[ovs-announce] [ADVISORY] CVE-2020-35498: Packet parsing vulnerability.
fbl at redhat.com
Wed Feb 10 14:53:47 UTC 2021
Multiple versions of Open vSwitch are vulnerable to potential problems
like denial of service attacks, in which crafted network packets could
cause the packet lookup to ignore network header fields from layers 3 and 4.
Both kernel and userspace datapaths are affected, including DPDK-enabled
Open vSwitch (OVS-DPDK) as an example of the latter.
The crafted network packet is an ordinary IPv4 or IPv6 packet with
Ethernet padding length above 255 bytes. This causes the packet sanity
check to abort parsing header fields after layer 2.
When that situation happens, the classifier will use an unexpected set
of header fields. This could cause the packet lookup to either match
on unintended flows or return the default table miss action 'drop'.
As a consequence, the datapath can be instructed to match on an
incorrect range of packets with an action to drop them, for example.
Further legitimate traffic could then hit the cached flow, keeping it
from expiring and extending the situation.
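The mechanism described above, as an added illustration that is not Open vSwitch code: the 255-byte threshold suggests a pad length kept in an 8-bit field, so the model below assumes that shape. A toy extractor computes the trailing padding of an Ethernet/IPv4 frame, and the vulnerable variant gives up on layer 3 once the padding no longer fits the 8-bit field, leaving a layer-2-only key; a one-rule flow table then returns the table-miss action 'drop' for a TCP frame it should have forwarded. The fixed variant widens the field to 16 bits. All frames are constructed inline; build_frame, extract_flow_vulnerable, extract_flow_fixed, lookup and classify are names chosen for this example.

```c
/* Toy model of the pad-length sanity check behind CVE-2020-35498.
 * Added illustration, not Open vSwitch code; the 8-bit pad field is an
 * assumption drawn from the advisory's 255-byte threshold. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HLEN       14
#define IPV4_HLEN      20
#define ETHERTYPE_IPV4 0x0800
#define FRAME_CAP      2048

enum action { ACT_DROP = 0, ACT_FORWARD = 1 };

/* Fields the lookup keys on. l3_valid == 0 means extraction stopped
 * after layer 2, so ip_proto carries no information. */
struct flow_key {
    uint16_t eth_type;
    uint8_t  l3_valid;
    uint8_t  ip_proto;
};

/* Constructed sample frame: Ethernet + IPv4 header (no payload) followed
 * by pad_len zero bytes. Returns the frame length, or 0 if it does not fit. */
size_t build_frame(uint8_t *buf, size_t cap, size_t pad_len, uint8_t ip_proto)
{
    size_t len = ETH_HLEN + IPV4_HLEN + pad_len;
    if (len > cap) {
        return 0;
    }
    memset(buf, 0, len);
    buf[12] = ETHERTYPE_IPV4 >> 8;
    buf[13] = ETHERTYPE_IPV4 & 0xff;
    uint8_t *ip = buf + ETH_HLEN;
    ip[0] = 0x45;                       /* version 4, IHL 5 */
    ip[2] = IPV4_HLEN >> 8;             /* total length covers header only */
    ip[3] = IPV4_HLEN & 0xff;
    ip[8] = 64;                         /* TTL */
    ip[9] = ip_proto;
    return len;
}

/* Layer-2 extraction plus the pad computation shared by both variants.
 * Returns the trailing pad length, or -1 if the frame is short, not IPv4,
 * or has a bogus total length; the key is then layer-2 only. */
static long extract_l2_and_pad(const uint8_t *frame, size_t len, struct flow_key *key)
{
    memset(key, 0, sizeof *key);
    if (len < ETH_HLEN) {
        return -1;
    }
    key->eth_type = (uint16_t)(frame[12] << 8 | frame[13]);
    if (key->eth_type != ETHERTYPE_IPV4 || len < ETH_HLEN + IPV4_HLEN) {
        return -1;
    }
    const uint8_t *ip = frame + ETH_HLEN;
    size_t l3_avail = len - ETH_HLEN;
    size_t tot_len = (size_t)(ip[2] << 8 | ip[3]);
    if (tot_len < IPV4_HLEN || tot_len > l3_avail) {
        return -1;                      /* truncated or malformed */
    }
    return (long)(l3_avail - tot_len);  /* bytes of trailing padding */
}

/* Vulnerable shape: padding must fit an 8-bit field, otherwise the sanity
 * check aborts and the layer-3 fields are never filled in. */
int extract_flow_vulnerable(const uint8_t *frame, size_t len, struct flow_key *key)
{
    long pad = extract_l2_and_pad(frame, len, key);
    if (pad < 0 || pad > UINT8_MAX) {
        return 0;                       /* parsing stopped after layer 2 */
    }
    key->l3_valid = 1;
    key->ip_proto = frame[ETH_HLEN + 9];
    return 1;
}

/* Fixed shape: a 16-bit pad field covers any padding a frame can carry. */
int extract_flow_fixed(const uint8_t *frame, size_t len, struct flow_key *key)
{
    long pad = extract_l2_and_pad(frame, len, key);
    if (pad < 0 || pad > UINT16_MAX) {
        return 0;
    }
    key->l3_valid = 1;
    key->ip_proto = frame[ETH_HLEN + 9];
    return 1;
}

/* One-rule flow table: forward IPv4 TCP; anything else is a table miss. */
enum action lookup(const struct flow_key *key)
{
    if (key->eth_type == ETHERTYPE_IPV4 && key->l3_valid && key->ip_proto == 6) {
        return ACT_FORWARD;
    }
    return ACT_DROP;
}

/* Build a TCP/IPv4 frame with pad_len padding, extract with the given
 * variant, and classify it. */
enum action classify(size_t pad_len, int (*extract)(const uint8_t *, size_t, struct flow_key *))
{
    uint8_t frame[FRAME_CAP];
    struct flow_key key;
    size_t len = build_frame(frame, sizeof frame, pad_len, 6 /* TCP */);
    if (len == 0) {
        return ACT_DROP;
    }
    extract(frame, len, &key);
    return lookup(&key);
}

int main(void)
{
    printf("pad 200, vulnerable: %s\n", classify(200, extract_flow_vulnerable) ? "forward" : "drop");
    printf("pad 300, vulnerable: %s\n", classify(300, extract_flow_vulnerable) ? "forward" : "drop");
    printf("pad 300, fixed:      %s\n", classify(300, extract_flow_fixed) ? "forward" : "drop");
    return 0;
}
```

The frame with 300 bytes of padding is a perfectly ordinary IPv4 packet; only the bookkeeping field is too narrow. Note that the vulnerable variant does not crash or misparse layer 2, which is why the result surfaces as wrong classification (a drop, or a match on an unintended wildcard flow) rather than as an obvious parser error.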
The Common Vulnerabilities and Exposures project (cve.mitre.org)
assigned the identifier CVE-2020-35498 to this issue.
For any version of Open vSwitch, preventing such packets from being
received by Open vSwitch, or removing the excess padding before they
are received by Open vSwitch, mitigates the vulnerability. We do not
recommend attempting to mitigate the vulnerability this way because
of the following difficulties:
- Open vSwitch obtains packets before the iptables or nftables
host firewall, so iptables or nftables on the Open vSwitch host
cannot ordinarily block the vulnerability.
- If Open vSwitch is configured to support tunnels, such packets
encapsulated within tunnels must also be prevented from reaching
Open vSwitch.
- If Open vSwitch runs on a hypervisor, such packets from VMs can
also trigger the vulnerability.
Patches to fix this vulnerability in Open vSwitch 2.5.x and newer are
applied to the various appropriate branches:
We recommend that users of Open vSwitch apply the included patch, or
upgrade to a known patched version of Open vSwitch. These include:
The Open vSwitch team wishes to thank the reporter:
Joakim Hindersson <joakim.hindersson at elastx.se>