A security vulnerability has been discovered in Open vSwitch (OVS), the open-source multilayer virtual switch widely used in virtualized and cloud networks. The flaw, designated CVE-2023-1668, affects how OVS installs datapath flows for IP packets with protocol 0 and can cause other IP traffic to be processed with the wrong actions. In this post, we will take a closer look at the specifics of this vulnerability and provide guidance on mitigating the issue, including code snippets and references to the original sources.

Vulnerability Details

The flaw lies in how OVS processes IP packets whose protocol field is 0 (zero). When OVS encounters such a packet, it installs a datapath flow without the action that modifies the IP header, but leaves nw_proto wildcarded in that flow. The result is a datapath flow that matches every IP protocol for the address(es) involved while carrying an incorrect action set, so subsequent packets with a non-zero protocol (TCP, UDP, and so on) that hit this cached flow are handled improperly.

Affected Versions

Both the kernel and the userspace datapath are affected. The Open vSwitch security advisory for CVE-2023-1668 lists the exact affected and fixed release numbers.

The following illustrative pseudocode (written for this post, not taken from the OVS source tree) sketches the vulnerable behaviour:

int ovs_vswitch_parse_packet(struct sk_buff *skb, struct sw_flow_key *key)
{
    ...
    if (ip_hdr(skb)->protocol == 0) {
        /* Protocol 0: the IP-header-modifying action is skipped, but
         * nw_proto is left wildcarded, so the datapath flow installed for
         * this packet matches every IP protocol with the wrong action set. */
        key->nw_proto = 0;
    }
    ...
}

Exploit Scenario

An attacker who can send a crafted IP packet with protocol 0 through an OVS bridge, for example towards an address whose OpenFlow rules rewrite the IP header, can cause OVS to install a datapath flow that lacks that rewrite action and matches every IP protocol. Legitimate TCP or UDP packets that subsequently hit this cached flow are forwarded with the wrong actions, so the effect outlives the single malicious packet. This can disrupt or misconfigure the virtualized network and may result in unauthorized access, data leakage, or denial-of-service conditions.

Mitigation

To address this issue, the Open vSwitch developers have released a patch that changes how OVS handles IP packets with protocol 0: nw_proto is now exact-matched (no longer wildcarded) for such packets, so the datapath flow that gets installed matches only protocol-0 packets and can no longer capture other IP traffic. In the same illustrative pseudocode:

int ovs_vswitch_parse_packet(struct sk_buff *skb, struct sw_flow_key *key)
{
    ...
    if (ip_hdr(skb)->protocol == 0) {
        /* Record the protocol and require an exact match on it, so the
         * datapath flow matches only zero-protocol IP packets. */
        key->nw_proto = ip_hdr(skb)->protocol;
    }
    ...
}
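To make the failure mode concrete for both the vulnerable and the patched handling described above, here is a small Python model of the datapath flow cache. It was written for this post and is not Open vSwitch code; the VIP and backend addresses, the single DNAT-style OpenFlow rule, and the Packet and DatapathFlow structures are constructed for the example. An attacker's protocol-0 packet is sent first, then a legitimate TCP packet to the same address, and the model reports where the TCP packet actually ended up.

```python
from dataclasses import dataclass


# Addresses and output port used by the demo; constructed for this example.
VIP, BACKEND, OUT_PORT = "10.0.0.10", "10.0.1.5", 2


@dataclass(frozen=True)
class Packet:
    """The header fields this model cares about (OVS flow field names)."""
    nw_dst: str
    nw_proto: int       # IP protocol: 0 = no transport header, 6 = TCP, 17 = UDP
    tp_dst: int = 0


@dataclass
class DatapathFlow:
    """A cached datapath (megaflow) entry: values, per-field masks, actions."""
    match: dict
    exact: dict         # field -> True if exact-matched, False if wildcarded
    actions: list

    def matches(self, pkt: Packet) -> bool:
        # Wildcarded fields match anything; exact fields must be equal.
        return all(not want or getattr(pkt, f) == self.match[f]
                   for f, want in self.exact.items())


def translate(pkt: Packet, fixed: bool) -> DatapathFlow:
    """Slow path: turn this demo's only OpenFlow rule
    ('ip,nw_dst=VIP -> mod_nw_dst:BACKEND,output:OUT_PORT') into a datapath
    flow for the packet, reproducing the behaviour described for
    CVE-2023-1668. Simplified model, not the OVS translation code."""
    match = {"nw_dst": pkt.nw_dst, "nw_proto": pkt.nw_proto}
    exact = {"nw_dst": True, "nw_proto": True}
    actions = []
    if pkt.nw_dst == VIP:
        if pkt.nw_proto == 0:
            # Protocol 0: the IP-header-modifying action is not emitted, and
            # before the fix nw_proto was left wildcarded, so this action-less
            # flow also matches TCP/UDP packets to the VIP.
            exact["nw_proto"] = fixed
        else:
            actions.append(("set_nw_dst", BACKEND))
    actions.append(("output", OUT_PORT))
    return DatapathFlow(match, exact, actions)


def apply_actions(flow: DatapathFlow, pkt: Packet):
    """Execute the cached action list; returns (final nw_dst, output port)."""
    dst, out = pkt.nw_dst, None
    for kind, arg in flow.actions:
        if kind == "set_nw_dst":
            dst = arg
        elif kind == "output":
            out = arg
    return dst, out


class Switch:
    """Fast path: consult the datapath flow cache before translating."""

    def __init__(self, fixed: bool):
        self.fixed = fixed
        self.cache = []     # list of DatapathFlow, searched in insertion order

    def process(self, pkt: Packet):
        for flow in self.cache:
            if flow.matches(pkt):
                return apply_actions(flow, pkt)   # cache hit: no re-translation
        flow = translate(pkt, self.fixed)
        self.cache.append(flow)
        return apply_actions(flow, pkt)


def demo(fixed: bool, probe_first: bool = True) -> dict:
    """Send an attacker's protocol-0 packet, then a legitimate TCP packet,
    and report where the TCP packet was delivered and how many flows exist."""
    sw = Switch(fixed)
    probe = Packet(nw_dst=VIP, nw_proto=0)              # attacker's packet
    client = Packet(nw_dst=VIP, nw_proto=6, tp_dst=443)  # legitimate TCP client
    if probe_first:
        sw.process(probe)
    dst, _ = sw.process(client)
    return {"tcp_delivered_to": dst, "cache_entries": len(sw.cache)}


if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))   # TCP reaches the VIP, rewrite lost
    print("patched:   ", demo(fixed=True))    # TCP reaches BACKEND as intended
```

Run it and compare the two lines: with the vulnerable translation the TCP packet hits the cached, wildcarded flow and reaches the VIP without the rewrite; with the patched translation it misses, gets its own flow and reaches the backend. Real OVS evicts and revalidates cached flows over time, which this model ignores, so in practice the window is bounded but renewable by sending another protocol-0 packet.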

Users of Open vSwitch should upgrade to a patched release as soon as possible. Check the running version with ovs-vswitchd --version (or ovs-vsctl --version) and compare it with the fixed releases listed in the advisory. As an interim workaround where an upgrade cannot happen immediately, a high-priority OpenFlow rule that drops IP packets with protocol 0, for example ovs-ofctl add-flow br0 "priority=65535,ip,nw_proto=0,actions=drop" (and the ipv6 equivalent), stops such packets before a datapath flow is installed for them; apply it on every affected bridge.

References

1. Open vSwitch: https://www.openvswitch.org/

2. CVE-2023-1668: https://nvd.nist.gov/vuln/detail/CVE-2023-1668

3. Open vSwitch Security Notice for CVE-2023-1668

Conclusion

The Open vSwitch vulnerability CVE-2023-1668 exposes network virtualization environments to real security risks: a single protocol-0 packet can leave a cached datapath flow that mishandles ordinary IP traffic. Users of OVS should apply the patched release as soon as possible. By staying vigilant and keeping systems up to date, network administrators can help protect their virtualized environments from such threats.

Timeline

Published on: 2023-04-10 22:15:00 UTC
Last modified on: 2023-05-01 06:15:00 UTC