From aconole at redhat.com Wed Jan 13 16:19:08 2021 From: aconole at redhat.com (Aaron Conole) Date: Wed, 13 Jan 2021 11:19:08 -0500 Subject: [ovs-announce] [ADVISORY] CVE-2015-8011: lldpd buffer overflow when decoding malformed packets Message-ID: Description =========== Multiple versions of Open vSwitch are vulnerable to remote buffer overflow attacks in which crafted LLDP packets could overflow the buffer reserved for management address information in an internal OVS data structure. Triggering the vulnerability requires LLDP processing to be enabled for a specific port. Open vSwitch versions before 2.5.x are not vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) previously assigned the identifier CVE-2015-8011 to this issue for the `lldpd` project, and is appropriate here since Open vSwitch uses the same `lldpd` code. Mitigation ========== For any version of Open vSwitch, preventing LLDP packets from reaching Open vSwitch mitigates the vulnerability. We do not recommend attempting to mitigate the vulnerability this way because of the following difficulties: - Open vSwitch obtains packets before the iptables host firewall, so ebtables on the Open vSwitch host cannot ordinarily block the vulnerability. - If Open vSwitch is configured to receive and transmit LLDP messages, the required functionality will need to be disabled potentially disrupting the network. We have found that Open vSwitch is subject to a remote code execution exploit when LLDP processing is enabled on an interface. By default, interfaces are not configured to process LLDP messages. Fix === Patches to fix these vulnerabilities in Open vSwitch 2.5.x and newer are applied to the various appropriate branches, and the original patch is located at: https://mail.openvswitch.org/pipermail/ovs-dev/2020-November/377394.html Recommendation ============== We recommend that users of Open vSwitch apply the respective patch, or upgrade to a known patched version of Open vSwitch. These include: * 2.14.1 * 2.13.2 * 2.12.2 * 2.11.5 * 2.10.6 * 2.9.8 * 2.8.10 * 2.7.12 * 2.6.9 Acknowledgments =============== The Open vSwitch team wishes to thank the reporter: Jonas Rudloff From aconole at redhat.com Wed Jan 13 16:19:15 2021 From: aconole at redhat.com (Aaron Conole) Date: Wed, 13 Jan 2021 11:19:15 -0500 Subject: [ovs-announce] [ADVISORY] CVE-2020-27827: lldp: Externally triggered memory leak. Message-ID: Description =========== Multiple versions of Open vSwitch are vulnerable to denial of service attacks in which crafted LLDP packets could cause memory to be lost when allocating data to handle specific optional TLVs. Triggering the vulnerability requires LLDP processing to be enabled for a specific port. Open vSwitch versions before 2.5.x are not vulnerable. The Common Vulnerabilities and Exposures project (cve.mitre.org) previously assigned the identifier CVE-2020-27827 to this issue for the `lldpd` project, and the Open vSwitch project. Mitigation ========== For any version of Open vSwitch, preventing LLDP packets from reaching Open vSwitch mitigates the vulnerability. We do not recommend attempting to mitigate the vulnerability this way because of the following difficulties: - Open vSwitch obtains packets before the iptables host firewall, so ebtables on the Open vSwitch host cannot ordinarily block the vulnerability. - If Open vSwitch is configured to receive and transmit LLDP messages, the required functionality will need to be disabled potentially disrupting the network. We have found that Open vSwitch is subject to a denial of service exploit when LLDP processing is enabled on an interface. By default, interfaces are not configured to process LLDP messages. Recommendation ============== We recommend that users of Open vSwitch apply the included patch, or upgrade to a known patched version of Open vSwitch. These include: * 2.14.1 * 2.13.2 * 2.12.2 * 2.11.5 * 2.10.6 * 2.9.8 * 2.8.10 * 2.7.12 * 2.6.9 Acknowledgments =============== The Open vSwitch team wishes to thank the reporter: Jonas Rudloff Fix: The patch to resolve this issue is attached. Reported-by: Jonas Rudloff Signed-off-by: Aaron Conole --- diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c index e5755307fb..18afbab9a7 100644 --- a/lib/lldp/lldp.c +++ b/lib/lldp/lldp.c @@ -513,10 +513,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char *frame, int s, b = xzalloc(tlv_size + 1); PEEK_BYTES(b, tlv_size); if (tlv_type == LLDP_TLV_PORT_DESCR) { + free(port->p_descr); port->p_descr = b; } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) { + free(chassis->c_name); chassis->c_name = b; } else { + free(chassis->c_descr); chassis->c_descr = b; } break; --- From i.maximets at ovn.org Wed Jan 13 19:23:05 2021 From: i.maximets at ovn.org (Ilya Maximets) Date: Wed, 13 Jan 2021 14:23:05 -0500 Subject: [ovs-announce] 2.14.1, 2.13.2, 2.12.2, 2.11.5, 2.10.6, 2.9.8, 2.8.10, 2.7.12, 2.6.9 and 2.5.11 Available. Message-ID: <20210113192305.231804-1-i.maximets@ovn.org> The Open vSwitch team is pleased to announce a number of bug fix releases: Latest release: https://www.openvswitch.org/releases/openvswitch-2.14.1.tar.gz Current LTS series: https://www.openvswitch.org/releases/openvswitch-2.13.2.tar.gz Previous LTS series (EOL: Feb 2021): https://www.openvswitch.org/releases/openvswitch-2.5.11.tar.gz Other: https://www.openvswitch.org/releases/openvswitch-2.12.2.tar.gz https://www.openvswitch.org/releases/openvswitch-2.11.5.tar.gz https://www.openvswitch.org/releases/openvswitch-2.10.6.tar.gz https://www.openvswitch.org/releases/openvswitch-2.9.8.tar.gz https://www.openvswitch.org/releases/openvswitch-2.8.10.tar.gz https://www.openvswitch.org/releases/openvswitch-2.7.12.tar.gz https://www.openvswitch.org/releases/openvswitch-2.6.9.tar.gz Among other bug fixes and improvements, these releases also include fixes for LLDP security issues: CVE-2020-27827 and CVE-2015-8011. --The Open vSwitch Team Open vSwitch is a production quality, multilayer open source virtual switch. It is designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces. Open vSwitch can operate both as a soft switch running within the hypervisor, and as the control stack for switching silicon. It has been ported to multiple virtualization platforms and switching chipsets.