CVE-2016-2074: MPLS buffer overflow vulnerabilities in Open vSwitch

Bug #1563753 reported by Dmitry Teselkin
Affects             Status        Importance  Assigned to      Milestone
Mirantis OpenStack  Fix Released  High        Albert Syriy
  7.0.x             Won't Fix     Medium      MOS Maintenance
  8.0.x             Won't Fix     Medium      MOS Maintenance
  9.x               Fix Released  High        Albert Syriy

Bug Description

Multiple versions of Open vSwitch are vulnerable to remote buffer
overflow attacks, in which crafted MPLS packets could overflow the
buffer reserved for MPLS labels in an OVS internal data structure.
The MPLS packets that trigger the vulnerability and the potential for
exploitation vary depending on version:

    - Open vSwitch 2.1.x and earlier are not vulnerable.

    - In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be
      exploited for arbitrary remote code execution.

    - In Open vSwitch 2.4.x, the MPLS buffer overflow does not
      obviously lead to a remote code execution exploit, but testing
      shows that it can allow a remote denial of service. See the
      mitigation section for details.

    - Open vSwitch 2.5.x is not vulnerable.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-2074 to this issue.

http://seclists.org/oss-sec/2016/q1/706

Tags: area-linux
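
The bug class in the description, shown from the defensive side as an added example (this is not Open vSwitch code and not part of the original report): an MPLS label stack is copied into a fixed-size buffer, with the packet-controlled stack depth kept separate from the write index. The capacity of 3, the struct and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ETH_HDR_LEN 14
#define MAX_LABELS  3   /* assumed capacity of the fixed label buffer */
struct mpls_key {
    uint32_t lse[MAX_LABELS];  /* stored label stack entries */
    int stored;                /* entries copied into lse[] */
    int depth;                 /* entries in the packet, -1 if malformed */
};

/* Walks the label stack of an Ethernet frame; returns key->depth. */
int parse_mpls(const uint8_t *f, size_t len, struct mpls_key *key)
{
    memset(key, 0, sizeof *key);
    if (len < ETH_HDR_LEN || f[12] != 0x88 || (f[13] != 0x47 && f[13] != 0x48))
        return key->depth = -1;         /* EtherType is not 0x8847/0x8848 */
    for (size_t off = ETH_HDR_LEN; len - off >= 4; off += 4) {
        uint32_t lse = (uint32_t)f[off] << 24 | (uint32_t)f[off + 1] << 16
                     | (uint32_t)f[off + 2] << 8 | f[off + 3];
        key->depth++;
        if (key->stored < MAX_LABELS)   /* packet never drives the index */
            key->lse[key->stored++] = lse;
        if (lse & 0x100)                /* S bit: bottom of stack */
            return key->depth;
    }
    return key->depth = -1;             /* bytes ran out before the S bit */
}

/* Constructed sample: n entries, S bit on the last, `cut` bytes chopped off. */
struct mpls_key parse_sample(unsigned n, size_t cut)
{
    uint8_t f[ETH_HDR_LEN + 4 * 16] = {[12] = 0x88, [13] = 0x47};
    struct mpls_key key;
    if (n > 16) n = 16;
    if (cut > 4 * n) cut = 4 * n;
    for (unsigned i = 0; i < n; i++) {
        uint32_t lse = (uint32_t)(100 + i) << 12 | (i == n - 1 ? 0x100u : 0u) | 64;
        uint8_t *p = f + ETH_HDR_LEN + 4 * i;
        p[0] = lse >> 24; p[1] = lse >> 16; p[2] = lse >> 8; p[3] = lse;
    }
    parse_mpls(f, ETH_HDR_LEN + 4 * (size_t)n - cut, &key);
    return key;
}
int main(void)
{
    printf("depth=%d stored=%d\n", parse_sample(8, 0).depth, parse_sample(8, 0).stored);
    return 0;
}
```

A frame whose `depth` exceeds `MAX_LABELS` is the case worth logging or dropping; `stored` stays at the buffer capacity however deep the stack is.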

description: updated
Changed in mos:
assignee: nobody → MOS Linux (mos-linux)
information type: Private Security → Public Security
Dina Belova (dbelova)
tags: added: area-linux
Changed in mos:
status: New → Confirmed
importance: Undecided → High
milestone: none → 9.0
Revision history for this message
Bug Checker Bot (bug-checker) wrote : Autochecker

(This check performed automatically)
Please, make sure that bug description contains the following sections filled in with the appropriate data related to the bug you are describing:

actual result

expected result

steps to reproduce

For more detailed information on the contents of each of the listed sections see https://wiki.openstack.org/wiki/Fuel/How_to_contribute#Here_is_how_you_file_a_bug

tags: added: need-info
tags: removed: need-info
Alexey Stupnikov (astupnikov) wrote :

Dmitry, please consider the following objections to this bug. I don't see an opportunity for an attacker to use this vulnerability for the following reasons:
  - MPLS PDUs are not transmitted over traditional IP networks, so it is impossible to deliver them to cloud's OVS switches from external networks;
  - we have a SG implemented on closest-to VMs linux bridges, so it is impossible to inject MPLS traffic from VMs.

Maybe we have to double-check attack vectors for this issue?

Vitaly Sedelnik (vsedelnik) wrote :

Setting to Incomplete. Dmitry T, please provide a specific scenario for how the MOS cloud is affected by the issue.

Adam Heczko (aheczko-mirantis) wrote :

IMO one could disable the Neutron port security mechanism and inject MPLS packets.
https://specs.openstack.org/openstack/neutron-specs/specs/kilo/ml2-ovs-portsecurity.html
Of course MOS is vulnerable, the vulnerability is there but the attack vector is limited.

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/centos7/openvswitch (master)

Fix proposed to branch: master
Change author: Albert Syriy <email address hidden>
Review: https://review.fuel-infra.org/19317

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/trusty/openvswitch (master)

Fix proposed to branch: master
Change author: Albert Syriy <email address hidden>
Review: https://review.fuel-infra.org/19343

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/trusty/openvswitch-dpdk (master)

Fix proposed to branch: master
Change author: Albert Syriy <email address hidden>
Review: https://review.fuel-infra.org/19352

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/centos7/openvswitch (master)

Reviewed: https://review.fuel-infra.org/19317
Submitter: Pkgs Jenkins <email address hidden>
Branch: master

Commit: 23b67a5c2233c2a8103ad874f1931dbe38188935
Author: Albert Syriy <email address hidden>
Date: Thu Apr 7 12:02:13 2016

Fix for CVE-2016-2074. MPLS buffer overflow vulnerabilities in Open vSwitch.

Change-Id: I4c89760425bd12fb2c39c3e06c77eff117fd8ca8
Closes-Bug: #1563753

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/trusty/openvswitch (master)

Reviewed: https://review.fuel-infra.org/19343
Submitter: Pkgs Jenkins <email address hidden>
Branch: master

Commit: 30470f49fea68ac3986304bf9c8ddec67409faf6
Author: Albert Syriy <email address hidden>
Date: Thu Apr 7 11:59:04 2016

CVE-2016-2074 fix: MPLS buffer overflow vulnerabilities in Open vSwitch.

Change-Id: I3599e76208ecd7c356165601d1cfe1d3bffa0b09
Closes-Bug: #1563753

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/centos7/openvswitch (9.0)

Fix proposed to branch: 9.0
Change author: Albert Syriy <email address hidden>
Review: https://review.fuel-infra.org/19401

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/trusty/openvswitch (9.0)

Fix proposed to branch: 9.0
Change author: Albert Syriy <email address hidden>
Review: https://review.fuel-infra.org/19402

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/trusty/openvswitch-dpdk (master)

Reviewed: https://review.fuel-infra.org/19352
Submitter: Pkgs Jenkins <email address hidden>
Branch: master

Commit: 1e228a7f2b607b62bc7e9c0d8b01a440bece7d46
Author: Albert Syriy <email address hidden>
Date: Thu Apr 7 11:58:04 2016

CVE-2016-2074 fix: MPLS buffer overflow vulnerabilities in Open vSwitch.

Change-Id: I0e68a72829b48157c6bdb84e8ce91e8baa007243
Closes-Bug: #1563753

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix proposed to packages/trusty/openvswitch-dpdk (9.0)

Fix proposed to branch: 9.0
Change author: Albert Syriy <email address hidden>
Review: https://review.fuel-infra.org/19404

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/trusty/openvswitch (9.0)

Reviewed: https://review.fuel-infra.org/19402
Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0

Commit: cba606998e4fffd18a9a6dd8632274451517df76
Author: Albert Syriy <email address hidden>
Date: Thu Apr 7 16:52:46 2016

CVE-2016-2074 fix: MPLS buffer overflow vulnerabilities in Open vSwitch.

Change-Id: I3599e76208ecd7c356165601d1cfe1d3bffa0b09
Closes-Bug: #1563753
(cherry picked from commit 30470f49fea68ac3986304bf9c8ddec67409faf6)

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/trusty/openvswitch-dpdk (9.0)

Reviewed: https://review.fuel-infra.org/19404
Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0

Commit: cd316a7bb66d974de5941c5644380f5d741bac18
Author: Albert Syriy <email address hidden>
Date: Thu Apr 7 17:08:15 2016

CVE-2016-2074 fix: MPLS buffer overflow vulnerabilities in Open vSwitch.

Change-Id: I0e68a72829b48157c6bdb84e8ce91e8baa007243
Closes-Bug: #1563753
(cherry picked from commit 1e228a7f2b607b62bc7e9c0d8b01a440bece7d46)

Fuel Devops McRobotson (fuel-devops-robot) wrote : Fix merged to packages/centos7/openvswitch (9.0)

Reviewed: https://review.fuel-infra.org/19401
Submitter: Pkgs Jenkins <email address hidden>
Branch: 9.0

Commit: 5efb645987c6a2d258606fe476ebeaf4e46503e2
Author: Albert Syriy <email address hidden>
Date: Thu Apr 7 16:52:20 2016

Fix for CVE-2016-2074. MPLS buffer overflow vulnerabilities in Open vSwitch.

Change-Id: I4c89760425bd12fb2c39c3e06c77eff117fd8ca8
Closes-Bug: #1563753
(cherry picked from commit 23b67a5c2233c2a8103ad874f1931dbe38188935)

Albert Syriy (asyriy) wrote :

The fix has been committed into the Ubuntu/CentOS openvswitch packages.

Alexander Gubanov (ogubanov) wrote :

I've verified it (MOS 9.0 build 201) as mentioned at http://seclists.org/oss-sec/2016/q1/706 - Open vSwitch is not vulnerable.
Proof: http://pastebin.com/jWNXWCMq

Moved to "Fix Released".

Denis Meltsaykin (dmeltsaykin) wrote :

Closing as Won't Fix as this is a medium importance non-customer-found bug.

Fuel Devops McRobotson (fuel-devops-robot) wrote : Change abandoned on packages/trusty/openvswitch (9.0)

Change abandoned by Dmitry Teselkin <email address hidden> on branch: 9.0
Review: https://review.fuel-infra.org/25435
Reason: Merged in https://review.fuel-infra.org/#/q/topic:group/prod-7907

This report contains Public Security information  
Everyone can see this security related information.