2021-08-12 17:40:57 |
Pavel Toporkov |
bug |
|
|
added bug |
2021-08-12 17:43:44 |
Pavel Toporkov |
bug |
|
|
added subscriber Anton Zhabolenko |
2021-08-12 18:23:58 |
Jeremy Stanley |
description |
The application doesn't check the input values for the extra_dhcp_opts port parameter, allowing a user to use a newline character. The values from extra_dhcp_opts are used in rendering the opts file which is passed to dnsmasq as a dhcp-optsfile. Considering this, an attacker can inject any options into that file.
The main direct impact in my opinion is that an attacker can push arbitrary DHCP options to other instances connected to the same network. And since we are able to modify our own port connected to an external network, it is possible to push DHCP options to the instances of other tenants using the same external network.
If we go further, there is a known buffer overflow vulnerability in dnsmasq (https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=7d04e17444793a840f98a0283968b96502b112dc) which was not considered a security issue because an attacker cannot control DHCP opts in most cases, and therefore this vulnerability still exists in most distributions (e.g. Ubuntu 20.04.1). In our case DHCP opts are exactly what an attacker can modify, so we can trigger the buffer overflow there. I even managed to write an exploit which led to remote code execution using this buffer overflow vulnerability.
Here is the payload to crash dnsmasq as a proof of concept:
```
PUT /v2.0/ports/9db67e0f-537c-494a-a655-c8a0c518d57e HTTP/1.1
Host: openstack
X-Auth-Token: TOKEN
Content-Type: application/json
Content-Length: 170

{"port":{
"extra_dhcp_opts":[{"opt_name":"zzz",
"opt_value":"xxx\n128,aa:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\n120,aa.cc\n128,:"
}]}}
```
Tested on the Ocata, Train and Victoria versions.
Vulnerability was found by Pavel Toporkov |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2021-11-10 and will be made
public by or on that date even if no fix is identified.
The application doesn't check the input values for the extra_dhcp_opts port parameter, allowing a user to use a newline character. The values from extra_dhcp_opts are used in rendering the opts file which is passed to dnsmasq as a dhcp-optsfile. Considering this, an attacker can inject any options into that file.
The main direct impact in my opinion is that an attacker can push arbitrary DHCP options to other instances connected to the same network. And since we are able to modify our own port connected to an external network, it is possible to push DHCP options to the instances of other tenants using the same external network.
If we go further, there is a known buffer overflow vulnerability in dnsmasq (https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=7d04e17444793a840f98a0283968b96502b112dc) which was not considered a security issue because an attacker cannot control DHCP opts in most cases, and therefore this vulnerability still exists in most distributions (e.g. Ubuntu 20.04.1). In our case DHCP opts are exactly what an attacker can modify, so we can trigger the buffer overflow there. I even managed to write an exploit which led to remote code execution using this buffer overflow vulnerability.
Here is the payload to crash dnsmasq as a proof of concept:
```
PUT /v2.0/ports/9db67e0f-537c-494a-a655-c8a0c518d57e HTTP/1.1
Host: openstack
X-Auth-Token: TOKEN
Content-Type: application/json
Content-Length: 170

{"port":{
"extra_dhcp_opts":[{"opt_name":"zzz",
"opt_value":"xxx\n128,aa:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\n120,aa.cc\n128,:"
}]}}
```
Tested on the Ocata, Train and Victoria versions.
Vulnerability was found by Pavel Toporkov |
|
2021-08-12 18:24:16 |
Jeremy Stanley |
bug task added |
|
ossa |
|
2021-08-12 18:24:26 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
2021-08-12 18:25:00 |
Jeremy Stanley |
bug |
|
|
added subscriber Neutron Core Security reviewers |
2021-08-16 13:54:57 |
Slawek Kaplonski |
neutron: assignee |
|
Slawek Kaplonski (slaweq) |
|
2021-08-17 11:21:55 |
Pavel Toporkov |
bug |
|
|
added subscriber PhantomII |
2021-08-17 13:57:33 |
Slawek Kaplonski |
attachment added |
|
Proposed fix https://bugs.launchpad.net/neutron/+bug/1939733/+attachment/5518537/+files/0001-Remove-newline-character-from-dhcp_extra_opt-values.patch |
|
2021-08-17 14:44:13 |
Slawek Kaplonski |
attachment added |
|
Fix v2 https://bugs.launchpad.net/neutron/+bug/1939733/+attachment/5518554/+files/0001-Remove-dhcp_extra_opt-value-after-first-newline-char.patch |
|
2021-08-18 17:18:25 |
Jeremy Stanley |
ossa: status |
Incomplete |
Confirmed |
|
2021-08-18 17:18:29 |
Jeremy Stanley |
ossa: importance |
Undecided |
High |
|
2021-08-18 17:18:34 |
Jeremy Stanley |
ossa: assignee |
|
Jeremy Stanley (fungi) |
|
2021-08-23 11:06:41 |
Slawek Kaplonski |
attachment added |
|
Fix v2 for stable/wallaby https://bugs.launchpad.net/neutron/+bug/1939733/+attachment/5519980/+files/0001-Remove-dhcp_extra_opt-value-after-first-newline-char-stable-wallaby.patch |
|
2021-08-23 11:07:13 |
Slawek Kaplonski |
attachment added |
|
Fix v2 for stable/victoria https://bugs.launchpad.net/neutron/+bug/1939733/+attachment/5519981/+files/0001-Remove-dhcp_extra_opt-value-after-first-newline-char-stable-victoria.patch |
|
2021-08-23 11:07:45 |
Slawek Kaplonski |
attachment added |
|
Fix v2 for stable/ussuri https://bugs.launchpad.net/neutron/+bug/1939733/+attachment/5519982/+files/0001-Remove-dhcp_extra_opt-value-after-first-newline-char-stable-ussuri.patch |
|
2021-08-25 08:28:26 |
Akihiro Motoki |
neutron: importance |
Undecided |
Critical |
|
2021-08-25 12:41:08 |
Jeremy Stanley |
summary |
Remote Code Execution via extra_dhcp_opts |
Arbitrary dnsmasq reconfiguration via extra_dhcp_opts (CVE-2021-40085) |
|
2021-08-25 14:41:39 |
Jeremy Stanley |
removed subscriber Neutron Core Security reviewers |
|
|
|
2021-08-25 14:42:33 |
Jeremy Stanley |
bug |
|
|
added subscriber Neutron Core Security reviewers |
2021-08-25 14:42:50 |
Jeremy Stanley |
bug |
|
|
added subscriber Thomas Goirand |
2021-08-26 12:25:28 |
Jeremy Stanley |
bug |
|
|
added subscriber Seth Arnold |
2021-08-26 12:38:52 |
Jeremy Stanley |
bug |
|
|
added subscriber Mohammed Naser |
2021-08-26 12:40:06 |
Jeremy Stanley |
bug |
|
|
added subscriber Jake Yip |
2021-08-31 13:38:52 |
Jeremy Stanley |
information type |
Private Security |
Public Security |
|
2021-08-31 13:39:32 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2021-11-10 and will be made
public by or on that date even if no fix is identified.
The application doesn't check the input values for the extra_dhcp_opts port parameter, allowing a user to use a newline character. The values from extra_dhcp_opts are used in rendering the opts file which is passed to dnsmasq as a dhcp-optsfile. Considering this, an attacker can inject any options into that file.
The main direct impact in my opinion is that an attacker can push arbitrary DHCP options to other instances connected to the same network. And since we are able to modify our own port connected to an external network, it is possible to push DHCP options to the instances of other tenants using the same external network.
If we go further, there is a known buffer overflow vulnerability in dnsmasq (https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=7d04e17444793a840f98a0283968b96502b112dc) which was not considered a security issue because an attacker cannot control DHCP opts in most cases, and therefore this vulnerability still exists in most distributions (e.g. Ubuntu 20.04.1). In our case DHCP opts are exactly what an attacker can modify, so we can trigger the buffer overflow there. I even managed to write an exploit which led to remote code execution using this buffer overflow vulnerability.
Here is the payload to crash dnsmasq as a proof of concept:
```
PUT /v2.0/ports/9db67e0f-537c-494a-a655-c8a0c518d57e HTTP/1.1
Host: openstack
X-Auth-Token: TOKEN
Content-Type: application/json
Content-Length: 170

{"port":{
"extra_dhcp_opts":[{"opt_name":"zzz",
"opt_value":"xxx\n128,aa:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\n120,aa.cc\n128,:"
}]}}
```
Tested on the Ocata, Train and Victoria versions.
Vulnerability was found by Pavel Toporkov |
The application doesn't check the input values for the extra_dhcp_opts port parameter, allowing a user to use a newline character. The values from extra_dhcp_opts are used in rendering the opts file which is passed to dnsmasq as a dhcp-optsfile. Considering this, an attacker can inject any options into that file.
The main direct impact in my opinion is that an attacker can push arbitrary DHCP options to other instances connected to the same network. And since we are able to modify our own port connected to an external network, it is possible to push DHCP options to the instances of other tenants using the same external network.
If we go further, there is a known buffer overflow vulnerability in dnsmasq (https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=7d04e17444793a840f98a0283968b96502b112dc) which was not considered a security issue because an attacker cannot control DHCP opts in most cases, and therefore this vulnerability still exists in most distributions (e.g. Ubuntu 20.04.1). In our case DHCP opts are exactly what an attacker can modify, so we can trigger the buffer overflow there. I even managed to write an exploit which led to remote code execution using this buffer overflow vulnerability.
Here is the payload to crash dnsmasq as a proof of concept:
```
PUT /v2.0/ports/9db67e0f-537c-494a-a655-c8a0c518d57e HTTP/1.1
Host: openstack
X-Auth-Token: TOKEN
Content-Type: application/json
Content-Length: 170

{"port":{
"extra_dhcp_opts":[{"opt_name":"zzz",
"opt_value":"xxx\n128,aa:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\n120,aa.cc\n128,:"
}]}}
```
Tested on the Ocata, Train and Victoria versions.
Vulnerability was found by Pavel Toporkov |
|
2021-08-31 13:39:49 |
Jeremy Stanley |
summary |
Arbitrary dnsmasq reconfiguration via extra_dhcp_opts (CVE-2021-40085) |
[OSSA-2021-005] Arbitrary dnsmasq reconfiguration via extra_dhcp_opts (CVE-2021-40085) |
|
2021-08-31 13:43:37 |
OpenStack Infra |
neutron: status |
New |
In Progress |
|
2021-08-31 13:57:53 |
OpenStack Infra |
ossa: status |
Confirmed |
In Progress |
|
2021-08-31 14:40:21 |
OpenStack Infra |
ossa: status |
In Progress |
Fix Released |
|
2021-08-31 14:40:27 |
OpenStack Infra |
cve linked |
|
2021-40085 |
|
2021-09-01 12:04:41 |
Chris MacNaughton |
bug task added |
|
cloud-archive |
|
2021-09-01 12:05:28 |
Chris MacNaughton |
nominated for series |
|
cloud-archive/victoria |
|
2021-09-01 12:05:28 |
Chris MacNaughton |
bug task added |
|
cloud-archive/victoria |
|
2021-09-01 12:05:28 |
Chris MacNaughton |
nominated for series |
|
cloud-archive/ussuri |
|
2021-09-01 12:05:28 |
Chris MacNaughton |
bug task added |
|
cloud-archive/ussuri |
|
2021-09-01 12:05:28 |
Chris MacNaughton |
nominated for series |
|
cloud-archive/xena |
|
2021-09-01 12:05:28 |
Chris MacNaughton |
bug task added |
|
cloud-archive/xena |
|
2021-09-01 12:05:28 |
Chris MacNaughton |
nominated for series |
|
cloud-archive/wallaby |
|
2021-09-01 12:05:28 |
Chris MacNaughton |
bug task added |
|
cloud-archive/wallaby |
|
2021-09-01 12:05:43 |
Chris MacNaughton |
nominated for series |
|
cloud-archive/queens |
|
2021-09-01 12:05:43 |
Chris MacNaughton |
bug task added |
|
cloud-archive/queens |
|
2021-09-01 12:05:43 |
Chris MacNaughton |
nominated for series |
|
cloud-archive/rocky |
|
2021-09-01 12:05:43 |
Chris MacNaughton |
bug task added |
|
cloud-archive/rocky |
|
2021-09-01 12:05:43 |
Chris MacNaughton |
nominated for series |
|
cloud-archive/stein |
|
2021-09-01 12:05:43 |
Chris MacNaughton |
bug task added |
|
cloud-archive/stein |
|
2021-09-01 12:05:43 |
Chris MacNaughton |
nominated for series |
|
cloud-archive/train |
|
2021-09-01 12:05:43 |
Chris MacNaughton |
bug task added |
|
cloud-archive/train |
|
2021-09-01 12:06:07 |
Chris MacNaughton |
bug task added |
|
neutron (Ubuntu) |
|
2021-09-01 12:06:25 |
Chris MacNaughton |
nominated for series |
|
Ubuntu Hirsute |
|
2021-09-01 12:06:25 |
Chris MacNaughton |
bug task added |
|
neutron (Ubuntu Hirsute) |
|
2021-09-01 12:06:25 |
Chris MacNaughton |
nominated for series |
|
Ubuntu Bionic |
|
2021-09-01 12:06:25 |
Chris MacNaughton |
bug task added |
|
neutron (Ubuntu Bionic) |
|
2021-09-01 12:06:25 |
Chris MacNaughton |
nominated for series |
|
Ubuntu Impish |
|
2021-09-01 12:06:25 |
Chris MacNaughton |
bug task added |
|
neutron (Ubuntu Impish) |
|
2021-09-01 12:06:25 |
Chris MacNaughton |
nominated for series |
|
Ubuntu Focal |
|
2021-09-01 12:06:25 |
Chris MacNaughton |
bug task added |
|
neutron (Ubuntu Focal) |
|
2021-09-01 12:31:52 |
Ubuntu Foundations Team Bug Bot |
tags |
|
patch |
|
2021-09-01 12:31:59 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Review Team |
2021-09-02 12:16:52 |
OpenStack Infra |
neutron: status |
In Progress |
Fix Released |
|
2021-09-02 14:53:36 |
OpenStack Infra |
cloud-archive/wallaby: status |
New |
Fix Committed |
|
2021-09-02 17:54:42 |
OpenStack Infra |
cloud-archive/victoria: status |
New |
Fix Committed |
|
2021-09-06 08:59:19 |
Stefan Hoffmann |
bug |
|
|
added subscriber Stefan Hoffmann |
2021-09-07 14:34:02 |
OpenStack Infra |
cloud-archive/ussuri: status |
New |
Fix Committed |
|
2021-09-09 09:21:24 |
OpenStack Infra |
cloud-archive/rocky: status |
New |
Fix Committed |
|
2021-09-09 09:34:34 |
OpenStack Infra |
cloud-archive/queens: status |
New |
Fix Committed |
|
2021-09-09 09:54:44 |
OpenStack Infra |
cloud-archive/stein: status |
New |
Fix Committed |
|
2021-09-09 16:07:26 |
OpenStack Infra |
cloud-archive/train: status |
New |
Fix Committed |
|
2021-10-10 20:15:37 |
Christian Rohmann |
bug |
|
|
added subscriber Christian Rohmann |
2021-11-17 15:48:21 |
Bernard Cafarelli |
tags |
patch |
neutron-proactive-backport-potential patch |
|
2021-12-17 09:26:39 |
Slawek Kaplonski |
tags |
neutron-proactive-backport-potential patch |
patch |
|
2022-01-26 22:02:44 |
Brian Murray |
neutron (Ubuntu Hirsute): status |
New |
Won't Fix |
|
2022-01-27 14:45:00 |
Corey Bryant |
neutron (Ubuntu): status |
New |
Fix Released |
|
2022-01-27 14:45:17 |
Corey Bryant |
neutron (Ubuntu Impish): status |
New |
Fix Released |
|
2022-01-27 14:45:33 |
Corey Bryant |
neutron (Ubuntu Focal): status |
New |
Fix Released |
|
2022-11-18 09:16:23 |
OpenStack Infra |
cloud-archive/queens: status |
Fix Committed |
Fix Released |
|
2022-11-18 09:22:05 |
OpenStack Infra |
cloud-archive/rocky: status |
Fix Committed |
Fix Released |
|
2022-11-18 09:27:21 |
OpenStack Infra |
cloud-archive/stein: status |
Fix Committed |
Fix Released |
|
2023-10-10 17:26:58 |
OpenStack Infra |
cloud-archive/train: status |
Fix Committed |
Fix Released |
|
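Added example (not part of the bug log, and not neutron's own code): a small Python model of the injection the report describes and of two ways to close it. It renders a dnsmasq optsfile from extra_dhcp_opts, shows how the proof-of-concept opt_value turns one intended line into four, applies a fix in the spirit of the attached "remove value after first newline" patches, and contrasts it with a stricter reject-on-control-character check at the API. The `tag:<port tag>,<name>,<value>` line shape is a simplified stand-in for what the DHCP agent writes, the port tag is made up, and every function name here is an assumption for illustration; only the opt_value string comes from the PoC request above.

```python
"""Newline injection into a dnsmasq --dhcp-optsfile, modelled on the
neutron extra_dhcp_opts bug, with a truncating fix and a strict fix.

Added example, not neutron code. The line format below is a simplified
stand-in for what the DHCP agent writes; the port tag is constructed.
"""
import re

# dnsmasq reads the opts file one line at a time; every line the agent
# intends to write has this shape (simplified model, see module docstring).
EXPECTED_LINE = re.compile(r"^tag:[^,\s]+,[^,\s]+,")

PORT_TAG = "port-9db67e0f"  # constructed tag, not taken from the report

# opt_value from the proof-of-concept request in the bug report; the JSON
# escape "\n" becomes a real newline once the API decodes the body.
POC_VALUE = "xxx\n128,aa:" + "b" * 70 + "\n120,aa.cc\n128,:"
POC_OPTS = [{"opt_name": "zzz", "opt_value": POC_VALUE}]


def render_optsfile_vulnerable(port_tag, opts):
    """Interpolate name and value verbatim: an embedded newline ends the
    intended line early, and everything after it becomes new dnsmasq
    directives that are no longer tied to the port's tag."""
    return "".join(
        f"tag:{port_tag},{o['opt_name']},{o['opt_value']}\n" for o in opts
    )


def truncate_at_newline(text):
    """Agent-side fix in the spirit of the attached patches: drop everything
    from the first newline onward so a field can never span two lines."""
    return text.split("\n", 1)[0]


def validate_opt_field(text):
    """Stricter API-side fix (an assumption, not from the patches): refuse
    any control character instead of silently shortening the field."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in text):
        raise ValueError("control character in extra_dhcp_opts field")
    return text


def render_optsfile_hardened(port_tag, opts, strict=False):
    """Same renderer, but both opt_name and opt_value are cleaned first."""
    clean = validate_opt_field if strict else truncate_at_newline
    return "".join(
        f"tag:{port_tag},{clean(o['opt_name'])},{clean(o['opt_value'])}\n"
        for o in opts
    )


def strict_rejects(opts):
    """True if the strict renderer refuses this option list."""
    try:
        render_optsfile_hardened(PORT_TAG, opts, strict=True)
    except ValueError:
        return True
    return False


def injected_lines(optsfile_text):
    """Detection check for an opts file already on a network node: any
    non-empty line without the agent's tag prefix was not written on
    purpose and is worth investigating."""
    return [
        ln for ln in optsfile_text.splitlines()
        if ln and not EXPECTED_LINE.match(ln)
    ]


if __name__ == "__main__":
    bad = render_optsfile_vulnerable(PORT_TAG, POC_OPTS)
    print("vulnerable render:\n" + bad)
    print("injected lines:", injected_lines(bad))
    print("truncating fix:", repr(render_optsfile_hardened(PORT_TAG, POC_OPTS)))
    print("strict fix rejects PoC:", strict_rejects(POC_OPTS))
```

The truncating fix matches what the patch titles describe and keeps existing API clients working, at the cost of silently accepting a value the caller probably did not mean; the strict check surfaces the problem to the caller instead. `injected_lines` is the quick triage check for operators who want to know whether a running dnsmasq ever received an injected directive before the fix was deployed.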