On Tue, Dec 20, 2022 at 10:39:23PM +0100, Ilya Maximets wrote:
> Description
> ===========
>
> Multiple versions of Open vSwitch are vulnerable to crafted LLDP
> packets causing denial of service, and data underflow attacks.
> Triggering the vulnerabilities requires LLDP processing to be enabled
> for a specific port. Open vSwitch versions prior to 2.4.0 are not
> vulnerable.
>
> The Common Vulnerabilities and Exposures project (cve.mitre.org)
> has not yet assigned an identifier to this issue. The identifier will
> be communicated separately.

Has a CVE been requested?

> This issue does not affect the `lldpd' project, although they share
> a code base. The issue is related to parsing the Auto Attach TLVs,
> which is specific to the Open vSwitch implementation.
>
>
> Mitigation
> ==========
>
> For any version of Open vSwitch, preventing LLDP packets from reaching
> Open vSwitch mitigates the vulnerability. We do not recommend
> attempting to mitigate the vulnerability this way because of the
> following difficulties:
>
> - Open vSwitch obtains packets before the iptables host firewall,
>   so ebtables on the Open vSwitch host cannot ordinarily block the
>   vulnerability.
>
> - If Open vSwitch is configured to receive and transmit LLDP
>   messages, the required functionality will need to be disabled,
>   potentially disrupting the network.
>
> We have found that Open vSwitch is subject to a denial of service, and
> possibly a remote code execution exploit, when LLDP processing is enabled
> on an interface. By default, interfaces are not configured to process
> LLDP messages.
>
>
> Fix
> ===
>
> Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer are
> applied to the appropriate branches, and the original patch is located
> at:
>
> https://mail.openvswitch.org/pipermail/ovs-dev/2022-December/400596.html
>
> Recommendation
> ==============
>
> We recommend that users of Open vSwitch apply the respective patch, or
> upgrade to a known patched version of Open vSwitch. These include:
>
> * 3.0.3
> * 2.17.5
> * 2.16.6
> * 2.15.7
> * 2.14.8
> * 2.13.10
>
>
> Acknowledgments
> ===============
>
> The Open vSwitch team wishes to thank the reporter:
>
> Qian Chen <cq674350...@gmail.com>
>
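A defender-side check prompted by the Mitigation and Recommendation sections quoted above, added here as an example and not part of the advisory or of Open vSwitch itself: it compares an ovs-vswitchd version string against the patched releases the advisory lists and prints the interfaces whose `lldp` map has `enable=true`, the precondition the advisory gives for triggering the bug. It assumes the record layout of `ovs-vsctl --columns=name,lldp list Interface` and runs on a constructed sample in place of a live query.

```shell
#!/bin/sh
# Added defender-side check (not part of the advisory or of OVS): version
# status against the advisory's patched releases, plus LLDP-enabled ports.

# Patched releases named in the advisory; one per maintained branch.
PATCHED="3.0.3 2.17.5 2.16.6 2.15.7 2.14.8 2.13.10"

# ovs_fix_status VERSION -> patched | vulnerable | not-affected | unknown-branch
ovs_fix_status() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-rc1"
    [ -n "$patch" ] || patch=0
    # Advisory: versions before 2.4.0 do not carry the vulnerable code.
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 4 ]; }; then
        echo not-affected; return 0
    fi
    for p in $PATCHED; do
        pmaj=${p%%.*}; prest=${p#*.}; pmin=${prest%%.*}; ppatch=${prest#*.}
        if [ "$major" -eq "$pmaj" ] && [ "$minor" -eq "$pmin" ]; then
            [ "$patch" -ge "$ppatch" ] && echo patched || echo vulnerable
            return 0
        fi
    done
    echo unknown-branch              # branch not in the advisory's list
}

# lldp_enabled_interfaces: reads `ovs-vsctl --columns=name,lldp list Interface`
# output on stdin; prints names of interfaces whose lldp map has enable=true.
# Records are blank-line separated, so column order within a record is free.
lldp_enabled_interfaces() {
    awk '
        $1 == "name" { name = $3; gsub(/"/, "", name) }
        $1 == "lldp" && /enable="?true"?/ { on = 1 }
        /^$/ { if (on && name != "") print name; name = ""; on = 0 }
        END  { if (on && name != "") print name }
    '
}

# Constructed sample of ovs-vsctl output (not captured from a real host).
SAMPLE_INTERFACES='name                : eth0
lldp                : {}

lldp                : {enable="true"}
name                : eth1'

# Stand-alone run; on a live host pipe the real ovs-vsctl output instead.
echo "status of 2.17.4: $(ovs_fix_status 2.17.4)"
printf '%s\n' "$SAMPLE_INTERFACES" | lldp_enabled_interfaces
```

Any interface the second function prints is one where the advisory's trigger condition holds, so those are the ports to prioritise when scheduling the upgrade.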