On 4/6/23 19:37, Ilya Maximets wrote: > Description > =========== > > Multiple versions of Open vSwitch are vulnerable to crafted IP packets > with ip proto set to 0 causing a potential denial of service. > Triggering the vulnerability will require an attacker to send a crafted > IP packet with protocol field set to 0 and the flow rules to contain > 'set' actions on other fields in the IP protocol header. The resulting > flows will omit required actions, and fail to mask the IP protocol field, > resulting in a large bucket which captures all IP packets. > > All versions of Open vSwitch at least as early as 1.5.0 are affected. > > The Common Vulnerabilities and Exposures project (cve.mitre.org) has > assigned the identifier CVE-2023-1668 to this issue. > > > Mitigation > ========== > > For any version of Open vSwitch, preventing packets with network > protocol number '0' from reaching Open vSwitch will prevent the issue. > This is difficult to achieve because Open vSwitch obtains packets before > the iptables or nftables host firewall, so iptables or nftables on the > Open vSwitch host cannot ordinarily block the vulnerability. > > Another method would be to add a high priority rule to the flow table > explicitly matching on nw protocol '0' and handling that traffic > separately: > > table=0 priority=32768,ip,nw_proto=0,actions=drop > table=0 priority=32768,ipv6,nw_proto=0,actions=drop > table=0 priority=32768,arp,arp_op=0,actions=drop
Correction: Priorities for these flows should be set to 65535 instead. i.e. The maximum priority that can be set with OpenFlow. > > All 3 OpenFlow rules should be added to every OVS bridge. This can > be difficult to maintain during the service restart. > > > Fix > === > > Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer: > > * 3.1.x: > > https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9 > * 3.0.x: > > https://github.com/openvswitch/ovs/commit/0ec9af260ad84225e758d249fa32151ddf8a6520 > * 2.17.x: > > https://github.com/openvswitch/ovs/commit/27fb5db7f727ffc056f024f9ba4936facccb5f40 > * 2.16.x: > > https://github.com/openvswitch/ovs/commit/42f2b4b9b9a3c11d38f180bf1e35c47b77cd4ce8 > * 2.15.x: > > https://github.com/openvswitch/ovs/commit/f36509fd64e339ffd33593451099be6baa12ffe6 > * 2.14.x: > > https://github.com/openvswitch/ovs/commit/b46505f4d26cd4612a533687e7884efcb7a74111 > * 2.13.x: > > https://github.com/openvswitch/ovs/commit/7fa0106e8594c34f9e16efd87a58e38a947c6c5b > > > Recommendation > ============== > > We recommend that users of Open vSwitch apply the linked patches, or > upgrade to a known patched version of Open vSwitch. These include: > > * 3.1.1 > * 3.0.4 > * 2.17.6 > * 2.16.7 > * 2.15.8 > * 2.14.9 > * 2.13.11 > > > Acknowledgements > ================ > > The Open vSwitch team wishes to thank the reporter: > > David Marchand <dmarc...@redhat.com>
OpenPGP_0xB9F7EC77C829BF96.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
