[Openstack] [OSSA-2016-009] Neutron IPTables firewall anti-spoof protection bypass (CVE-2016-5362, CVE-2016-5363, CVE-2015-8914)

Tristan Cacqueray tdecacqu at redhat.com
Tue Jun 14 06:55:38 UTC 2016 

=====================================================================
OSSA-2016-009: Neutron IPTables firewall anti-spoof protection bypass
=====================================================================

:Date: June 14, 2016
:CVE: CVE-2016-5362 (DHCP spoofing),
      CVE-2016-5363 (MAC source address spoofing),
      CVE-2015-8914 (ICMPv6 source address spoofing)


Affects
~~~~~~~
- Neutron: <=7.0.4, >=8.0.0 <=8.1.0


Description
~~~~~~~~~~~
Romain Aviolat from Nagravision and Dustin Lundquist from Blue Box
Group, Inc independently reported vulnerabilities in Neutron anti-
spoof protection. By forging DHCP discovery messages or non-IP
traffic, such as ARP or ICMPv6, an instance may spoof IP or MAC source
addresses on attached networks resulting in denial of services and/or
traffic interception. Moreover when L2population isn't used, other
tenants attached to a shared network are also vulnerable. Neutron
setups using the IPTables firewall driver are affected.


Patches
~~~~~~~
- https://review.openstack.org/299025 (MAC)    (Liberty)
- https://review.openstack.org/303572 (DHCP)   (Liberty)
- https://review.openstack.org/310652 (ICMPv6) (Liberty)
- https://review.openstack.org/299023 (MAC)    (Mitaka)
- https://review.openstack.org/303563 (DHCP)   (Mitaka)
- https://review.openstack.org/310648 (ICMPv6) (Mitaka)
- https://review.openstack.org/299021 (MAC)    (Newton)
- https://review.openstack.org/300202 (DHCP)   (Newton)
- https://review.openstack.org/300233 (ICMPv6) (Newton)


Credits
~~~~~~~
- Romain Aviolat from Nagravision           (CVE-2015-8914)
- Dustin Lundquist from Blue Box Group, Inc (CVE-2016-5362,
                                             CVE-2016-5363)


References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1502933 (ICMPv6)
- https://bugs.launchpad.net/bugs/1558658 (MAC, DHCP)
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5362
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5363
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8914

--
Tristan Cacqueray
OpenStack Vulnerability Management Team

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20160614/04adaed7/attachment.sig>

More information about the Openstack mailing list