[OSSA 2014-019] IPv6 prefix shouldn't be added in the NAT table (CVE-2014-4167)

Bug #1309195 reported by Baodong (Robert) Li on 2014-04-17
22
This bug affects 3 people
Affects Status Importance Assigned to Milestone
OpenStack Security Advisory
High
Tristan Cacqueray
neutron
Critical
Baodong (Robert) Li
Havana
Critical
Aaron Rosen
Icehouse
Critical
Aaron Rosen

Bug Description

SNAT rules with IPv6 prefixes are added into the NAT table, which causes failure with the call to iptables-restore:

Stderr: "iptables-restore v1.4.18: invalid mask `64' specified\nError occurred at line: 22\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"

Changed in neutron:
assignee: nobody → Baodong (Robert) Li (baoli)

Fix proposed to branch: master
Review: https://review.openstack.org/88584

Changed in neutron:
status: New → In Progress
tags: added: ipv6
Aaron Rosen (arosen) on 2014-05-27
Changed in neutron:
importance: Undecided → Critical
Changed in ossa:
status: New → Confirmed
tags: added: icehouse-backport-potential

Reviewed: https://review.openstack.org/88584
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d23bc8fa6e2d8a735a2aa75224b1bc96a3b992f5
Submitter: Jenkins
Branch: master

commit d23bc8fa6e2d8a735a2aa75224b1bc96a3b992f5
Author: Baodong Li <email address hidden>
Date: Thu Apr 24 01:47:13 2014 +0000

    Install SNAT rules for ipv4 only

    Change-Id: I37bd770aa0d54a985ac2bec708c571785084e0ec
    Closes-Bug: #1309195

Changed in neutron:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/95939
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e5fed4812633b0e7cbcb4107b6dc04710e007edf
Submitter: Jenkins
Branch: stable/havana

commit e5fed4812633b0e7cbcb4107b6dc04710e007edf
Author: Baodong Li <email address hidden>
Date: Thu Apr 24 01:47:13 2014 +0000

    Install SNAT rules for ipv4 only

    Change-Id: I37bd770aa0d54a985ac2bec708c571785084e0ec
    Closes-Bug: #1309195
    (cherry picked from commit d23bc8fa6e2d8a735a2aa75224b1bc96a3b992f5)

tags: added: in-stable-havana

Reviewed: https://review.openstack.org/95938
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=28a26dbfd7e95ad84e8c9eeac1e5aba0b111a16c
Submitter: Jenkins
Branch: stable/icehouse

commit 28a26dbfd7e95ad84e8c9eeac1e5aba0b111a16c
Author: Baodong Li <email address hidden>
Date: Thu Apr 24 01:47:13 2014 +0000

    Install SNAT rules for ipv4 only

    Change-Id: I37bd770aa0d54a985ac2bec708c571785084e0ec
    Closes-Bug: #1309195
    (cherry picked from commit d23bc8fa6e2d8a735a2aa75224b1bc96a3b992f5)

tags: added: in-stable-icehouse
Thierry Carrez (ttx) on 2014-05-29
Changed in ossa:
importance: Undecided → High

A couple of questions:
* The L3-agent was introduced with Havana, not before right ?
* I assumed the only way to fix a broken deployment is to manually remove the faulty network directly from the database. The former bug report mentioned it was not possible to remove it using "neutron net-delete" but it didn't not provide a way out of this...

Here is the impact description draft #1:

Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: 2013.2 to 2013.2.3, and 2014.1

Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected.

Changed in ossa:
assignee: nobody → Tristan Cacqueray (tristan-cacqueray)
Grant Murphy (gmurphy) wrote :

Impact description looks ok to me. Maybe don't include the note until issuing the advisory?

Alan Pevec (apevec) on 2014-06-05
tags: removed: icehouse-backport-potential in-stable-havana in-stable-icehouse
Jeremy Stanley (fungi) wrote :

Maybe say "further floating IPv4 addresses" to be a little clearer, but otherwise the draft impact description in comment #7 looks good to me.

Thierry Carrez (ttx) on 2014-06-09
Changed in ossa:
status: Confirmed → Triaged
Changed in neutron:
milestone: none → juno-1
Thierry Carrez (ttx) wrote :

Tristan: quantum/agent/l3_agent.py exists in Grizzly and seem to have code looking like the affected code.
Otherwise with fungi's suggestions, impact desc looks good.

Thierry Carrez (ttx) on 2014-06-12
Changed in neutron:
status: Fix Committed → Fix Released

Thanks for the comments,
* @grant, we used to keep such notes in impact description, so leaving it here
* @ttx, I updated the affected versions to include Grizzly

here is the impact description draft #2:

Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1

Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 address from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected.

Oups, didn't get the whole fungi's correction.

here is the impact description draft #3:

Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1

Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 addresses from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected.

Thierry Carrez (ttx) wrote :

+1 for #3

Jeremy Stanley (fungi) on 2014-06-17
summary: - IPv6 prefix shouldn't be added in the NAT table
+ IPv6 prefix shouldn't be added in the NAT table (CVE-2014-4167)
summary: - IPv6 prefix shouldn't be added in the NAT table (CVE-2014-4167)
+ [OSSA 2014-019] IPv6 prefix shouldn't be added in the NAT table
+ (CVE-2014-4167)
Changed in ossa:
status: Triaged → Fix Committed
Changed in ossa:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-10-16
Changed in neutron:
milestone: juno-1 → 2014.2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers