[OSSA 2015-001] L3 agent DoS vulnerability (CVE-2014-8153)

Bug #1399172 reported by Thierry Carrez
Affects                      Status          Importance   Assigned to   Milestone
OpenStack Security Advisory  Fix Released    Medium       Unassigned
neutron                      Fix Released    Undecided    Unassigned
  Icehouse                   Invalid         Undecided    Unassigned
  Juno                       Fix Committed   Undecided    Unassigned

Bug Description

Reported by Ihar Hrachyshka via email:

we've found a bug [1] in OpenStack Neutron Juno (2014.2) release that
(it seems) may be utilized to make Neutron L3 agent non-functional
during the following scenario (initially reported in downstream as [2]):

- a tenant (user) creates 8 routers;
- for each router, a tenant assigns an ipv6 non-provider subnet.

=> L3 agent limits the number of threads that process updates to
router state to 8 [3]. Since the bug makes the thread lock if the
release is used with radvd 2.0+, it's enough to have those 8 failing
routers to completely block any kind of router updates processing for
all tenants.

The vulnerability is limited to setups that run on top of radvd 2.0+.
There are few distributions that currently ship radvd 2.0+,
so the scope of the vulnerability is not very wide (in Red Hat world,
it's mostly Fedora Rawhide).

The bug in question is public, though I haven't raised its potential
security status in any public or private communications before.

[1]: https://launchpad.net/bugs/1398779
[2]: https://bugzilla.redhat.com/show_bug.cgi?id=1169408
[3]: https://github.com/openstack/neutron/blob/master/neutron/agent/l3_agent.py#L1831
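The starvation mechanism described in the report, as an added illustration that is not code from the page or from Neutron: a fixed pool of 8 workers (the L3 agent uses eventlet greenthreads; plain threads stand in here) drains a queue of router updates, and an update whose radvd start never returns pins its worker for good, so eight such routers leave nothing to serve any other tenant. The bounded-wait variant is a generic mitigation shown for contrast only; Neutron's actual fix is in the linked review and is not reproduced here.

```python
import queue
import threading
import time

# Size of the L3 agent's router-update worker pool, as stated in the report.
ROUTER_POOL_SIZE = 8


def process_updates(updates, hang_timeout=None, settle=0.5):
    """Run router updates on a bounded pool and report which ones completed.

    `updates` is a list of (router_id, hangs).  hangs=True models a router whose
    radvd start never returns (the radvd 2.0+ behaviour from the report); the
    hang is simulated with an Event that is never set.  hang_timeout=None
    reproduces the vulnerable agent (the worker blocks forever); a number bounds
    the wait so a stuck router cannot pin a worker (illustrative mitigation only).
    Returns (completed_ids, failed_ids) as observed after `settle` seconds.
    """
    pending = queue.Queue()
    for item in updates:
        pending.put(item)
    completed, failed = [], []
    radvd_returned = threading.Event()  # never set: radvd "hangs" forever

    def worker():
        while True:
            router_id, hangs = pending.get()
            if hangs and not radvd_returned.wait(timeout=hang_timeout):
                failed.append(router_id)  # only reachable with a finite timeout
            else:
                completed.append(router_id)

    for _ in range(ROUTER_POOL_SIZE):
        threading.Thread(target=worker, daemon=True).start()
    time.sleep(settle)  # let the pool run; hung daemon threads die with the process
    return sorted(completed), sorted(failed)


def starved_scenario(hang_timeout=None):
    """Eight hanging routers from one tenant, then one healthy router from another.

    Router ids are constructed sample values, not real Neutron identifiers.
    """
    updates = [("tenant-a-router-%d" % i, True) for i in range(ROUTER_POOL_SIZE)]
    updates.append(("tenant-b-router", False))
    return process_updates(updates, hang_timeout=hang_timeout)


if __name__ == "__main__":
    print("vulnerable:", starved_scenario())               # tenant-b never completes
    print("bounded   :", starved_scenario(hang_timeout=0.05))  # tenant-b completes
```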

CVE References: CVE-2014-8153

Thierry Carrez (ttx)
Changed in ossa:
status: New → Incomplete
Revision history for this message
Salvatore Orlando (salvatore-orlando) wrote :

The security implication seems appropriate. I have not reproduced it, but looking at the code it is pretty obvious what will happen with the different behaviour of radvd 2.

Revision history for this message
Thierry Carrez (ttx) wrote :

Confirming based on Salvatore's analysis.
Would Icehouse also be affected?

Changed in ossa:
importance: Undecided → Medium
status: Incomplete → Confirmed
Revision history for this message
Thierry Carrez (ttx) wrote :

master fix in progress at https://review.openstack.org/138688

Changed in neutron:
status: New → In Progress
Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

In Icehouse, we didn't have radvd support, so there should be no issue.

Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote :

Fix is merged in Kilo, and backport for Juno is requested: https://review.openstack.org/141575

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Here is impact description draft #1

Title: L3 agent denial of service with radvd 2.0+
Reporter: Ihar Hrachyshka (RH)
Products: Neutron
Versions: 2014.2 version up to 2014.2.1

Description:
Ihar Hrachyshka from Red Hat reported a vulnerability in Neutron. By creating 8 routers and assigning each of them a non-provider ipv6 subnet, a malicious user may blocks router update processing for all tenants. Only Neutron setups running with radvd 2.0+ are affected.

Revision history for this message
Grant Murphy (gmurphy) wrote :

+1 impact description

Revision history for this message
Thierry Carrez (ttx) wrote :

blocks -> block
maybe add "for all tenants, potentially resulting in a Denial of Service." ?

Changed in ossa:
status: Confirmed → Triaged
Changed in neutron:
status: In Progress → Fix Committed
Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Thanks for the reviews, here is impact description draft #2:

Title: L3 agent denial of service with radvd 2.0+
Reporter: Ihar Hrachyshka (RH)
Products: Neutron
Versions: 2014.2 version up to 2014.2.1

Description:
Ihar Hrachyshka from Red Hat reported a vulnerability in Neutron. By creating 8 routers and assigning each of them a non-provider ipv6 subnet, a malicious user may block router update processing for all tenants, potentially resulting in a Denial of Service. Only Neutron setups running with radvd 2.0+ are affected.

Revision history for this message
Thierry Carrez (ttx) wrote :

Impact desc +1

summary: - L3 agent DoS vulnerability
+ L3 agent DoS vulnerability (CVE-2014-8153)
Thierry Carrez (ttx)
Changed in ossa:
status: Triaged → In Progress
Revision history for this message
Ihar Hrachyshka (ihar-hrachyshka) wrote : Re: L3 agent DoS vulnerability (CVE-2014-8153)

FYI fix is merged in all affected branches (Juno+).

Revision history for this message
Tristan Cacqueray (tristan-cacqueray) wrote :

Proposed public disclosure date/time:
2015-01-08, 1500UTC

Changed in ossa:
status: In Progress → Fix Committed
information type: Private Security → Public Security
summary: - L3 agent DoS vulnerability (CVE-2014-8153)
+ [OSSA 2015-001] L3 agent DoS vulnerability (CVE-2014-8153)
Thierry Carrez (ttx)
Changed in ossa:
status: Fix Committed → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to ossa (master)

Reviewed: https://review.openstack.org/145810
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=82756ab36e8abc2c25ef47c8ab614a3158e3b9f2
Submitter: Jenkins
Branch: master

commit 82756ab36e8abc2c25ef47c8ab614a3158e3b9f2
Author: Tristan Cacqueray <email address hidden>
Date: Thu Jan 15 20:50:58 2015 +0000

    Adds OSSA-2015-001

    Related-Bug: #1399172
    Change-Id: I135c9278bc97cd9d731675ac8d155f9a3b1a2f33

Thierry Carrez (ttx)
Changed in neutron:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in neutron:
milestone: kilo-2 → 2015.1.0