Message-ID: <90517d36-940a-42c3-904e-286bf2a0d98f@redhat.com>
Date: Wed, 22 Jan 2025 13:56:34 -0500
From: Mark Michelson <mmichels@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Open Virtual Network egress access control list bypass.

On 1/21/25 21:00, Mark Michelson wrote:
> Note: This release had to be fast-tracked because the security issue was 
> made public before an embargo could be lifted. We are awaiting a CVE 
> assignment and will update this advisory with the CVE number once it is 
> assigned.

CVE-2025-0650 has been assigned to this vulnerability.

> 
> Description
> ===========
> Multiple versions of OVN (Open Virtual Network) are vulnerable to 
> allowing crafted UDP packets to bypass egress access control list (ACL) 
> rules. This can result in unauthorized access to virtual machines and 
> containers running on the OVN network.
> 
> OVN provides rudimentary DNS caching as an optional feature to speed up 
> lookups of frequently-used domains. When this feature is enabled, due to 
> the OpenFlow rules that OVN installs in Open vSwitch, it is possible for 
> an attacker to craft a UDP packet that can bypass egress ACL rules. 
> Egress ACL rules are those that have the "direction" set to "to-lport".
> 
> The OVN installation is vulnerable if a logical switch has DNS records 
> set on it AND if the same switch has any egress ACLs configured on it. 
> The switch is considered to have egress ACLs configured if the switch 
> has an egress ACL configured directly on it using the "acls" column of 
> the logical switch. A switch is also considered to have egress ACLs 
> configured if any of its logical switch ports are part of a port group 
> that has egress ACLs configured in its "acls" column.
> 
> A Python script (vuln_test.py) is attached to this advisory and can be 
> used to determine if your installation is vulnerable. Run it in a 
> location where "ovn-nbctl" is installed and can access the northbound 
> database. The script will print to the console whether the installation 
> is vulnerable.
> 
> Mitigation
> ==========
> If the DNS records being used in OVN are accessible over the internet 
> without using the built-in cache, then DNS caching can be disabled in 
> OVN by clearing the "dns_records" column of all logical switches in the 
> northbound database. Here is a command that can be used to accomplish this:
> 
> $ for s in $(ovn-nbctl list logical_switch | grep uuid | cut -f 2 -d 
> ':') ; do ovn-nbctl clear logical_switch "$s" dns_records ; done
> 
> Doing this will incur a latency penalty for DNS lookups since the lookup 
> will be carried out over the internet instead of being looked up in a 
> local cache.
> 
> If OVN's DNS caching is required on the deployment, then a second 
> mitigation might be to adjust ACLs from being evaluated on egress to 
> being evaluated on ingress. ACLs whose "direction" column is set to 
> "to-lport" are evaluated on egress and are vulnerable to being bypassed 
> if OVN's DNS caching is enabled. ACLs whose "direction" column is set to 
> "from-lport" are evaluated on ingress and are not vulnerable to being 
> bypassed if OVN's DNS caching is enabled. An ACL can be evaluated on 
> ingress as long as it does not attempt to match on the "outport" field. 
> Ingress ACLs are capable of matching based on the results of load 
> balancing if "options:apply-after-lb" is set to "true".
> 
> There is no one-size-fits-all command line solution for changing egress 
> ACLs to ingress ACLs. Each ACL rule will need to be evaluated and 
> changed over if possible.
> 
> If DNS caching is required and egress ACLs are required, then the only 
> mitigation is to adjust the topology of the virtual network so that DNS 
> caching and egress ACLs are not on the same logical switch.
> 
> Fix
> ===
> Patches to fix this vulnerability in currently supported versions of OVN 
> are as follows:
> 
> * 22.03.x: 
> https://github.com/ovn-org/ovn/commit/f22a1ba9c127795bebcfbd41d772bb071f893a6d
> * 24.03.x: 
> https://github.com/ovn-org/ovn/commit/70618a65fd49f1d1d5498927c0bed63e296dafb7
> * 24.09.x: 
> https://github.com/ovn-org/ovn/commit/249c52ad011cacb4c182dc64e88977ac7c61f668
> 
> The original patch is located at:
> https://mail.openvswitch.org/pipermail/ovs-dev/2025-January/419993.html
> 
> Recommendation
> ==============
> We recommend that users of OVN apply the linked patches, or upgrade to a 
> known patched version of OVN. These include:
> 
> v22.03.8
> v24.03.5
> v24.09.2
> 
> Acknowledgments
> ===============
> 
> The OVN team wishes to thank the reporters:
> 
>       Marius Berntsberg - marius@...pill-linpro.com
>       Trygve Vea - tv@...pill-linpro.com
>       Tore Anderson - tore@...pill-linpro.com
>       Rodolfo Alonso - ralonsoh@...hat.com
>       Jay Faulkner (Openstack VMT) - jay@....cc
>       Brian Haley (Openstack/Neutron) - haleyb.dev@...il.com
> 
> In addition, a special acknowledgment is due to the Firewall 
> Misconfiguration security research team at the University of California, 
> Riverside - firewallresearch@....edu - 
> https://firewall-research.cs.ucr.edu/misconfiguration/
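
The exposure criteria from the Description section above (DNS records on a logical switch AND a "to-lport" ACL reachable either through the switch's own "acls" column or through a port group containing one of the switch's ports), expressed as a small checker. This is an added example, not the attached vuln_test.py; the northbound state is a constructed, simplified dictionary model with placeholder UUIDs, not the real ovn-nbctl output format.

```python
"""Check which OVN logical switches match the CVE-2025-0650 exposure
criteria described in the advisory: DNS records configured AND an egress
(to-lport) ACL, either directly in the switch's "acls" column or via a
port group that contains one of the switch's ports.

The northbound database is modelled as plain dictionaries keyed by UUID
(a constructed stand-in for ovn-nbctl output, not its real format)."""


def has_egress_acl(acl_uuids, acls):
    """True if any referenced ACL has direction 'to-lport' (evaluated on egress)."""
    return any(acls[u]["direction"] == "to-lport" for u in acl_uuids)


def find_vulnerable_switches(nb):
    """Return the names of logical switches matching both advisory criteria."""
    acls = nb["acl"]
    port_groups = nb["port_group"]
    vulnerable = []
    for sw in nb["logical_switch"].values():
        if not sw["dns_records"]:
            continue  # no DNS caching on this switch: first criterion not met
        if has_egress_acl(sw["acls"], acls):
            vulnerable.append(sw["name"])
            continue
        # Egress ACLs attached through a port group count if any of the
        # switch's ports is a member of that group.
        for pg in port_groups.values():
            if set(pg["ports"]) & set(sw["ports"]) and has_egress_acl(pg["acls"], acls):
                vulnerable.append(sw["name"])
                break
    return vulnerable


# Constructed sample northbound state (placeholder identifiers, not a real deployment).
SAMPLE_NB = {
    "acl": {
        "acl-egress": {"direction": "to-lport", "match": "ip4", "action": "drop"},
        "acl-ingress": {"direction": "from-lport", "match": "ip4", "action": "allow"},
    },
    "port_group": {
        "pg-web": {"ports": ["lsp-b1"], "acls": ["acl-egress"]},
    },
    "logical_switch": {
        "ls-a": {"name": "ls-a", "dns_records": ["dns-1"], "acls": ["acl-egress"], "ports": ["lsp-a1"]},
        "ls-b": {"name": "ls-b", "dns_records": ["dns-1"], "acls": [], "ports": ["lsp-b1"]},
        "ls-c": {"name": "ls-c", "dns_records": ["dns-1"], "acls": ["acl-ingress"], "ports": ["lsp-c1"]},
        "ls-d": {"name": "ls-d", "dns_records": [], "acls": ["acl-egress"], "ports": ["lsp-d1"]},
    },
}

if __name__ == "__main__":
    hits = find_vulnerable_switches(SAMPLE_NB)
    print("VULNERABLE: " + ", ".join(hits) if hits else "Not vulnerable")
```

In the sample, ls-a is flagged through its own ACL column, ls-b only through the port group, while ls-c (ingress ACL only) and ls-d (no DNS records) are not.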
