This post has been archived. Current news and events can be found here.

Sovereign Cloud Stack Security Advisory OvS proto 0 DoS (CVE-2023-1668)

The vulnerability

David Marchand (Red Hat) reported an issue with Open vSwitch (OvS) where the failure to properly execute 'set' actions for specifically crafted network packets with IP protocol number 0 could lead to a successful remote Denial-of-Service (DoS) attack.

The vulnerability is long-standing and affects Open vSwitch going back to at least version 1.5.0. (The current version is 3.1.1, in which this issue is fixed.)

The vulnerability has been assigned CVE-2023-1668; a more detailed description can be found in the Openwall OSS security advisory.

Impact on the SCS reference implementation

Open vSwitch is used in almost all OpenStack setups – specifically all SCS setups known to us use OvS. This includes both the OVN configurations (the SCS default) as well as those that rely on OvS alone.

Mitigation

It is possible to block IP protocol 0 packets by adding three flow rules as the highest-priority rules on every OvS bridge. Care is needed to ensure this happens automatically on every single bridge, which is a non-trivial endeavor.

There are patches available to fix the issue. These patches are included in the current OvS version 3.1.1. They have also been backported to the older versions 3.0.4, 2.17.6, 2.16.7, 2.15.8, 2.14.9 and 2.13.11.
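To check a fleet against the fixed versions listed above, the following added example (not part of the original advisory or of OvS/OSISM tooling) classifies hosts from the text printed by `ovs-vsctl --version`. The host names and inventory are constructed sample data, and treating branches newer than 3.1 as fixed is an assumption.

```python
import re

# First fixed release per stable branch, taken from the advisory text above.
FIXED = {(3, 1): 1, (3, 0): 4, (2, 17): 6, (2, 16): 7,
         (2, 15): 8, (2, 14): 9, (2, 13): 11}

# Anchor on "(Open vSwitch)" so the "DB Schema x.y.z" line is never matched.
_VERSION_RE = re.compile(r"\(Open vSwitch\)\s+(\d+)\.(\d+)\.(\d+)")


def parse_ovs_version(text):
    """Extract (major, minor, patch) from `ovs-vsctl --version` output."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no Open vSwitch version found in input")
    return tuple(int(part) for part in match.groups())


def classify(version):
    """Return 'fixed', 'vulnerable' or 'no-fixed-release' for CVE-2023-1668."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "vulnerable"
    if branch > max(FIXED):
        return "fixed"  # assumption: branches after 3.1 carry the fix
    # Older than 2.13: the advisory lists no backport for these branches.
    return "no-fixed-release"


def audit(inventory):
    """Map each host to its status; unparsable output is reported, not skipped."""
    report = {}
    for host, output in inventory.items():
        try:
            report[host] = classify(parse_ovs_version(output))
        except ValueError:
            report[host] = "unknown"
    return report


# Constructed sample inventory (hypothetical host names and outputs).
SAMPLE = {
    "net-01": "ovs-vsctl (Open vSwitch) 3.1.1\nDB Schema 8.3.1\n",
    "net-02": "ovs-vsctl (Open vSwitch) 2.17.5\nDB Schema 8.3.0\n",
    "net-03": "ovs-vsctl (Open vSwitch) 2.12.3\nDB Schema 8.0.0\n",
    "net-04": "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Distribution packages may carry the backported patch without changing the upstream version number, so a "vulnerable" result based on the version string alone should be confirmed against the package changelog.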

SCS releases

Due to ongoing work on improving the network stack, OSISM had released version 5.1.0 on Apr 7, which ships OvS version 3.1.1 and therefore the fix. Because of the networking improvements, the SCS project had advised all SCS partners to move from OSISM-4.x (SCS Release 3) or from 5.0.0 (SCS Release 4) to 5.1.0 even without being aware of CVE-2023-1668.

SCS release 3 (OSISM-4.x) is only officially supported until the end of April 2023 – we advise all our partners to move to R4 with OSISM-5.1.0 or later as soon as possible.

OSISM has worked on preparing a version 4.3.0 that includes a patched OvS version for those partners that cannot yet move to R4/OSISM-5.x. A release of this is planned for next week. No further updates are planned after this final release of R3/OSISM-4.x; users should move to R4/OSISM-5.x.

Patch status of SCS clouds

The networking improvements for OSISM-5.1.0 were done in close alignment between plusserver and OSISM – unsurprisingly, all regions of the pluscloud open had been upgraded to OSISM-5.1.0 in calendar week 15 already.

The Betacloud runs the rolling tag (latest) images and thus picked up the fixes the day after they became available.

The WaveStack operators are planning to do the upgrade to R4/OSISM-5.1+ next week. For now, their inbound firewalls protect them from remote attacks with evil proto 0 packets.

The regio tech cloud deployed OSISM-5.1.0 last week already.

Thanks

The authors would like to thank David Marchand who reported the vulnerability, the upstream OvS community and Jens Harbott at OSISM for working on addressing the issue.

Sovereign Cloud Stack Security Contact

SCS security contact is security@scs.community, as published on https://scs.community/.well-known/security.txt.

Version history

  • Initial Draft, v0.9, 2023-04-21, 08:30 CEST.
  • Patch status for beta, wave, regio included, updated OSISM-4.3.0 plans, v1.0, 2023-04-21, 15:45 CEST.