Insufficient validation of incoming BFD packets.
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned | |
| Antelope | Fix Committed | High | Unassigned | |
| Ovn-22.03 | Fix Committed | High | Unassigned | |
| Zed | Fix Committed | High | Unassigned | |
| ovn (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
As part of implementing an overlay network, OVN configures tunnel ports in Open vSwitch (OVS). To monitor the health of the tunnel and of the remote hypervisor, OVS Bidirectional Forwarding Detection (BFD) is enabled on each tunnel port by setting `enable` to 'true' in the `bfd` column.
Beyond health monitoring, the tunnel's BFD status feeds forwarding decisions that can affect multiple nodes and users of a cluster.
BFD packets are transmitted in-band in the tunnel, alongside other traffic, and in its default configuration OVS treats any BFD packet with TTL 255 received on the tunnel as originating from the privileged peer at the other end of the tunnel.
Traffic from unprivileged users connected to a VIF is transmitted through the same tunnels, and it is trivial for an end user of a system using OVS/OVN to send BFD packets with TTL 255 from a container or virtual machine; those packets are then tunneled through the system like any other VIF traffic.
Fortunately, traffic originating from or destined to a VIF is labelled with a VNI, aka tunnel key. OVS has a BFD option, `check_tnl_key`, which makes OVS accept only BFD packets whose tunnel key is zero.
Setting `check_tnl_key` to 'true' mitigates the issue, because the OVN pipeline design ensures that only OVS-generated BFD packets carry a tunnel key of zero.
The options on the tunnel ports are, however, managed by OVN, and any attempt to set them manually is immediately reverted; consequently this is a security issue in OVN.
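The following is an added example illustrating the receive-side checks described above; it is not OVS or OVN code. It models the order of checks the report describes (tunnel key only when `check_tnl_key` is set, then the TTL-255 trust decision) and replays a genuine peer packet and a VIF-originated forgery against both settings. The BFD control packet layout follows RFC 5880/5881; the `TunnelFrame` and `BfdSession` objects, the discriminator values and the 0x1234 tunnel key are constructed for illustration, and the handling of a zero Your Discriminator is the RFC 5880 section 6.8.6 rule, assumed here rather than copied from OVS.

```python
"""Model of OVS's receive-side BFD checks, with and without check_tnl_key.
Added example for this bug report, not OVS/OVN code: packet layout follows
RFC 5880/5881; frame model, session, discriminators and VNI are constructed."""
import struct
from dataclasses import dataclass, field

ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3  # BFD session states (RFC 5880 4.1)
STATE_NAMES = {ADMIN_DOWN: "AdminDown", DOWN: "Down", INIT: "Init", UP: "Up"}


def build_bfd_control(state, my_disc, your_disc, detect_mult=3,
                      min_tx_us=100_000, min_rx_us=100_000):
    """Encode the 24-byte mandatory section of a BFD control packet."""
    vers_diag = 1 << 5                     # version 1, diagnostic 0
    sta_flags = (state & 0x3) << 6         # P/F/C/A/D/M flag bits left clear
    return struct.pack("!BBBBIIIII", vers_diag, sta_flags, detect_mult, 24,
                       my_disc, your_disc, min_tx_us, min_rx_us, 0)


def parse_bfd_control(payload):
    """Decode a BFD control packet with the RFC 5880 6.8.6 sanity checks."""
    if len(payload) < 24:
        raise ValueError("shorter than the mandatory section")
    vers_diag, sta_flags, detect_mult, length, my_disc, your_disc = \
        struct.unpack("!BBBBIIIII", payload[:24])[:6]
    if (vers_diag >> 5 != 1 or not 24 <= length <= len(payload)
            or detect_mult == 0 or my_disc == 0):
        raise ValueError("malformed BFD control packet")
    return {"state": sta_flags >> 6, "my_disc": my_disc, "your_disc": your_disc}


@dataclass
class TunnelFrame:
    tun_id: int      # VNI / tunnel key: 0 for OVS's own BFD, non-zero for VIF traffic
    ip_ttl: int
    payload: bytes   # the BFD control packet carried in the frame


@dataclass
class BfdSession:
    local_disc: int
    state: int = UP
    check_tnl_key: bool = False   # OVS default, and what OVN left in place
    log: list = field(default_factory=list)


def process_bfd_packet(session, frame):
    """Return True if the frame is accepted as the peer's BFD control packet."""
    # Without check_tnl_key the tunnel key is never consulted at all.
    if session.check_tnl_key and frame.tun_id != 0:
        session.log.append(f"drop: tunnel key {frame.tun_id:#x} != 0")
        return False
    if frame.ip_ttl != 255:
        session.log.append(f"drop: TTL {frame.ip_ttl} != 255")
        return False
    try:
        pkt = parse_bfd_control(frame.payload)
    except ValueError as err:
        session.log.append(f"drop: {err}")
        return False
    # Your Discriminator must be ours; zero is tolerated only while the sender
    # reports Down/AdminDown (RFC 5880 6.8.6), which a forger can simply claim.
    if pkt["your_disc"] == 0:
        if pkt["state"] not in (DOWN, ADMIN_DOWN):
            session.log.append("drop: zero Your Discriminator while not Down")
            return False
    elif pkt["your_disc"] != session.local_disc:
        session.log.append("drop: Your Discriminator mismatch")
        return False
    # The transition that makes this a DoS: a Down from the "peer" takes the session down.
    if session.state == UP and pkt["state"] in (DOWN, ADMIN_DOWN):
        session.state = DOWN
        session.log.append(f"session Up -> Down on remote {STATE_NAMES[pkt['state']]}")
    return True


def run_scenarios():
    """Replay a genuine peer packet and a VIF-originated forgery in both modes."""
    results = {}
    for check in (False, True):
        s = BfdSession(local_disc=0x1A2B3C4D, check_tnl_key=check)
        # Genuine packet generated by the remote OVS: tunnel key 0, TTL 255.
        peer = TunnelFrame(0, 255, build_bfd_control(UP, 0x5E6F7081, s.local_disc))
        # Forgery from a VM/container: it enters through a VIF and so carries that
        # datapath's tunnel key (0x1234, constructed), but the sender sets TTL and state.
        forged = TunnelFrame(0x1234, 255, build_bfd_control(DOWN, 0xDEADBEEF, 0))
        results[check] = {"peer_accepted": process_bfd_packet(s, peer),
                          "forged_accepted": process_bfd_packet(s, forged),
                          "state_after": STATE_NAMES[s.state], "log": list(s.log)}
    return results


if __name__ == "__main__":
    for check, r in run_scenarios().items():
        print(f"check_tnl_key={check}:", r)
```

With `check_tnl_key` left at its default the forged packet is processed as the peer's and the session drops to Down; with it set, the non-zero tunnel key is rejected before anything else is looked at and the session stays Up. On a plain OVS host the knob is `ovs-vsctl set Interface <tunnel-port> bfd:check_tnl_key=true`; on an OVN-managed tunnel port that setting is reverted, as the report notes, which is why the fix has to come from OVN itself.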
description: updated
summary: Potential DoS vulnerability transmitting BFD packets from VIF → DoS vulnerability transmitting BFD packets from VIF
description: updated (8 further times)
summary: DoS vulnerability transmitting BFD packets from VIF → insufficient validation of incoming BFD
summary: insufficient validation of incoming BFD → Insufficient validation of incoming BFD packets.
Changed in ovn (Ubuntu): assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in cloud-archive: status: New → Invalid
Changed in ovn (Ubuntu): assignee: Marc Deslauriers (mdeslaur) → nobody
Changed in cloud-archive: status: Invalid → Fix Committed
Thanks for the bug, please keep us updated on the progress.