Comment 31 for bug 1902917

David Sinquin (david-5-1) wrote : Re: Anti-spoofing bypass using Open vSwitch (CVE-2021-20267)

I think the patch I had attached to this bug report had a working fix for that using the nd_target param in the _add_flow method.

The code is mostly:

self._add_flow(
    table=ovs_consts.BASE_EGRESS_TABLE,
    priority=95,
    in_port=port.ofport,
    reg_port=port.ofport,
    dl_type=lib_const.ETHERTYPE_IPV6,
    nw_proto=lib_const.PROTO_NUM_IPV6_ICMP,
    icmp_type=n_const.ICMPV6_TYPE_NA,
    nd_target=allowed_ip_addr,
    actions='resubmit(,%d)' % (
        ovs_consts.ACCEPTED_EGRESS_TRAFFIC_NORMAL_TABLE)
)

and results in the following Open vSwitch rule:

table=71, hard_age=65534, priority=95,icmp6,reg5=0x4,in_port=4,icmp_type=136,nd_target=fe80::f816:3eff:fed3:1eb4,actions=resubmit(,94)

The above, as-is, allows the VM to use an IPv6 it does not own to announce its own IPs, but it can likely be restricted further; it does not prevent the VM from announcing a MAC address it does not own, but this requires privileges inside the VM, and these privileges are anyway enough to make many other DoS attacks on the VM itself.
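As an added illustration (not code from the bug report or from Neutron), the helper below parses the ovs-ofctl flow line quoted above and checks which neighbor-advertisement fields it constrains; it assumes OVS string-valued match fields and expands only the icmp6 shorthand, and the packets are constructed samples.

```python
import re

# Constructed input: the flow line quoted in the comment, in ovs-ofctl dump-flows syntax.
FLOW_LINE = ("table=71, hard_age=65534, priority=95,icmp6,reg5=0x4,in_port=4,"
             "icmp_type=136,nd_target=fe80::f816:3eff:fed3:1eb4,actions=resubmit(,94)")

# Flow attributes that are not packet match fields.
NON_MATCH = {"table", "priority", "hard_age", "idle_age", "n_packets",
             "n_bytes", "duration", "cookie"}
# Bare protocol keyword expanded to the fields it stands for (assumption: only icmp6 is needed here).
SHORTHAND = {"icmp6": {"dl_type": "0x86dd", "nw_proto": "58"}}

def parse_flow(line):
    """Return (match_fields, actions) for one ovs-ofctl flow line."""
    match_part, actions = line.split("actions=", 1)
    fields = {}
    for tok in re.split(r"[,\s]+", match_part.strip()):
        if not tok:
            continue
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key not in NON_MATCH:
                fields[key] = value
        else:
            fields.update(SHORTHAND.get(tok, {tok: "1"}))
    return fields, actions

def flow_matches(fields, pkt):
    """True if every match field of the flow equals the packet's value (string compare)."""
    return all(pkt.get(key) == value for key, value in fields.items())

# Constructed neighbor advertisements from the port with reg5=0x4 (values as OVS strings).
NA_OWN = {"in_port": "4", "reg5": "0x4", "dl_type": "0x86dd", "nw_proto": "58",
          "icmp_type": "136", "ipv6_src": "fe80::f816:3eff:fed3:1eb4",
          "nd_target": "fe80::f816:3eff:fed3:1eb4"}
NA_FOREIGN_TARGET = dict(NA_OWN, nd_target="fe80::1")  # advertises an address the port does not own
NA_FOREIGN_SRC = dict(NA_OWN, ipv6_src="fe80::1")      # own target, but ipv6_src is not pinned by the flow

def check_flow(line=FLOW_LINE):
    """Summarise what the nd_target flow accepts and which L3 field it leaves unconstrained."""
    fields, _ = parse_flow(line)
    return {
        "own_target_accepted": flow_matches(fields, NA_OWN),
        "foreign_target_accepted": flow_matches(fields, NA_FOREIGN_TARGET),
        "foreign_src_accepted": flow_matches(fields, NA_FOREIGN_SRC),
        "unconstrained_ipv6_src": "ipv6_src" not in fields,
    }

if __name__ == "__main__":
    print(check_flow())
```

The result confirms the comment's point: an NA for a foreign nd_target is dropped, while the IPv6 source address is not restricted by this flow.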