[ovs-announce] [ADVISORY] CVE-2023-1668: Open vSwitch: Remote traffic denial of service via crafted packets with IP proto 0

Ilya Maximets i.maximets at ovn.org
Thu Apr 6 17:55:29 UTC 2023


On 4/6/23 19:37, Ilya Maximets wrote:
> Description
> ===========
> 
> Multiple versions of Open vSwitch are vulnerable to crafted IP packets
> with ip proto set to 0 causing a potential denial of service.
> Triggering the vulnerability will require an attacker to send a crafted
> IP packet with protocol field set to 0 and the flow rules to contain
> 'set' actions on other fields in the IP protocol header.  The resulting
> flows will omit required actions, and fail to mask the IP protocol field,
> resulting in a large bucket which captures all IP packets.
> 
> All versions of Open vSwitch at least as early as 1.5.0 are affected.
> 
> The Common Vulnerabilities and Exposures project (cve.mitre.org) has
> assigned the identifier CVE-2023-1668 to this issue.
> 
> 
> Mitigation
> ==========
> 
> For any version of Open vSwitch, preventing packets with network
> protocol number '0' from reaching Open vSwitch will prevent the issue.
> This is difficult to achieve because Open vSwitch obtains packets before
> the iptables or nftables host firewall, so iptables or nftables on the
> Open vSwitch host cannot ordinarily block the vulnerability.
> 
> Another method would be to add a high priority rule to the flow table
> explicitly matching on nw protocol '0' and handling that traffic
> separately:
> 
>     table=0 priority=32768,ip,nw_proto=0,actions=drop
>     table=0 priority=32768,ipv6,nw_proto=0,actions=drop
>     table=0 priority=32768,arp,arp_op=0,actions=drop

Correction:

  Priorities for these flows should be set to 65535 instead.
  i.e. The maximum priority that can be set with OpenFlow.

> 
> All 3 OpenFlow rules should be added to every OVS bridge.  This can
> be difficult to maintain during the service restart.
> 
> 
> Fix
> ===
> 
> Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer:
> 
> * 3.1.x:
>   https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9
> * 3.0.x:
>   https://github.com/openvswitch/ovs/commit/0ec9af260ad84225e758d249fa32151ddf8a6520
> * 2.17.x:
>   https://github.com/openvswitch/ovs/commit/27fb5db7f727ffc056f024f9ba4936facccb5f40
> * 2.16.x:
>   https://github.com/openvswitch/ovs/commit/42f2b4b9b9a3c11d38f180bf1e35c47b77cd4ce8
> * 2.15.x:
>   https://github.com/openvswitch/ovs/commit/f36509fd64e339ffd33593451099be6baa12ffe6
> * 2.14.x:
>   https://github.com/openvswitch/ovs/commit/b46505f4d26cd4612a533687e7884efcb7a74111
> * 2.13.x:
>   https://github.com/openvswitch/ovs/commit/7fa0106e8594c34f9e16efd87a58e38a947c6c5b
> 
> 
> Recommendation
> ==============
> 
> We recommend that users of Open vSwitch apply the linked patches, or
> upgrade to a known patched version of Open vSwitch.  These include:
> 
> * 3.1.1
> * 3.0.4
> * 2.17.6
> * 2.16.7
> * 2.15.8
> * 2.14.9
> * 2.13.11
> 
> 
> Acknowledgements
> ================
> 
> The Open vSwitch team wishes to thank the reporter:
> 
>       David Marchand <dmarchan at redhat.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xB9F7EC77C829BF96.asc
Type: application/pgp-keys
Size: 4739 bytes
Desc: OpenPGP public key
URL: <http://mail.openvswitch.org/pipermail/ovs-announce/attachments/20230406/6b12d550/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://mail.openvswitch.org/pipermail/ovs-announce/attachments/20230406/6b12d550/attachment-0001.sig>


More information about the announce mailing list