[OSSA-2021-005] Arbitrary dnsmasq reconfiguration via extra_dhcp_opts (CVE-2021-40085)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Security Advisory | Fix Released | High | Jeremy Stanley |
Ubuntu Cloud Archive | New | Undecided | Unassigned |
Ubuntu Cloud Archive (Queens) | Fix Released | Undecided | Unassigned |
Ubuntu Cloud Archive (Rocky) | Fix Released | Undecided | Unassigned |
Ubuntu Cloud Archive (Stein) | Fix Released | Undecided | Unassigned |
Ubuntu Cloud Archive (Train) | Fix Released | Undecided | Unassigned |
Ubuntu Cloud Archive (Ussuri) | Fix Committed | Undecided | Unassigned |
Ubuntu Cloud Archive (Victoria) | Fix Committed | Undecided | Unassigned |
Ubuntu Cloud Archive (Wallaby) | Fix Committed | Undecided | Unassigned |
Ubuntu Cloud Archive (Xena) | New | Undecided | Unassigned |
neutron | Fix Released | Critical | Slawek Kaplonski |
neutron (Ubuntu) | Fix Released | Undecided | Unassigned |
neutron (Ubuntu Bionic) | New | Undecided | Unassigned |
neutron (Ubuntu Focal) | Fix Released | Undecided | Unassigned |
neutron (Ubuntu Hirsute) | Won't Fix | Undecided | Unassigned |
neutron (Ubuntu Impish) | Fix Released | Undecided | Unassigned |
Bug Description
The application doesn't check the input values of the extra_dhcp_opts port parameter, allowing a user to use a newline character. The values from extra_dhcp_opts are used in rendering the opts file which is passed to dnsmasq as a dhcp-optsfile. Considering this, an attacker can inject any options into that file.
The main direct impact in my opinion is that an attacker can push arbitrary DHCP options to other instances connected to the same network. And because we are able to modify our own port connected to the external network, it is possible to push DHCP options to the instances of other tenants using the same external network.
If we go further, there is a known buffer overflow vulnerability in dnsmasq (https:/
Here is the payload to crash dnsmasq as a proof of concept:
```
PUT /v2.0/ports/
Host: openstack
X-Auth-Token: TOKEN
Content-Type: application/json
Content-Length: 170
{"port":{
"extra_
"opt_value"
}]}}
```
Tested on the ocata, train and victoria versions.
The vulnerability was found by Pavel Toporkov.
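The report above describes the mechanism (an unvalidated newline in an extra_dhcp_opts value becoming an extra line in the dnsmasq dhcp-optsfile) but elides the payload. The following is an added example, not Neutron's code and not the reporter's PoC: it renders a dhcp-optsfile from constructed port data the way an unvalidating driver would, reads it back line by line as dnsmasq does, and shows the API-level input check that rejects line breaks in opt_name and opt_value. The line template `tag:<tag>,option:<name>,<value>`, the tag names (`port-victim`, `port-attacker`, `subnet-1`), the addresses and the function names are all assumptions made for this example.

```python
import re

# Anything that ends a line in the file dnsmasq reads via --dhcp-optsfile.
LINE_BREAK_RE = re.compile(r"[\r\n]")


def render_opts_file(ports):
    """Render a dhcp-optsfile the way an unvalidating driver would: each
    opt_name/opt_value is substituted into the line template verbatim.
    Line template (assumed for this example): tag:<tag>,option:<name>,<value>
    """
    lines = []
    for port in ports:
        for opt in port["extra_dhcp_opts"]:
            lines.append("tag:%s,option:%s,%s"
                         % (port["tag"], opt["opt_name"], opt["opt_value"]))
    return "\n".join(lines) + "\n"


def parse_opts_file(text):
    """Read the file back line by line, as dnsmasq does, into (tag, option, value).
    A smuggled newline therefore yields an extra entry that no port declared."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tag_field, option_field, value = line.split(",", 2)
        entries.append((tag_field.split(":", 1)[1],
                        option_field.split(":", 1)[1],
                        value))
    return entries


def entries_for_tag(ports, tag):
    """Options dnsmasq would hand to every lease carrying `tag`."""
    return [e for e in parse_opts_file(render_opts_file(ports)) if e[0] == tag]


def validate_extra_dhcp_opt(opt):
    """Input check the API layer must perform before a value can reach the file:
    reject line breaks in both opt_name and opt_value. ValueError stands in for
    the 400-style invalid-input error the API would return."""
    for field in ("opt_name", "opt_value"):
        value = opt.get(field)
        if isinstance(value, str) and LINE_BREAK_RE.search(value):
            raise ValueError("%s must not contain line breaks" % field)
    return opt


def validate_port_update(port_body):
    """Apply the check to every entry of a PUT /v2.0/ports/<id> body."""
    for opt in port_body["port"].get("extra_dhcp_opts", []):
        validate_extra_dhcp_opt(opt)
    return port_body


def is_rejected(port_body):
    try:
        validate_port_update(port_body)
    except ValueError:
        return True
    return False


# Constructed sample data. "subnet-1" is the tag assumed to be attached to every
# lease on the shared network; "port-attacker" is the attacker's own port tag.
VICTIM_PORT = {
    "tag": "port-victim",
    "extra_dhcp_opts": [{"opt_name": "mtu", "opt_value": "1450"}],
}
MALICIOUS_UPDATE = {"port": {"extra_dhcp_opts": [{
    "opt_name": "mtu",
    # The newline ends the attacker's own line and starts a second one carrying
    # the subnet-wide tag, pushing a rogue router to every client on the network.
    "opt_value": "1450\ntag:subnet-1,option:router,10.0.0.66",
}]}}
ATTACKER_PORT = {"tag": "port-attacker",
                 "extra_dhcp_opts": MALICIOUS_UPDATE["port"]["extra_dhcp_opts"]}


if __name__ == "__main__":
    print(render_opts_file([VICTIM_PORT, ATTACKER_PORT]))
    print("subnet-wide options:",
          entries_for_tag([VICTIM_PORT, ATTACKER_PORT], "subnet-1"))
    print("rejected by validator:", is_rejected(MALICIOUS_UPDATE))
```

The check belongs at the API boundary, on both fields, rather than as escaping at render time: dnsmasq's file is line-oriented, so any CR or LF that survives into a value is a new directive regardless of how the rest of the line is quoted, and a value stored unvalidated will be re-rendered on every agent restart.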
CVE References
CVE-2021-40085
Changed in neutron:
  importance: Undecided → Critical
  summary:
    - Remote Code Execution via extra_dhcp_opts
    + Arbitrary dnsmasq reconfiguration via extra_dhcp_opts (CVE-2021-40085)
  tags: added: neutron-proactive-backport-potential
  tags: removed: neutron-proactive-backport-potential
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.