On 3/13/19 8:19 PM, Salvatore Bonaccorso wrote:
> Source: neutron
> Version: 2:13.0.2-10
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://bugs.launchpad.net/neutron/+bug/1818385
> 
> Hi,
> 
> The following vulnerability was published for neutron.
> 
> CVE-2019-9735[0]:
> | An issue was discovered in the iptables firewall module in OpenStack
> | Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x
> | before 13.0.3. By setting a destination port in a security group rule
> | along with a protocol that doesn't support that option (for example,
> | VRRP), an authenticated user may block further application of security
> | group rules for instances from any project/tenant on the compute hosts
> | to which it's applied. (Only deployments using the iptables security
> | group driver are affected.)
> 
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
> 
> For further information see:
> 
> [0] https://security-tracker.debian.org/tracker/CVE-2019-9735
>     https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9735
> [1] https://bugs.launchpad.net/neutron/+bug/1818385
> 
> Please adjust the affected versions in the BTS as needed.

I've uploaded the fix to Sid and asked the release team for an unblock.
Please see the attached debdiff for the fix in Stretch. I believe this
problem deserves a DSA: a single malformed rule makes iptables-restore fail,
which blocks further security-group rule updates for every instance on the
affected compute host, not just the offending tenant's.

Cheers,

Thomas Goirand (zigo)
diff -Nru neutron-9.1.1/debian/changelog neutron-9.1.1/debian/changelog
--- neutron-9.1.1/debian/changelog      2017-04-03 16:11:13.000000000 +0000
+++ neutron-9.1.1/debian/changelog      2019-03-14 09:41:17.000000000 +0000
@@ -1,3 +1,11 @@
+neutron (2:9.1.1-3+deb9u1) stretch-security; urgency=medium
+
+  * CVE-2019-9735: it's possible to add a security group rule for VRRP with a
+    dport. Apply upstream patch: When converting sg rules to iptables, do not
+    emit dport if not supported. (Closes: #924508).
+
+ -- Thomas Goirand <z...@debian.org>  Thu, 14 Mar 2019 10:41:17 +0100
+
 neutron (2:9.1.1-3) unstable; urgency=medium
 
   * Dutch translation of debconf messages (Closes: #841651).
diff -Nru 
neutron-9.1.1/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch
 
neutron-9.1.1/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch
--- 
neutron-9.1.1/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch
    1970-01-01 00:00:00.000000000 +0000
+++ 
neutron-9.1.1/debian/patches/CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch
    2019-03-14 09:41:17.000000000 +0000
@@ -0,0 +1,74 @@
+Description: CVE-2019-9735: When converting sg rules to iptables, do not emit 
dport if not supported
+ Since iptables-restore doesn't support --dport with protocol vrrp,
+ it errors out setting the security groups on the hypervisor.
+ .
+ Marking this a partial fix, since we need a change to prevent
+ adding those incompatible rules in the first place, but this
+ patch will stop the bleeding.
+Author: Doug Wiegley <dwieg...@salesforce.com>
+Change-Id: If5e557a8e61c3aa364ba1e2c60be4cbe74c1ec8f
+Bug-Debian: https://bugs.debian.org/924508
+Bug-Ubuntu: https://bugs.launchpad.net/neutron/+bug/1818385
+Origin: upstream, https://review.openstack.org/#/c/640685/
+Partial-Bug: #1818385
+Last-Update: 2019-03-14
+
+--- neutron-9.1.1.orig/neutron/agent/linux/iptables_firewall.py
++++ neutron-9.1.1/neutron/agent/linux/iptables_firewall.py
+@@ -49,6 +49,15 @@ LINUX_DEV_LEN = 14
+ MAX_CONNTRACK_ZONES = 65535
+ comment_rule = iptables_manager.comment_rule
+ 
++# iptables protocols that support --dport and --sport
++IPTABLES_PORT_PROTOCOLS = [
++    constants.PROTO_NAME_DCCP,
++    constants.PROTO_NAME_SCTP,
++    constants.PROTO_NAME_TCP,
++    constants.PROTO_NAME_UDP,
++    constants.PROTO_NAME_UDPLITE
++]
++
+ 
+ def get_hybrid_port_name(port_name):
+     return (constants.TAP_DEVICE_PREFIX + port_name)[:LINUX_DEV_LEN]
+@@ -644,11 +653,12 @@ class IptablesFirewallDriver(firewall.Fi
+             # icmp code can be 0 so we cannot use "if port_range_max" here
+             if port_range_max is not None:
+                 args[-1] += '/%s' % port_range_max
+-        elif port_range_min == port_range_max:
+-            args += ['--%s' % direction, '%s' % (port_range_min,)]
+-        else:
+-            args += ['-m', 'multiport', '--%ss' % direction,
+-                     '%s:%s' % (port_range_min, port_range_max)]
++        elif protocol in IPTABLES_PORT_PROTOCOLS:
++            if port_range_min == port_range_max:
++                args += ['--%s' % direction, '%s' % (port_range_min,)]
++            else:
++                args += ['-m', 'multiport', '--%ss' % direction,
++                         '%s:%s' % (port_range_min, port_range_max)]
+         return args
+ 
+     def _ip_prefix_arg(self, direction, ip_prefix):
+--- neutron-9.1.1.orig/neutron/tests/unit/agent/linux/test_iptables_firewall.py
++++ neutron-9.1.1/neutron/tests/unit/agent/linux/test_iptables_firewall.py
+@@ -195,6 +195,20 @@ class IptablesFirewallTestCase(BaseIptab
+         egress = None
+         self._test_prepare_port_filter(rule, ingress, egress)
+ 
++    def test_filter_bad_vrrp_with_dport(self):
++        rule = {'ethertype': 'IPv4',
++                'direction': 'ingress',
++                'protocol': 'vrrp',
++                'port_range_min': 10,
++                'port_range_max': 10}
++        # Dest port isn't support with VRRP, so don't send it
++        # down to iptables.
++        ingress = mock.call.add_rule('ifake_dev',
++                                     '-p vrrp -j RETURN',
++                                     top=False, comment=None)
++        egress = None
++        self._test_prepare_port_filter(rule, ingress, egress)
++
+     def test_filter_ipv4_ingress_prefix(self):
+         prefix = FAKE_PREFIX['IPv4']
+         rule = {'ethertype': 'IPv4',
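Review bot: The new `elif protocol in IPTABLES_PORT_PROTOCOLS:` branch fails open for any protocol not in the list — a rule the tenant asked to be port-restricted is emitted as a bare `-p <proto> -j RETURN`, wider than requested, and nothing records that the port was dropped. That is the intended outcome for VRRP (which has no ports), but the same silent widening would hit TCP/UDP rules if `protocol` reaches this comparison as a numeric string (`'6'`, `'17'`) rather than a name; the start of `_port_arg` is outside the hunk, so confirm the name normalization runs before this check. I would add an `else:` that logs the drop, assuming the module's `LOG`: `LOG.warning("Ignoring port range %s:%s for protocol %s, which does not support ports", port_range_min, port_range_max, protocol)`. The added test only covers VRRP ingress; a companion test asserting that a numeric TCP protocol with a dport still yields `--dport` would pin the fail-open case. The patch header itself notes this is a partial fix pending server-side validation of such rules.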
diff -Nru neutron-9.1.1/debian/patches/series 
neutron-9.1.1/debian/patches/series
--- neutron-9.1.1/debian/patches/series 2017-04-03 16:11:13.000000000 +0000
+++ neutron-9.1.1/debian/patches/series 2019-03-14 09:41:17.000000000 +0000
@@ -1,3 +1,4 @@
 fix-requirements.txt.patch
 flake8-legacy.patch
 allow-sqla-1.1.patch
+CVE-2019-9735_When_converting_sg_rules_to_iptables_do_not_emit_dport_if_not_supported.patch
