[OSSA-2021-004] Linuxbridge ARP filter bypass on Netfilter platforms (CVE-2021-38598)
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Security Advisory | Fix Released | High | Jeremy Stanley | |
| neutron | Fix Released | Undecided | Rodolfo Alonso | |
Bug Description
We are running an OpenStack cloud with linux bridge. We have found that, in certain conditions, ARP spoofing protection is not working as intended. This allows a user to do bad things like spoof gratuitous ARP to DoS another user's virtual machine. More details below.
In an environment using linux bridge, neutron-
:neutronMAC-
:neutronARP-
-A PREROUTING -i tapdb545a8c-8f -j neutronMAC-
-A PREROUTING -p ARP -i tapdb545a8c-8f -j neutronARP-
-A neutronMAC-
-A neutronARP-
The neutronARP-xxx chain, however, has a problem during the creation of it. The source for that [1] looks like this:
ebtables(['-N', vif_chain, '-P', 'DROP'])
ebtables(['-F', vif_chain])
This creates a chain with default policy of DROP, and FLUSHes any existing rules.
However, we have found that in certain OSes, the FLUSH reverts the default policy back to RETURN. E.g.
root@jake-focal:~# ebtables -t nat -N newchain -P DROP
root@jake-focal:~# ebtables-save | grep newchain
:newchain DROP
root@jake-focal:~# ebtables -t nat -F newchain
root@jake-focal:~# ebtables-save | grep newchain
:newchain RETURN
root@jake-focal:~# ebtables --version
ebtables 1.8.4 (nf_tables)
The OSes that exhibit this issue seem to be OSes that use ebtables-nft - Ubuntu Focal, CentOS Stream.
Ubuntu Bionic is fine. E.g.
root@jake-
root@jake-
:newchain DROP
root@jake-
root@jake-
:newchain DROP
root@jake-
ebtables v2.0.10-4 (December 2011)
I have a patch for this, but as this is a security issue I am refraining from posting it up to OpenStack's Gerrit. Also, this might have been fixed in master, but it still affects Ussuri and Victoria. Please advise on what I should do next?
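To make the root cause above concrete, here is an added example (it is not neutron's code and not the reporter's patch). It models the two ebtables behaviours shown in the report with a fake backend, applies the chain-creation order quoted from [1] and a reordered variant that sets the DROP policy after the flush, and includes a parser for the `:chain POLICY` lines of `ebtables-save` output that an operator can run against a real host to find `neutronARP-` chains whose policy is not DROP. The `FakeEbtables` class, the `neutronARP-EXAMPLE` chain name and the reordered fix are this example's own assumptions.

```python
"""Model the OSSA-2021-004 chain-policy bug against a simulated ebtables backend.

Added example, not neutron's code. It models only the two behaviours the bug
report documents: legacy ebtables keeps a chain's policy across '-F', while
ebtables-nft (1.8.x) resets the policy to RETURN on flush.
"""
import re
from typing import Dict, List


class FakeEbtables:
    """Minimal stand-in for the ebtables CLI that tracks chain policies only.

    nft_backend=True models ebtables 1.8.4 (nf_tables) as shown in the report:
    a flush resets the chain policy to RETURN.  nft_backend=False models the
    legacy ebtables v2.0.10, where the policy survives a flush.
    """

    def __init__(self, nft_backend: bool) -> None:
        self.nft_backend = nft_backend
        self.policies: Dict[str, str] = {}
        self.calls: List[List[str]] = []  # every argv passed in, for inspection

    def __call__(self, args: List[str]) -> None:
        self.calls.append(list(args))
        if args[:2] == ['-t', 'nat']:      # accept the table prefix neutron uses
            args = args[2:]
        op = args[0]
        if op == '-N':                     # create chain, optional '-P POLICY'
            policy = args[args.index('-P') + 1] if '-P' in args else 'ACCEPT'
            self.policies[args[1]] = policy
        elif op == '-P':                   # set policy of an existing chain
            self.policies[args[1]] = args[2]
        elif op == '-F':                   # flush rules; nft backend also resets policy
            if self.nft_backend:
                self.policies[args[1]] = 'RETURN'
        else:
            raise ValueError(f'unsupported ebtables op: {op}')

    def save(self) -> str:
        """Return ebtables-save style ':chain POLICY' lines."""
        return '\n'.join(f':{c} {p}' for c, p in sorted(self.policies.items()))


def create_chain_as_reported(ebtables, vif_chain: str) -> None:
    """The ordering quoted from [1]: policy set at creation time, then a flush."""
    ebtables(['-N', vif_chain, '-P', 'DROP'])
    ebtables(['-F', vif_chain])


def create_chain_hardened(ebtables, vif_chain: str) -> None:
    """Set DROP after the flush, so a policy-resetting flush cannot undo it.

    This ordering is the example's own mitigation; it is not claimed to be the
    exact change neutron merged.
    """
    ebtables(['-N', vif_chain])
    ebtables(['-F', vif_chain])
    ebtables(['-P', vif_chain, 'DROP'])


# ebtables-save prints one ':<chain> <policy>' line per chain before the rules.
CHAIN_POLICY_RE = re.compile(r'^:(\S+)\s+(ACCEPT|DROP|RETURN)\s*$', re.MULTILINE)


def chain_policies(ebtables_save_output: str) -> Dict[str, str]:
    """Parse the ':chain POLICY' lines out of ebtables-save output."""
    return dict(CHAIN_POLICY_RE.findall(ebtables_save_output))


def check_arp_chain_policy(ebtables_save_output: str,
                           prefix: str = 'neutronARP-') -> List[str]:
    """Audit helper: return neutronARP-* chains whose default policy is not DROP."""
    return sorted(chain for chain, policy in chain_policies(ebtables_save_output).items()
                  if chain.startswith(prefix) and policy != 'DROP')


def demo() -> Dict[str, str]:
    """Run both orderings on both backends; return chain policy per combination."""
    chain = 'neutronARP-EXAMPLE'   # constructed chain name for the example
    results: Dict[str, str] = {}
    for backend, nft in (('legacy', False), ('nft', True)):
        eb = FakeEbtables(nft_backend=nft)
        create_chain_as_reported(eb, chain)
        results[f'{backend}/reported'] = chain_policies(eb.save())[chain]
        eb = FakeEbtables(nft_backend=nft)
        create_chain_hardened(eb, chain)
        results[f'{backend}/hardened'] = chain_policies(eb.save())[chain]
    return results


if __name__ == '__main__':
    for combo, policy in demo().items():
        print(f'{combo}: {policy}')
```

`demo()` reproduces the report: the quoted ordering leaves the chain at DROP on the legacy backend but at RETURN on the nft backend, while setting the policy after the flush yields DROP on both. On a real compute node the output of `ebtables -t nat -L` is not needed for the audit; piping `ebtables-save` into `check_arp_chain_policy` lists any `neutronARP-` chain whose policy has fallen back to RETURN, which is the condition that lets filtered ARP traffic through.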
CVE References
Changed in neutron:
  assignee: nobody → Rodolfo Alonso (rodolfo-alonso-hernandez)
  status: New → Confirmed
Changed in ossa:
  status: Incomplete → Confirmed
  importance: Undecided → High
  assignee: nobody → Jeremy Stanley (fungi)
summary: "Linuxbridge ARP filter bypass on Netfilter platforms" → "Linuxbridge ARP filter bypass on Netfilter platforms (CVE-2021-38598)"
summary: "Linuxbridge ARP filter bypass on Netfilter platforms (CVE-2021-38598)" → "[OSSA-2021-004] Linuxbridge ARP filter bypass on Netfilter platforms (CVE-2021-38598)"
Changed in neutron:
  status: Confirmed → Fix Released
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.