===================================================================== OSSA-2016-009: Neutron IPTables firewall anti-spoof protection bypass ===================================================================== :Date: June 14, 2016 :CVE: CVE-2016-5362 (DHCP spoofing), CVE-2016-5363 (MAC source address spoofing), CVE-2015-8914 (ICMPv6 source address spoofing) Affects ~~~~~~~ - Neutron: <=7.0.4, >=8.0.0 <=8.1.0 Description ~~~~~~~~~~~ Romain Aviolat from Nagravision and Dustin Lundquist from Blue Box Group, Inc independently reported vulnerabilities in Neutron anti- spoof protection. By forging DHCP discovery messages or non-IP traffic, such as ARP or ICMPv6, an instance may spoof IP or MAC source addresses on attached networks resulting in denial of services and/or traffic interception. Moreover when L2population isn't used, other tenants attached to a shared network are also vulnerable. Neutron setups using the IPTables firewall driver are affected. Patches ~~~~~~~ - https://review.openstack.org/299025 (MAC) (Liberty) - https://review.openstack.org/303572 (DHCP) (Liberty) - https://review.openstack.org/310652 (ICMPv6) (Liberty) - https://review.openstack.org/299023 (MAC) (Mitaka) - https://review.openstack.org/303563 (DHCP) (Mitaka) - https://review.openstack.org/310648 (ICMPv6) (Mitaka) - https://review.openstack.org/299021 (MAC) (Newton) - https://review.openstack.org/300202 (DHCP) (Newton) - https://review.openstack.org/300233 (ICMPv6) (Newton) Credits ~~~~~~~ - Romain Aviolat from Nagravision (CVE-2015-8914) - Dustin Lundquist from Blue Box Group, Inc (CVE-2016-5362, CVE-2016-5363) References ~~~~~~~~~~ - https://bugs.launchpad.net/bugs/1502933 (ICMPv6) - https://bugs.launchpad.net/bugs/1558658 (MAC, DHCP) - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5362 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5363 - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8914 -- Tristan Cacqueray OpenStack Vulnerability Management Team