN's DNS caching is enabled. An ACL can be evaluated on 
ingress as long as it does not attempt to match on the "outport" field. 
Ingress ACLs are capable of matching based on the results of load 
balancing if "options:apply-after-lb" is set to "true".

There is no one-size-fits-all command line solution for changing egress 
ACLs to ingress ACLs. Each ACL rule will need to be evaluated 
individually and changed over where possible.
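The following is an added example (not the attached vuln_test.py and not OVN project code) that models the vulnerability condition from the Description section and the "can this egress ACL move to ingress" rule above, over constructed in-memory data. It assumes the logical switch, port group and ACL rows have already been read out of the northbound database; the sample names are made up.

```python
"""Offline model of the advisory's checks over constructed sample data."""
import re
from dataclasses import dataclass


@dataclass
class ACL:
    direction: str  # "to-lport" (egress) or "from-lport" (ingress)
    match: str      # OVN match expression as stored in the "match" column


@dataclass
class PortGroup:
    ports: set      # logical switch port names in the group
    acls: list      # ACL rows referenced by the port group's "acls" column


@dataclass
class LogicalSwitch:
    name: str
    dns_records: list  # non-empty means DNS caching is active on the switch
    ports: set         # logical switch port names attached to the switch
    acls: list         # ACL rows referenced by the switch's "acls" column


def has_egress_acl(switch, port_groups):
    """Egress ACLs count whether set directly or via any port group
    containing one of the switch's ports."""
    if any(a.direction == "to-lport" for a in switch.acls):
        return True
    return any(a.direction == "to-lport"
               for pg in port_groups if pg.ports & switch.ports
               for a in pg.acls)


def vulnerable_switches(switches, port_groups):
    """Switches with DNS records AND egress ACLs, per the advisory."""
    return [s.name for s in switches
            if s.dns_records and has_egress_acl(s, port_groups)]


_OUTPORT = re.compile(r"\boutport\b")


def convertible_to_ingress(acl):
    """An egress ACL can be re-evaluated on ingress only if its match
    does not reference the "outport" field."""
    return acl.direction == "to-lport" and not _OUTPORT.search(acl.match)


# Constructed sample topology (hypothetical names).
PORT_GROUPS = [PortGroup({"vm3"}, [ACL("to-lport", "ip4 && tcp.dst == 443")])]
SWITCHES = [
    LogicalSwitch("ls-dns-egress", ["dns1"], {"vm1"}, [ACL("to-lport", "ip4")]),
    LogicalSwitch("ls-dns-ingress", ["dns1"], {"vm2"}, [ACL("from-lport", "ip4")]),
    LogicalSwitch("ls-dns-pg", ["dns1"], {"vm3"}, []),
    LogicalSwitch("ls-nodns", [], {"vm4"}, [ACL("to-lport", "ip4")]),
]
```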

If DNS caching is required and egress ACLs are required, then the only 
mitigation is to adjust the topology of the virtual network so that DNS 
caching and egress ACLs are not on the same logical switch.

Fix
===
Patches to fix this vulnerability in currently supported versions of OVN 
are as follows:

* 22.03.x: 
https://github.com/ovn-org/ovn/commit/f22a1ba9c127795bebcfbd41d772bb071f893a6d
* 24.03.x: 
https://github.com/ovn-org/ovn/commit/70618a65fd49f1d1d5498927c0bed63e296dafb7
* 24.09.x: 
https://github.com/ovn-org/ovn/commit/249c52ad011cacb4c182dc64e88977ac7c61f668

The original patch is located at:
https://mail.openvswitch.org/pipermail/ovs-dev/2025-January/419993.html

Recommendation
==============
We recommend that users of OVN apply the linked patches, or upgrade to a 
known patched version of OVN. These include:

v22.03.8
v24.03.5
v24.09.2

Acknowledgments
===============

The OVN team wishes to thank the reporters:

      Marius Berntsberg - marius@...pill-linpro.com
      Trygve Vea - tv@...pill-linpro.com
      Tore Anderson - tore@...pill-linpro.com
      Rodolfo Alonso - ralonsoh@...hat.com
      Jay Faulkner (Openstack VMT) - jay@....cc
      Brian Haley (Openstack/Neutron) - haleyb.dev@...il.com

In addition, a special acknowledgment is due to the Firewall 
Misconfiguration security research team at the University of California, 
Riverside - firewallresearch@....edu - 
https://firewall-research.cs.ucr.edu/misconfiguration/
View attachment "vuln_test.py" of type "text/x-python" (3063 bytes)
