Reviewed: https://review.opendev.org/c/openstack/neutron/+/806746
Committed: https://opendev.org/openstack/neutron/commit/df891f0593d234e01f27d7c0376d9702e178ecfb
Submitter: "Zuul (22348)"
Branch: master

commit df891f0593d234e01f27d7c0376d9702e178ecfb
Author: Slawek Kaplonski <[email protected]>
Date: Tue Aug 31 15:43:11 2021 +0200

Remove dhcp_extra_opt value after first newline character

Passing a newline to dnsmasq may cause security issues, especially since, in the case of Neutron, the dhcp options' values are controlled by cloud users.
This patch removes everything after the first newline character in the dhcp_extra_opt's values before passing them to dnsmasq.

Closes-Bug: #1939733
Change-Id: Ifeaf258f0b5ea86f25620ac4116d618980a7272e

** Changed in: neutron
Status: In Progress => Fix Released

https://bugs.launchpad.net/bugs/1939733

Title: [OSSA-2021-005] Arbitrary dnsmasq reconfiguration via extra_dhcp_opts (CVE-2021-40085)

Status in Ubuntu Cloud Archive: New
Status in Ubuntu Cloud Archive queens series: New
Status in Ubuntu Cloud Archive rocky series: New
Status in Ubuntu Cloud Archive stein series: New
Status in Ubuntu Cloud Archive train series: New
Status in Ubuntu Cloud Archive ussuri series: New
Status in Ubuntu Cloud Archive victoria series: New
Status in Ubuntu Cloud Archive wallaby series: New
Status in Ubuntu Cloud Archive xena series: New
Status in neutron: Fix Released
Status in OpenStack Security Advisory: Fix Released
Status in neutron package in Ubuntu: New
Status in neutron source package in Bionic: New
Status in neutron source package in Focal: New
Status in neutron source package in Hirsute: New
Status in neutron source package in Impish: New

Bug description:

The application doesn't check the input values for the extra_dhcp_opts port parameter, allowing a user to use a newline character. The values from extra_dhcp_opts are used in rendering of the opts file which is passed to dnsmasq as a dhcp-optsfile. Considering this, an attacker can inject any options into that file.

The main direct impact, in my opinion, is that an attacker can push arbitrary dhcp options to other instances connected to the same network. And since we are able to modify our own port connected to an external network, it is possible to push dhcp options to the instances of other tenants using the same external network.

If we go further, there is a known buffer overflow vulnerability in dnsmasq (https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=7d04e17444793a840f98a0283968b96502b112dc) which was not considered a security issue because an attacker cannot control dhcp opts in most cases, and therefore this vulnerability still exists in most distributions (e.g. Ubuntu 20.04.1). In our case dhcp opts are exactly what an attacker can modify, so we can trigger the buffer overflow there. I even managed to write an exploit which leads to remote code execution using this buffer overflow vulnerability.

Here is the payload to crash dnsmasq as a proof of concept:

```
PUT /v2.0/ports/9db67e0f-537c-494a-a655-c8a0c518d57e HTTP/1.1
Host: openstack
X-Auth-Token: TOKEN
Content-Type: application/json
Content-Length: 170

{"port":{
"extra_dhcp_opts":[{"opt_name":"zzz",
"opt_value":"xxx\n128,aa:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\n120,aa.cc\n128,:"
}]}}
```

Tested on ocata, train and victoria versions.

Vulnerability was found by Pavel Toporkov
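
The truncation described in the commit message above, shown next to the unsanitized rendering the bug description reports. This is an added example, not part of the original notification and not Neutron's own code. The line format, function names and sample values are assumptions made for illustration.

```python
# Added example (not Neutron's code): simplified model of rendering
# extra_dhcp_opts into a dnsmasq opts file. All names are hypothetical.

def render_line(port_id, opt_name, opt_value):
    """Assumed simplified line format: tag:<port>,option:<name>,<value>."""
    return "tag:%s,option:%s,%s" % (port_id, opt_name, opt_value)


def strip_after_newline(opt_value):
    """Keep only the text before the first newline, as the commit describes."""
    return opt_value.split("\n", 1)[0]


def render_opts_file(port_id, extra_dhcp_opts, sanitize=True):
    """Render one line per option and return the lines of the resulting file."""
    rendered = []
    for opt in extra_dhcp_opts:
        value = opt["opt_value"]
        if sanitize:
            value = strip_after_newline(value)
        rendered.append(render_line(port_id, opt["opt_name"], value))
    # The file is consumed line by line, so split the final text the same way:
    # an embedded newline in a value shows up here as an extra line.
    return "\n".join(rendered).split("\n")


def audit_opts(extra_dhcp_opts):
    """Return opt_names whose stored value contains a line break.

    CR is checked as a conservative extra; the page only mentions newline.
    """
    return [o["opt_name"] for o in extra_dhcp_opts
            if "\n" in o["opt_value"] or "\r" in o["opt_value"]]


# Constructed sample input: one clean option, one with an embedded newline.
SAMPLE_OPTS = [
    {"opt_name": "mtu", "opt_value": "1450"},
    {"opt_name": "zzz", "opt_value": "xxx\nEXTRA-LINE"},
]

if __name__ == "__main__":
    for label, flag in (("unsanitized", False), ("sanitized", True)):
        print(label, render_opts_file("port-a", SAMPLE_OPTS, sanitize=flag))
    print("flagged:", audit_opts(SAMPLE_OPTS))
```

Because the fix truncates at render time, `audit_opts` is the kind of check that can be run over port records that were stored before the patch was deployed.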

