[ovs-dev] [ADVISORY] CVE-2015-8011: lldpd buffer overflow when decoding malformed packets

Aaron Conole aconole at redhat.com
Wed Jan 13 16:19:08 UTC 2021 

Description
===========

Multiple versions of Open vSwitch are vulnerable to remote buffer
overflow attacks in which crafted LLDP packets could overflow the
buffer reserved for management address information in an internal
OVS data structure.  Triggering the vulnerability requires LLDP
processing to be enabled for a specific port.  Open vSwitch
versions before 2.5.x are not vulnerable.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
previously assigned the identifier CVE-2015-8011 to this issue for
the `lldpd` project, and is appropriate here since Open vSwitch uses
the same `lldpd` code.


Mitigation
==========

For any version of Open vSwitch, preventing LLDP packets from
reaching Open vSwitch mitigates the vulnerability.  We do not recommend
attempting to mitigate the vulnerability this way because of the
following difficulties:

    - Open vSwitch obtains packets before the iptables host firewall,
      so ebtables on the Open vSwitch host cannot ordinarily block the
      vulnerability.

    - If Open vSwitch is configured to receive and transmit LLDP
      messages, the required functionality will need to be disabled
      potentially disrupting the network.

We have found that Open vSwitch is subject to a remote code execution
exploit when LLDP processing is enabled on an interface.  By default,
interfaces are not configured to process LLDP messages.


Fix
===

Patches to fix these vulnerabilities in Open vSwitch 2.5.x and newer are
applied to the various appropriate branches, and the original patch is
located at:

   https://mail.openvswitch.org/pipermail/ovs-dev/2020-November/377394.html


Recommendation
==============

We recommend that users of Open vSwitch apply the respective patch, or
upgrade to a known patched version of Open vSwitch.  These include:

* 2.14.1
* 2.13.2
* 2.12.2
* 2.11.5
* 2.10.6
* 2.9.8
* 2.8.10
* 2.7.12
* 2.6.9


Acknowledgments
===============

The Open vSwitch team wishes to thank the reporter:

  Jonas Rudloff <jonas.t.rudloff at gmail.com>

More information about the dev mailing list