neutron

[OSSA 2014-019] IPv6 prefix shouldn't be added in the NAT table (CVE-2014-4167)

Bug #1309195 reported by Baodong (Robert) Li on 2014-04-17

This bug affects 3 people

	Status	Importance	Assigned to	Milestone
OpenStack Security Advisory	Fix Released	High	Tristan Cacqueray
neutron	Fix Released	Critical	Baodong (Robert) Li	neutron 2014.2 "juno"
Havana	Fix Released	Critical	Aaron Rosen	neutron 2013.2.4
Icehouse	Fix Released	Critical	Aaron Rosen	neutron 2014.1.1

Bug Description

SNAT rules with IPv6 prefixes are added into the NAT table, which causes failure with the call to iptables-restore:

Stderr: "iptables-restore v1.4.18: invalid mask `64' specified\nError occurred at line: 22\nTry `iptables-restore -h' or 'iptables-restore --help' for more information.\n"

Tags:

Related branches

lp://staging/ubuntu/saucy-security/neutron

lp://staging/ubuntu/trusty-security/neutron

CVE References

2014-4167

Baodong (Robert) Li (baoli) on 2014-04-17

Changed in neutron:
assignee:	nobody → Baodong (Robert) Li (baoli)

Revision history for this message

Openstack Gerrit (openstack-gerrit) wrote on 2014-04-18: Fix proposed to neutron (master)

Fix proposed to branch: master
Review: https://review.openstack.org/88584

Changed in neutron:
status:	New → In Progress

Sean M. Collins (scollins) on 2014-05-19

tags:

added: ipv6

Aaron Rosen (arosen) on 2014-05-27

Changed in neutron:
importance:	Undecided → Critical
Changed in ossa:
status:	New → Confirmed
tags:	added: icehouse-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-05-27: Fix proposed to neutron (stable/icehouse)

Fix proposed to branch: stable/icehouse
Review: https://review.openstack.org/95938

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-05-27: Fix proposed to neutron (stable/havana)

Fix proposed to branch: stable/havana
Review: https://review.openstack.org/95939

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-05-28: Fix merged to neutron (master)

Reviewed: https://review.openstack.org/88584
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d23bc8fa6e2d8a735a2aa75224b1bc96a3b992f5
Submitter: Jenkins
Branch: master

commit d23bc8fa6e2d8a735a2aa75224b1bc96a3b992f5
Author: Baodong Li <email address hidden>
Date: Thu Apr 24 01:47:13 2014 +0000

Install SNAT rules for ipv4 only

Change-Id: I37bd770aa0d54a985ac2bec708c571785084e0ec
Closes-Bug: #1309195

Changed in neutron:
status:	In Progress → Fix Committed

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-05-28: Fix merged to neutron (stable/havana)

Reviewed: https://review.openstack.org/95939
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=e5fed4812633b0e7cbcb4107b6dc04710e007edf
Submitter: Jenkins
Branch: stable/havana

commit e5fed4812633b0e7cbcb4107b6dc04710e007edf
Author: Baodong Li <email address hidden>
Date: Thu Apr 24 01:47:13 2014 +0000

Install SNAT rules for ipv4 only

    Change-Id: I37bd770aa0d54a985ac2bec708c571785084e0ec
    Closes-Bug: #1309195
    (cherry picked from commit d23bc8fa6e2d8a735a2aa75224b1bc96a3b992f5)

tags:

added: in-stable-havana

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-05-28: Fix merged to neutron (stable/icehouse)

Reviewed: https://review.openstack.org/95938
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=28a26dbfd7e95ad84e8c9eeac1e5aba0b111a16c
Submitter: Jenkins
Branch: stable/icehouse

commit 28a26dbfd7e95ad84e8c9eeac1e5aba0b111a16c
Author: Baodong Li <email address hidden>
Date: Thu Apr 24 01:47:13 2014 +0000

Install SNAT rules for ipv4 only

    Change-Id: I37bd770aa0d54a985ac2bec708c571785084e0ec
    Closes-Bug: #1309195
    (cherry picked from commit d23bc8fa6e2d8a735a2aa75224b1bc96a3b992f5)

tags:

added: in-stable-icehouse

Thierry Carrez (ttx) on 2014-05-29

Changed in ossa:
importance:	Undecided → High

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2014-05-30: Re: IPv6 prefix shouldn't be added in the NAT table

A couple of questions:
* The L3-agent was introduced with Havana, not before right ?
* I assumed the only way to fix a broken deployment is to manually remove the faulty network directly from the database. The former bug report mentioned it was not possible to remove it using "neutron net-delete" but it didn't not provide a way out of this...

Here is the impact description draft #1:

Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: 2013.2 to 2013.2.3, and 2014.1

Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected.

Tristan Cacqueray (tristan-cacqueray) on 2014-05-30

Changed in ossa:
assignee:	nobody → Tristan Cacqueray (tristan-cacqueray)

Revision history for this message

Grant Murphy (gmurphy) wrote on 2014-06-02:

Impact description looks ok to me. Maybe don't include the note until issuing the advisory?

Alan Pevec (apevec) on 2014-06-05

tags:

removed: icehouse-backport-potential in-stable-havana in-stable-icehouse

Revision history for this message

Jeremy Stanley (fungi) wrote on 2014-06-09:

Maybe say "further floating IPv4 addresses" to be a little clearer, but otherwise the draft impact description in comment #7 looks good to me.

Thierry Carrez (ttx) on 2014-06-09

Changed in ossa:
status:	Confirmed → Triaged

Eugene Nikanorov (enikanorov) on 2014-06-09

Changed in neutron:
milestone:	none → juno-1

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-06-12:

#10

Tristan: quantum/agent/l3_agent.py exists in Grizzly and seem to have code looking like the affected code.
Otherwise with fungi's suggestions, impact desc looks good.

Thierry Carrez (ttx) on 2014-06-12

Changed in neutron:
status:	Fix Committed → Fix Released

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2014-06-16:

#11

Thanks for the comments,
* @grant, we used to keep such notes in impact description, so leaving it here
* @ttx, I updated the affected versions to include Grizzly

here is the impact description draft #2:

Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1

Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 address from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2014-06-16:

#12

Oups, didn't get the whole fungi's correction.

here is the impact description draft #3:

Title: Neutron L3-agent DoS through IPv6 subnet
Reporter: Thiago Martins (HP)
Products: Neutron
Versions: up to 2013.2.3, and 2014.1

Description:
Thiago Martins from Hewlett Packard reported a vulnerability in Neutron L3-agent. By creating an IPv6 private subnet attached to a L3 router, an authenticated user may break the L3-agent, preventing further floating IPv4 addresses from being attached for the entire cloud. Note: removal of the faulty network can not be done using the API and must be cleaned at the database level. Only Neutron setups using IPv6 and L3-agent are affected.

Revision history for this message

Thierry Carrez (ttx) wrote on 2014-06-16:

#13

+1 for #3

Jeremy Stanley (fungi) on 2014-06-17

summary:

- IPv6 prefix shouldn't be added in the NAT table
+ IPv6 prefix shouldn't be added in the NAT table (CVE-2014-4167)

Tristan Cacqueray (tristan-cacqueray) on 2014-06-18

summary:	- IPv6 prefix shouldn't be added in the NAT table (CVE-2014-4167) + [OSSA 2014-019] IPv6 prefix shouldn't be added in the NAT table + (CVE-2014-4167)
Changed in ossa:
status:	Triaged → Fix Committed

Tristan Cacqueray (tristan-cacqueray) on 2014-06-18

Changed in ossa:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2014-10-16

Changed in neutron:
milestone:	juno-1 → 2014.2

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

Bug #1322945

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.