[ADVISORY] CVE-2023-1668: Open vSwitch: Remote traffic denial of service via crafted packets with IP proto 0

[Ilya Maximets <i.maximets () ovn org>]

Description
===========

Multiple versions of Open vSwitch are vulnerable to crafted IP packets
with ip proto set to 0 causing a potential denial of service.
Triggering the vulnerability will require an attacker to send a crafted
IP packet with protocol field set to 0 and the flow rules to contain
'set' actions on other fields in the IP protocol header.  The resulting
flows will omit required actions, and fail to mask the IP protocol field,
resulting in a large bucket which captures all IP packets.

All versions of Open vSwitch at least as early as 1.5.0 are affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2023-1668 to this issue.


Mitigation
==========

For any version of Open vSwitch, preventing packets with network
protocol number '0' from reaching Open vSwitch will prevent the issue.
This is difficult to achieve because Open vSwitch obtains packets before
the iptables or nftables host firewall, so iptables or nftables on the
Open vSwitch host cannot ordinarily block the vulnerability.

Another method would be to add a high priority rule to the flow table
explicitly matching on nw protocol '0' and handling that traffic
separately:

    table=0 priority=32768,ip,nw_proto=0,actions=drop
    table=0 priority=32768,ipv6,nw_proto=0,actions=drop
    table=0 priority=32768,arp,arp_op=0,actions=drop

All 3 OpenFlow rules should be added to every OVS bridge.  This can
be difficult to maintain during the service restart.


Fix
===

Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer:

* 3.1.x:
  https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9
* 3.0.x:
  https://github.com/openvswitch/ovs/commit/0ec9af260ad84225e758d249fa32151ddf8a6520
* 2.17.x:
  https://github.com/openvswitch/ovs/commit/27fb5db7f727ffc056f024f9ba4936facccb5f40
* 2.16.x:
  https://github.com/openvswitch/ovs/commit/42f2b4b9b9a3c11d38f180bf1e35c47b77cd4ce8
* 2.15.x:
  https://github.com/openvswitch/ovs/commit/f36509fd64e339ffd33593451099be6baa12ffe6
* 2.14.x:
  https://github.com/openvswitch/ovs/commit/b46505f4d26cd4612a533687e7884efcb7a74111
* 2.13.x:
  https://github.com/openvswitch/ovs/commit/7fa0106e8594c34f9e16efd87a58e38a947c6c5b


Recommendation
==============

We recommend that users of Open vSwitch apply the linked patches, or
upgrade to a known patched version of Open vSwitch.  These include:

* 3.1.1
* 3.0.4
* 2.17.6
* 2.16.7
* 2.15.8
* 2.14.9
* 2.13.11


Acknowledgements
================

The Open vSwitch team wishes to thank the reporter:

      David Marchand <dmarchan () redhat com>

Attachment: OpenPGP_0xB9F7EC77C829BF96.asc
Description: OpenPGP public key

Attachment: OpenPGP_signature
Description: OpenPGP digital signature