| 2023-08-05 19:50:06 |
Dr. Jens Harbott |
bug |
|
|
added bug |
| 2023-08-05 19:50:45 |
Dr. Jens Harbott |
tags |
ovn |
dns ovn |
|
| 2023-08-07 00:49:42 |
Brian Haley |
bug |
|
|
added subscriber Brian Haley |
| 2023-08-07 16:35:28 |
Jeremy Stanley |
description |
When a client sends a query via TCP instead of UDP, OVN does not generate an answer. The query is instead forwarded to the configured external resolvers. Example:
debian@vm1:~$ dig +tcp vm1
; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +tcp vm1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24091
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vm1. IN A
;; AUTHORITY SECTION:
. 2468 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023080500 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP)
;; WHEN: Sat Aug 05 19:44:16 UTC 2023
;; MSG SIZE rcvd: 107
For comparison check the same query via UDP:
debian@vm1:~$ dig +noedns vm1
; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +noedns vm1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41575
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;vm1. IN A
;; ANSWER SECTION:
vm1. 3600 IN A 10.128.0.77
;; Query time: 0 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Sat Aug 05 19:45:39 UTC 2023
;; MSG SIZE rcvd: 40
(Note that the latter response does not actually come from the external server, but is spoofed by OVN.)
Marking as security bug since this may unexpectedly leak internal information (hostnames) to external third parties. Also see https://bugs.launchpad.net/neutron/+bug/2030294 for a related issue requiring the +noedns option needing to be used in the second example (it doesn't change the outcome for the first example). |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2023-11-05 and will be made
public by or on that date even if no fix is identified.
When a client sends a query via TCP instead of UDP, OVN does not generate an answer. The query is instead forwarded to the configured external resolvers. Example:
debian@vm1:~$ dig +tcp vm1
; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +tcp vm1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24091
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vm1. IN A
;; AUTHORITY SECTION:
. 2468 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023080500 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP)
;; WHEN: Sat Aug 05 19:44:16 UTC 2023
;; MSG SIZE rcvd: 107
For comparison check the same query via UDP:
debian@vm1:~$ dig +noedns vm1
; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +noedns vm1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41575
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;vm1. IN A
;; ANSWER SECTION:
vm1. 3600 IN A 10.128.0.77
;; Query time: 0 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Sat Aug 05 19:45:39 UTC 2023
;; MSG SIZE rcvd: 40
(Note that the latter response does not actually come from the external server, but is spoofed by OVN.)
Marking as security bug since this may unexpectedly leak internal information (hostnames) to external third parties. Also see https://bugs.launchpad.net/neutron/+bug/2030294 for a related issue requiring the +noedns option needing to be used in the second example (it doesn't change the outcome for the first example). |
|
| 2023-08-07 16:35:37 |
Jeremy Stanley |
bug task added |
|
ossa |
|
| 2023-08-07 16:35:42 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
| 2023-08-07 16:35:56 |
Jeremy Stanley |
bug |
|
|
added subscriber Neutron Core Security reviewers |
| 2023-08-07 19:04:04 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under
embargo. Please do not make any public mention of embargoed
(private) security vulnerabilities before their coordinated
publication by the OpenStack Vulnerability Management Team in the
form of an official OpenStack Security Advisory. This includes
discussion of the bug or associated fixes in public forums such as
mailing lists, code review systems and bug trackers. Please also
avoid private disclosure to other individuals not already approved
for access to this information, and provide this same reminder to
those who are made aware of the issue prior to publication. All
discussion should remain confined to this private bug report, and
any proposed fixes should be added to the bug as attachments. This
embargo shall not extend past 2023-11-05 and will be made
public by or on that date even if no fix is identified.
When a client sends a query via TCP instead of UDP, OVN does not generate an answer. The query is instead forwarded to the configured external resolvers. Example:
debian@vm1:~$ dig +tcp vm1
; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +tcp vm1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24091
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vm1. IN A
;; AUTHORITY SECTION:
. 2468 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023080500 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP)
;; WHEN: Sat Aug 05 19:44:16 UTC 2023
;; MSG SIZE rcvd: 107
For comparison check the same query via UDP:
debian@vm1:~$ dig +noedns vm1
; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +noedns vm1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41575
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;vm1. IN A
;; ANSWER SECTION:
vm1. 3600 IN A 10.128.0.77
;; Query time: 0 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Sat Aug 05 19:45:39 UTC 2023
;; MSG SIZE rcvd: 40
(Note that the latter response does not actually come from the external server, but is spoofed by OVN.)
Marking as security bug since this may unexpectedly leak internal information (hostnames) to external third parties. Also see https://bugs.launchpad.net/neutron/+bug/2030294 for a related issue requiring the +noedns option needing to be used in the second example (it doesn't change the outcome for the first example). |
When a client sends a query via TCP instead of UDP, OVN does not generate an answer. The query is instead forwarded to the configured external resolvers. Example:
debian@vm1:~$ dig +tcp vm1
; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +tcp vm1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24091
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;vm1. IN A
;; AUTHORITY SECTION:
. 2468 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023080500 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (TCP)
;; WHEN: Sat Aug 05 19:44:16 UTC 2023
;; MSG SIZE rcvd: 107
For comparison check the same query via UDP:
debian@vm1:~$ dig +noedns vm1
; <<>> DiG 9.18.16-1~deb12u1-Debian <<>> +noedns vm1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41575
;; flags: qr rd ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;vm1. IN A
;; ANSWER SECTION:
vm1. 3600 IN A 10.128.0.77
;; Query time: 0 msec
;; SERVER: 9.9.9.9#53(9.9.9.9) (UDP)
;; WHEN: Sat Aug 05 19:45:39 UTC 2023
;; MSG SIZE rcvd: 40
(Note that the latter response does not actually come from the external server, but is spoofed by OVN.)
Marking as security bug since this may unexpectedly leak internal information (hostnames) to external third parties. Also see https://bugs.launchpad.net/neutron/+bug/2030294 for a related issue requiring the +noedns option needing to be used in the second example (it doesn't change the outcome for the first example). |
|
| 2023-08-07 19:04:14 |
Jeremy Stanley |
information type |
Private Security |
Public |
|
| 2023-08-07 19:04:21 |
Jeremy Stanley |
ossa: status |
Incomplete |
Won't Fix |
|
| 2023-08-07 19:04:31 |
Jeremy Stanley |
tags |
dns ovn |
dns ovn security |
|
