On 1/21/25 21:00, Mark Michelson wrote:
Note: This release had to be fast-tracked because the security issue was
made public before an embargo could be lifted. We are awaiting a CVE
assignment and will update this advisory with the CVE number once it is
assigned.
CVE-2025-0650 has been assigned to this vulnerability.
Description
===========
Multiple versions of OVN (Open Virtual Network) are vulnerable to
allowing crafted UDP packets to bypass egress access control list (ACL)
rules. This can result in unauthorized access to virtual machines and
containers running on the OVN network.
OVN provides rudimentary DNS caching as an optional feature to speed up
lookups of frequently-used domains. When this feature is enabled, due to
the OpenFlow rules that OVN installs in Open vSwitch, it is possible for
an attacker to craft a UDP packet that can bypass egress ACL rules.
Egress ACL rules are those that have the "direction" set to "to-lport".
The OVN installation is vulnerable if a logical switch has DNS records
set on it AND if the same switch has any egress ACLs configured on it.
The switch is considered to have egress ACLs configured if the switch
has an egress ACL configured directly on it using the "acls" column of
the logical switch. A switch is also considered to have egress ACLs
configured if any of its logical switch ports are part of a port group
that has egress ACLs configured in its "acls" column.
A python script (vuln_test.py) is attached to this advisory and can be
used to determine if your installation is vulnerable. Run it in a
location where "ovn-nbctl" is installed and can access the northbound
database. The script will print to the console whether the installation
is vulnerable.
Mitigation
==========
If the DNS records being used in OVN are accessible over the internet
without using the built-in cache, then DNS caching can be disabled in
OVN by clearing the "dns_records" column of all logical switches in the
northbound database. Here is a command that can be used to accomplish this:
$ for s in $(ovn-nbctl list logical_switch | grep uuid | cut -f 2 -d
':') ; do ovn-nbctl clear logical_switch "$s" dns_records ; done
Doing this will incur a latency penalty for DNS lookups since the lookup
will be carried out over the internet instead of being looked up in a
local cache.
If OVN's DNS caching is required on the deployment, then a second
mitigation might be to adjust ACLs from being evaluated on egress to
being evaluated on ingress. ACLs whose "direction" column is set to
"to-lport" are evaluated on egress and are vulnerable to being bypassed
if OVN's DNS caching is enabled. ACLs whose "direction" column is set to
"from-lport" are evaluated on ingress and are not vulnerable to being
bypassed if OVN's DNS caching is enabled. An ACL can be evaluated on
ingress as long as it does not attempt to match on the "outport" field.
Ingress ACLs are capable of matching based on the results of load
balancing if "options:apply-after-lb" is set to "true".
There is no one-size fits all command line solution for changing egress
ACLs to ingress ACLs. Each ACL rule will need to be evaluated and
changed over if possible.
If DNS caching is required and egress ACLs are required, then the only
mitigation is to adjust the topology of the virtual network so that DNS
caching and egress ACLs are not on the same logical switch.
Fix
===
Patches to fix this vulnerability in currently supported versions of OVN
are as follows:
* 22.03.x:
https://github.com/ovn-org/ovn/commit/f22a1ba9c127795bebcfbd41d772bb071f893a6d
* 24.03.x:
https://github.com/ovn-org/ovn/commit/70618a65fd49f1d1d5498927c0bed63e296dafb7
* 24.09.x:
https://github.com/ovn-org/ovn/commit/249c52ad011cacb4c182dc64e88977ac7c61f668
The original patch is located at:
https://mail.openvswitch.org/pipermail/ovs-dev/2025-January/419993.html
Recommendation
==============
We recommend that users of OVN apply the linked patches, or upgrade to a
known patched version of OVN. These include:
v22.03.8
v24.03.5
v24.09.2
Acknowledgments
===============
The OVN team wishes to thank the reporters:
Marius Berntsberg - mar...@redpill-linpro.com
Trygve Vea - t...@redpill-linpro.com
Tore Anderson - t...@redpill-linpro.com
Rodolfo Alonso - ralon...@redhat.com
Jay Faulkner (Openstack VMT) - j...@jvf.cc
Brian Haley (Openstack/Neutron) - haleyb....@gmail.com
In addition, a special acknowledgment is due to the Firewall
Misconfiguration security research team at the University of California,
Riverside - firewallresea...@ucr.edu -
https://firewall-research.cs.ucr.edu/misconfiguration/
