
Bug 577568 (CVE-2016-2074)

Summary: <net-misc/openvswitch-2.5.0 - MPLS buffer overflow vulnerabilities in Open vSwitch
Product: Gentoo Security
Reporter: Matthew Thode ( prometheanfire ) <prometheanfire>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa cve]
Package list:
Runtime testing required: ---

Description Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-03-16 17:15:14 UTC
Embargo ends: Monday, March 28

Multiple versions of Open vSwitch are vulnerable to remote buffer
overflow attacks, in which crafted MPLS packets could overflow the
buffer reserved for MPLS labels in an OVS internal data structure.
The MPLS packets that trigger the vulnerability and the potential for
exploitation vary depending on version:

    - Open vSwitch 2.1.x and earlier are not vulnerable.

    - In Open vSwitch 2.2.x and 2.3.x, the MPLS buffer overflow can be
      exploited for arbitrary remote code execution.

    - In Open vSwitch 2.4.x, the MPLS buffer overflow does not
      obviously lead to a remote code execution exploit, but testing
      shows that it can allow a remote denial of service.

    - Open vSwitch 2.5.x is not vulnerable.


Mitigation
==========

For any version of Open vSwitch, preventing MPLS packets from reaching
Open vSwitch mitigates the vulnerability.  We do not recommend
attempting to mitigate the vulnerability this way because of the
following difficulties:

    - Open vSwitch obtains packets before the iptables host firewall,
      so iptables on the Open vSwitch host cannot ordinarily block the
      vulnerability.

    - If Open vSwitch is configured to support tunnels, MPLS packets
      encapsulated within tunnels must also be prevented from reaching
      the host.

    - If Open vSwitch runs on a hypervisor, MPLS packets from VMs can
      also trigger the vulnerability.

We believe that Open vSwitch 2.4 is subject to denial of service only
when debug logging is enabled.  By default, debug logging is not
enabled.  Users most commonly enable debug logging at runtime using
the "ovs-appctl" utility.  When this is the case, the buffer overflow
will crash the ovs-vswitchd daemon once, and then when it
automatically restarts debug logging will be disabled; thus, in this
situation, the vulnerability can only cause a single, brief
interruption in service.  Debug logging can also be enabled
persistently using a command-line flag; in this situation, a stream of
crafted MPLS packets could cause an extended denial of service.


Fix
===

Patches to fix these vulnerabilities in Open vSwitch 2.3.x and 2.4.x
are appended.  The patch for Open vSwitch 2.3.x also applies to and is
effective for Open vSwitch 2.2.x.


Recommendation
==============

We recommend that users of Open vSwitch 2.3.x or 2.4.x apply the
respective patch, or upgrade to Open vSwitch 2.5.0.

For Open vSwitch 2.4.x only, if it cannot be upgraded expeditiously,
we recommend verifying that debug logging is not enabled on the
command line.  This is not effective mitigation for Open vSwitch
2.3.x.

Open vSwitch 2.2.x was never officially released.  If users of
prerelease versions exist, we recommend that they upgrade to Open
vSwitch 2.5.0.
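
An added example, not part of the advisory or of Open vSwitch: a POSIX shell check for the 2.4.x recommendation above, which scans an ovs-vswitchd argument list for -v/--verbose options that resolve to log level dbg. The function names and the sample command line are constructed for illustration; the spec rules follow the description of -v in ovs-vswitchd(8).

```shell
#!/bin/sh
# Added example: flag ovs-vswitchd options that request log level dbg at startup.

# spec_sets_dbg SPEC: return 0 if a -v/--verbose spec resolves to level dbg.
spec_sets_dbg() {
    spec=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')   # specs are case-insensitive
    # Bare -v / --verbose: every module and destination goes to dbg.
    if [ -z "$spec" ]; then return 0; fi
    # PATTERN:... and FACILITY:... set a log format or syslog facility, not a level.
    case $spec in pattern[:,]*|facility[:,]*) return 1 ;; esac
    level=dbg                      # a spec without a level word defaults to dbg
    old_ifs=$IFS
    IFS=$(printf ' ,:\t')          # vlog word separators
    set -f                         # no globbing while splitting the spec
    for word in $spec; do
        case $word in off|emer|err|warn|info|dbg) level=$word ;; esac
    done
    set +f
    IFS=$old_ifs
    [ "$level" = dbg ]
}

# cmdline_debug_logging ARG...: print each option that requests dbg;
# return 0 if any was found, 1 otherwise.
cmdline_debug_logging() {
    found=1
    for arg in "$@"; do
        case $arg in
            --verbose=*) s=${arg#--verbose=} ;;
            --verbose)   s= ;;
            -v*)         s=${arg#-v} ;;
            *)           continue ;;
        esac
        if spec_sets_dbg "$s"; then
            printf '%s\n' "$arg"
            found=0
        fi
    done
    return "$found"
}

# Constructed sample command line (not taken from a real host).
if cmdline_debug_logging ovs-vswitchd unix:/var/run/openvswitch/db.sock \
        -vconsole:emer -vsyslog:err -vfile:dbg --log-file --detach; then
    echo "debug logging is enabled on the command line"
fi
```

The check is conservative: it reports every option that requests dbg, even if a later -v option on the same command line would lower the level again. Levels changed at runtime are not visible on the command line; `ovs-appctl vlog/list` shows those.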
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-03-16 17:16:52 UTC
As 2.5.0 is in tree, I'd like to do a fast stablereq on that (amd64/x86) and remove all older releases.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-03-16 17:35:13 UTC
adding arch sec liaisons for fast stablereq of =net-misc/openvswitch-2.5.0
Comment 3 Agostino Sarubbo gentoo-dev 2016-03-16 18:04:13 UTC
stable for both.
Comment 4 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2016-03-16 18:10:42 UTC
removed bad versions

openvswitch-2.3.0.ebuild
openvswitch-2.3.1.ebuild
openvswitch-2.3.2.ebuild
openvswitch-2.4.0.ebuild

cleanup done

removing arch contacts
Comment 5 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-04-10 16:18:27 UTC
issue public at http://www.openwall.com/lists/oss-security/2016/03/29/1
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-21 17:02:03 UTC
@ Security: Waiting for GLSA...
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2017-01-01 16:03:57 UTC
This issue was resolved and addressed in
 GLSA 201701-07 at https://security.gentoo.org/glsa/201701-07
by GLSA coordinator Thomas Deutschmann (whissi).