On 8/31/21 9:17 PM, Salvatore Bonaccorso wrote:
> Source: neutron
> Version: 2:18.1.0-2
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://launchpad.net/bugs/1939733
> X-Debbugs-Cc: car...@debian.org, Debian Security Team 
> <t...@security.debian.org>
> Control: found -1 2:17.1.1-6
> 
> Hi,
> 
> The following vulnerability was published for neutron.
> 
> CVE-2021-40085[0]:
> | An issue was discovered in OpenStack Neutron before 16.4.1, 17.x
> | before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can
> | reconfigure dnsmasq via a crafted extra_dhcp_opts value.
> 
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2021-40085
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40085
> [1] https://launchpad.net/bugs/1939733
> [2] https://www.openwall.com/lists/oss-security/2021/08/31/2
> 
> Please adjust the affected versions in the BTS as needed.
> 
> Regards,
> Salvatore

Dear Security team,

Please find attached the debdiff to close this bug in Bullseye. Let me
know if I can upload right away.

I'm preparing updates for Unstable and Buster (the patch applies kind of
cleanly in Buster as well, modulo a few tests).

Cheers,

Thomas Goirand (zigo)
diff -Nru neutron-17.1.1/debian/changelog neutron-17.1.1/debian/changelog
--- neutron-17.1.1/debian/changelog     2021-06-30 10:51:00.000000000 +0200
+++ neutron-17.1.1/debian/changelog     2021-08-25 16:53:24.000000000 +0200
@@ -1,3 +1,17 @@
+neutron (2:17.1.1-6+deb11u1) bullseye; urgency=medium
+
+  * CVE-2021-40085: By supplying a specially crafted extra_dhcp_opts value, an
+    authenticated user may add arbitrary configuration to the dnsmasq process
+    in order to crash the service, change parameters for other tenants sharing
+    the same interface, or otherwise alter that daemon's behavior. This
+    vulnerability may also be used to trigger a configuration parsing buffer
+    overflow in versions of dnsmasq prior to 2.81, which could lead to remote
+    code execution. All Neutron deployments are affected. Added upstream
+    patch: Remove dhcp_extra_opt value after first newline character.
+    (Closes: #993398)
+
+ -- Thomas Goirand <z...@debian.org>  Wed, 25 Aug 2021 16:53:24 +0200
+
 neutron (2:17.1.1-6) unstable; urgency=medium
 
   * Add fix-rootwrap-does-not-include-python-3.9.patch.
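Review bot: The header line `neutron (2:17.1.1-6+deb11u1) bullseye; urgency=medium` targets `bullseye`, but an upload that goes through the security team is normally addressed to `bullseye-security`. `urgency=medium` also sits oddly next to an entry that mentions possible remote code execution; consider `urgency=high`. The entry names the field `extra_dhcp_opts` in its first line and `dhcp_extra_opt` in the patch title; using one spelling would make the changelog easier to search.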
diff -Nru 
neutron-17.1.1/debian/patches/CVE-2021-40085-Remove-dhcp_extra_opt-value-after-first-newline-character.patch
 
neutron-17.1.1/debian/patches/CVE-2021-40085-Remove-dhcp_extra_opt-value-after-first-newline-character.patch
--- 
neutron-17.1.1/debian/patches/CVE-2021-40085-Remove-dhcp_extra_opt-value-after-first-newline-character.patch
        1970-01-01 01:00:00.000000000 +0100
+++ 
neutron-17.1.1/debian/patches/CVE-2021-40085-Remove-dhcp_extra_opt-value-after-first-newline-character.patch
        2021-08-25 16:53:24.000000000 +0200
@@ -0,0 +1,68 @@
+Author: Slawek Kaplonski <skapl...@redhat.com>
+Date: Mon, 23 Aug 2021 13:01:37 +0200
+Description: CVE-2021-40085 Remove dhcp_extra_opt value after first newline 
character
+ Passing newline to the dnsmasq may cause security issues, especially
+ that in case of Neutron that dhcp options' values are controlled by
+ cloud users.
+ This patch removes everything what is after first newline character
+ in the dhcp_extra_opt's values before passing them to dnsmasq.
+Closes-Bug: https://bugs.launchpad.net/neutron/+bug/1939733
+Change-Id: Ifeaf258f0b5ea86f25620ac4116d618980a7272e
+Bug-Debian: https://bugs.debian.org/993398
+Last-Update: 2021-09-01
+
+Index: neutron/neutron/agent/linux/dhcp.py
+===================================================================
+--- neutron.orig/neutron/agent/linux/dhcp.py
++++ neutron/neutron/agent/linux/dhcp.py
+@@ -1293,10 +1293,11 @@ class Dnsmasq(DhcpLocalProcess):
+         elif not option.isdigit():
+             option = 'option:%s' % option
+         if extra_tag:
+-            tags = ('tag:' + tag, extra_tag[:-1], '%s' % option)
++            tags = ['tag:' + tag, extra_tag[:-1], '%s' % option]
+         else:
+-            tags = ('tag:' + tag, '%s' % option)
+-        return ','.join(tags + args)
++            tags = ['tag:' + tag, '%s' % option]
++
++        return ','.join(tags + [v.split("\n", 1)[0] for v in args])
+ 
+     @staticmethod
+     def _convert_to_literal_addrs(ip_version, ips):
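Review bot: The new return line, `','.join(tags + [v.split("\n", 1)[0] for v in args])`, filters only the `\n` character and only the elements of `args`; `option` and `tag` are joined into the same dnsmasq line without that treatment, and no other control character is handled. If those fields are not validated elsewhere, run them through the same filter, or reject control characters outright rather than truncating. The truncation is also silent: a warning log when a value is shortened would give operators a signal that a port carries a crafted option.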
+Index: neutron/neutron/tests/unit/agent/linux/test_dhcp.py
+===================================================================
+--- neutron.orig/neutron/tests/unit/agent/linux/test_dhcp.py
++++ neutron/neutron/tests/unit/agent/linux/test_dhcp.py
+@@ -230,6 +230,9 @@ class FakeV6PortExtraOpt(object):
+         self.extra_dhcp_opts = [
+             DhcpOpt(opt_name='dns-server',
+                     opt_value='ffea:3ba5:a17a:4ba3::100',
++                    ip_version=constants.IP_VERSION_6),
++            DhcpOpt(opt_name='malicious-option',
++                    opt_value='aaa\nbbb.ccc\n',
+                     ip_version=constants.IP_VERSION_6)]
+ 
+ 
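Review bot: The only new fixture value, `opt_value='aaa\nbbb.ccc\n'`, is added to `FakeV6PortExtraOpt`, so the IPv4 path is not exercised, and neither is a value that begins with a newline. With the `split("\n", 1)[0]` fix such a value becomes an empty string and the generated line ends in a trailing comma, which deserves an explicit assertion. Suggest adding a `DhcpOpt` with `opt_value='\nbbb'` and an IPv4 counterpart of the malicious option, each with its expected opts-file output.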
+@@ -2847,7 +2850,9 @@ class TestDnsmasq(TestBase):
+         exp_opt_data = ('tag:subnet-eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee,'
+                         'option6:domain-search,openstacklocal\n'
+                         'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
+-                        
'option6:dns-server,ffea:3ba5:a17a:4ba3::100').lstrip()
++                        'option6:dns-server,ffea:3ba5:a17a:4ba3::100\n'
++                        'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
++                        'option6:malicious-option,aaa').lstrip()
+         dm = self._get_dnsmasq(FakeV6NetworkStatelessDHCP())
+         dm._output_hosts_file()
+         dm._output_opts_file()
+Index: 
neutron/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml
+===================================================================
+--- /dev/null
++++ 
neutron/releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml
+@@ -0,0 +1,6 @@
++---
++security:
++  - |
++    Fix `bug 1939733 <https://bugs.launchpad.net/neutron/+bug/1939733>`_ by
++    dropping from the dhcp extra option values everything what is after first
++    newline (``\n``) character before passing them to the dnsmasq.
diff -Nru neutron-17.1.1/debian/patches/series 
neutron-17.1.1/debian/patches/series
--- neutron-17.1.1/debian/patches/series        2021-06-30 10:51:00.000000000 
+0200
+++ neutron-17.1.1/debian/patches/series        2021-08-25 16:53:24.000000000 
+0200
@@ -1,3 +1,4 @@
 Floating_IP_s_for_routed_networks.patch
 CVE-2021-20267_Restrict_IPv6_NA_and_DHCPv6_IP_and_MAC_source_addresses.patch
 fix-rootwrap-does-not-include-python-3.9.patch
+CVE-2021-40085-Remove-dhcp_extra_opt-value-after-first-newline-character.patch
