[OSSA 2014-019] IPv6 prefix shouldn't be added in the NAT table (CVE-2014-4167)
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | OpenStack Security Advisory |
High
|
Tristan Cacqueray | ||
| | neutron |
Critical
|
Baodong (Robert) Li | ||
| | Havana |
Critical
|
Aaron Rosen | ||
| | Icehouse |
Critical
|
Aaron Rosen | ||
Bug Description
SNAT rules with IPv6 prefixes are added into the NAT table, which causes failure with the call to iptables-restore:
Stderr: "iptables-restore v1.4.18: invalid mask `64' specified\nError occurred at line: 22\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"
CVE References
| Changed in neutron: | |
| assignee: | nobody → Baodong (Robert) Li (baoli) |
| Changed in neutron: | |
| status: | New → In Progress |
| tags: | added: ipv6 |
| Changed in neutron: | |
| importance: | Undecided → Critical |
| Changed in ossa: | |
| status: | New → Confirmed |
| tags: | added: icehouse-backport-potential |
Fix proposed to branch: stable/icehouse
Review: https:/
Fix proposed to branch: stable/havana
Review: https:/
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: master
commit d23bc8fa6e2d8a7
Author: Baodong Li <email address hidden>
Date: Thu Apr 24 01:47:13 2014 +0000
Install SNAT rules for ipv4 only
Change-Id: I37bd770aa0d54a
Closes-Bug: #1309195
| Changed in neutron: | |
| status: | In Progress → Fix Committed |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/havana
commit e5fed4812633b0e
Author: Baodong Li <email address hidden>
Date: Thu Apr 24 01:47:13 2014 +0000
Install SNAT rules for ipv4 only
Change-Id: I37bd770aa0d54a
Closes-Bug: #1309195
(cherry picked from commit d23bc8fa6e2d8a7
| tags: | added: in-stable-havana |
Reviewed: https:/
Committed: https:/
Submitter: Jenkins
Branch: stable/icehouse
commit 28a26dbfd7e95ad
Author: Baodong Li <email address hidden>
Date: Thu Apr 24 01:47:13 2014 +0000
Install SNAT rules for ipv4 only
Change-Id: I37bd770aa0d54a
Closes-Bug: #1309195
(cherry picked from commit d23bc8fa6e2d8a7
| tags: | added: in-stable-icehouse |
| Changed in ossa: | |
| importance: | Undecided → High |
| Tristan Cacqueray (tristan-cacqueray) wrote : Re: IPv6 prefix shouldn't be added in the NAT table | #7 |
A couple of questions:
* The L3-agent was introduced with Havana, not before right ?
* I assumed the only way to fix a broken deployment is to manually remove the faulty network directly from the database. The former bug report mentioned it was not possible to remove it using "neutron net-delete" but it didn't not provide a way out of this...
Here is the impact description draft #1:
Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: 2013.2 to 2013.2.3, and 2014.1
Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected.
| Changed in ossa: | |
| assignee: | nobody → Tristan Cacqueray (tristan-cacqueray) |
| Grant Murphy (gmurphy) wrote : | #8 |
Impact description looks ok to me. Maybe don't include the note until issuing the advisory?
| tags: | removed: icehouse-backport-potential in-stable-havana in-stable-icehouse |
| Jeremy Stanley (fungi) wrote : | #9 |
Maybe say "further floating IPv4 addresses" to be a little clearer, but otherwise the draft impact description in comment #7 looks good to me.
| Changed in ossa: | |
| status: | Confirmed → Triaged |
| Changed in neutron: | |
| milestone: | none → juno-1 |
| Thierry Carrez (ttx) wrote : | #10 |
Tristan: quantum/
Otherwise with fungi's suggestions, impact desc looks good.
| Changed in neutron: | |
| status: | Fix Committed → Fix Released |
Thanks for the comments,
* @grant, we used to keep such notes in impact description, so leaving it here
* @ttx, I updated the affected versions to include Grizzly
here is the impact description draft #2:
Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1
Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 address from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected.
Oups, didn't get the whole fungi's correction.
here is the impact description draft #3:
Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1
Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 addresses from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected.
| Thierry Carrez (ttx) wrote : | #13 |
+1 for #3
| summary: |
- IPv6 prefix shouldn't be added in the NAT table + IPv6 prefix shouldn't be added in the NAT table (CVE-2014-4167) |
| summary: |
- IPv6 prefix shouldn't be added in the NAT table (CVE-2014-4167) + [OSSA 2014-019] IPv6 prefix shouldn't be added in the NAT table + (CVE-2014-4167) |
| Changed in ossa: | |
| status: | Triaged → Fix Committed |
| Changed in ossa: | |
| status: | Fix Committed → Fix Released |
| Changed in neutron: | |
| milestone: | juno-1 → 2014.2 |
Fix proposed to branch: master
Review: https:/