CVE-2023-3153: [ovs-announce] [ADVISORY] CVE-2023-3153 OVN: Service monitor MAC flow is not rate limited
A flaw was found in Open Virtual Network where traffic to the service monitor MAC is not properly rate limited. This issue could allow an attacker to cause a denial of service, including on deployments with CoPP enabled and properly configured.
Mark Michelson mmichels at redhat.com
Tue Aug 29 17:03:27 UTC 2023
- Previous message: [ovs-announce] OVN 22.03.3, 22.09.2, 22.12.1, 23.03.1, and 23.06.1 Released
Description
Multiple versions of Open Virtual Network (OVN) are vulnerable to a potential denial of service via traffic sent to the svc_monitor_mac.
The svc_monitor_mac is a MAC address used by OVN for the purposes of load balancer health checks. The svc_monitor_mac may be explicitly configured in the northbound database’s NB_Global "options:svc_monitor_mac". If it is not configured, then ovn-northd will choose a random MAC address for svc_monitor_mac and save it in the NB_Global "options:svc_monitor_mac". OVN will assign a svc_monitor_mac regardless of whether any load balancer health checks are configured.
If an attacker were to learn the svc_monitor_mac, then they could potentially cause a denial of service by continually sending traffic to the svc_monitor_mac, resulting in continuous upcalls to ovn-controller. These continuous upcalls can drive up the CPU usage of ovn-controller and prevent Open vSwitch from being able to handle legitimate traffic.
Note that learning the svc_monitor_mac is not straightforward. The attacker would need to either:
a) have access to the contents of the northbound database, so that they can see NB_Global’s options:svc_monitor_mac value; or
b) if load balancer health checks are configured, have access to virtual machines attached to the br-int bridge, so that traffic can be sniffed to learn the svc_monitor_mac.
Load balancer health checks were added to OVN in October 2019. Therefore, all OVN releases from 20.03 to 23.06 are vulnerable.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2023-3153 to this issue.
Mitigation
Administrators can mitigate the risk by ensuring that access to the northbound database and to virtual machines attached to br-int is restricted. Administrators may further mitigate the risk by periodically clearing the NB_Global options:svc_monitor_mac in the northbound database, causing ovn-northd to generate a new random svc_monitor_mac.
Fix
Administrators may either apply one of the patches attached to this advisory, or they may upgrade their OVN version to a patched version. Administrators should also enable control plane protection (CoPP) for the new “svc_monitor” meter on logical switches. This is especially important for logical switches that accept traffic from the public internet. The OVN project only prepares patches for versions of OVN that are currently under support. The following versions of OVN have the vulnerability patched:
* OVN version 22.03.3 or higher
* OVN version 22.09.2 or higher
* OVN version 22.12.1 or higher
* OVN version 23.03.1 or higher
* OVN version 23.06.1 or higher
Recommendation
OVN administrators should upgrade to any of the versions listed in the previous section. Administrators should also enable control plane protection (CoPP) for the new “svc_monitor” meter on logical switches. This is especially important for logical switches that accept traffic from the public internet.
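The two administrative actions this advisory recommends, rotating the stored svc_monitor_mac (Mitigation) and attaching a CoPP meter for service-monitor traffic to a logical switch (Fix and Recommendation), are collected below in a small POSIX shell helper. It is an added example written for this page, not a script from the advisory or from the OVN project. It assumes ovn-nbctl is on PATH, that the meter-add, copp-add and ls-copp-add subcommands are available (they are in the patched release lines), that the CoPP protocol name for the new meter is spelled "svc-monitor" (the hyphenated form ovn-nbctl uses for its other CoPP protocols; confirm against the ovn-nbctl manual for your release before applying), and that the rate and burst values are placeholders to be tuned per deployment. Setting DRY_RUN prints the commands instead of executing them, so the plan can be reviewed before touching the northbound database.

```shell
#!/bin/sh
# Added example for CVE-2023-3153 hardening; not part of the advisory or OVN.
# Assumptions: ovn-nbctl on PATH (override with OVN_NBCTL); CoPP protocol name
# "svc-monitor" (verify in `man ovn-nbctl`); rate/burst below are placeholders.

OVN_NBCTL="${OVN_NBCTL:-ovn-nbctl}"
SVC_METER="${SVC_METER:-svc-monitor-meter}"
SVC_COPP_PROTO="${SVC_COPP_PROTO:-svc-monitor}"   # assumed protocol name
SVC_RATE_PPS="${SVC_RATE_PPS:-100}"               # placeholder: packets/s allowed
SVC_BURST_PKTS="${SVC_BURST_PKTS:-200}"           # placeholder: burst in packets

# run: execute an ovn-nbctl subcommand, or print it when DRY_RUN is set so the
# generated plan can be reviewed without a live northbound database.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$OVN_NBCTL $*"
    else
        "$OVN_NBCTL" "$@"
    fi
}

# rotate_svc_monitor_mac: remove the stored value from NB_Global options so
# ovn-northd generates a fresh random MAC; a previously leaked value stops
# being useful to whoever learned it.
rotate_svc_monitor_mac() {
    run remove NB_Global . options svc_monitor_mac
}

# copp_protect_switch COPP_NAME SWITCH: create a drop meter, map the
# service-monitor traffic class to it inside CoPP group COPP_NAME, and bind
# the group to SWITCH. This caps what reaches ovn-controller, the resource
# the advisory says is exhausted. meter-add fails if SVC_METER already exists;
# reuse the existing meter name or delete it with meter-del first.
copp_protect_switch() {
    copp_name="$1"
    switch="$2"
    run meter-add "$SVC_METER" drop "$SVC_RATE_PPS" pktps "$SVC_BURST_PKTS"
    run copp-add "$copp_name" "$SVC_COPP_PROTO" "$SVC_METER"
    run ls-copp-add "$copp_name" "$switch"
}

# Usage (preview): DRY_RUN=1 ./svc_monitor_hardening.sh copp-public public-ls
# Usage (apply):   ./svc_monitor_hardening.sh copp-public public-ls
if [ $# -eq 2 ]; then
    rotate_svc_monitor_mac
    copp_protect_switch "$1" "$2"
fi
```

Run the helper once per logical switch that needs the meter; the CoPP group can be reused across switches, so after the first run only the ls-copp-add step is needed for additional switches. Rotating the MAC is cheap and can be scheduled periodically as the Mitigation section suggests, but it does not replace the patch: only the meter bounds the upcall rate.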
Acknowledgments
Thanks to Ales Musil of Red Hat for discovering, disclosing, and fixing the vulnerability. Thanks to Dumitru Ceara of Red Hat for confirming the issue, determining the extent of the issue, and reviewing Ales’s patch.
Patch
The attached patches, all written by Ales Musil, provide a fix for each supported version of OVN.

Attachments (non-text patches, scrubbed by the list archive):
- svc_23.06.patch (text/x-patch, 4778 bytes): http://mail.openvswitch.org/pipermail/ovs-announce/attachments/20230829/e3121130/attachment-0005.bin
- svc_23.03.patch (text/x-patch, 4800 bytes): http://mail.openvswitch.org/pipermail/ovs-announce/attachments/20230829/e3121130/attachment-0006.bin
- svc_22.12.patch (text/x-patch, 4800 bytes): http://mail.openvswitch.org/pipermail/ovs-announce/attachments/20230829/e3121130/attachment-0007.bin
- svc_22.09.patch (text/x-patch, 4800 bytes): http://mail.openvswitch.org/pipermail/ovs-announce/attachments/20230829/e3121130/attachment-0008.bin
- svc_22.03.patch (text/x-patch, 4800 bytes): http://mail.openvswitch.org/pipermail/ovs-announce/attachments/20230829/e3121130/attachment-0009.bin