CVE-2023-1668 - Open vSwitch (OVS) Vulnerability — How Protocol 0 Can Break Your Network

In April 2023, a critical vulnerability was discovered in Open vSwitch (OVS), tracked as CVE-2023-1668. The flaw arises when OVS processes an IP packet whose protocol field is 0 (a reserved value that legitimate traffic almost never carries). Because OVS fails to handle such traffic properly, it can install an overly broad datapath flow that lets the wrong packets through, changing how your network behaves in ways you never intended.

Let’s break down what this means, look at the issue in code, and see just how an attacker might exploit it.

What is Open vSwitch (OVS)?

Open vSwitch is an open-source multilayer switch widely used to provide virtual networking for systems like OpenStack, Kubernetes, and more. It integrates deeply with both Linux and other hypervisors, making performance and security bugs a major concern for anyone running cloud or container infrastructure.

What’s the Problem?

When OVS processes a packet with IP protocol 0, it installs a datapath flow that wildcards the nw_proto (network protocol) field. This means that the rule applies to *any* IP protocol, including TCP, UDP, ICMP, and others—not just protocol 0.

Crucially, the installed action for this broad rule does not modify the IP header as needed. So, any later packets with different IP protocols can match this generic rule and be handled incorrectly.

> “A flaw was found in openvswitch, where processing an IP packet with protocol 0 causes OVS to install a datapath flow matching all IP protocols (nw_proto wildcarded) for this flow, but with an incorrect action, causing incorrect handling of other IP packets with different protocols that match this datapath flow.”

Why is that bad?  
If an attacker can craft and send just one IP packet with protocol 0, they can cause OVS to create a datapath flow that mishandles many other packets—potentially leading to data leaks, traffic bypass, loss of connectivity, or even denial of service.

Here’s a simple overview of how an attacker could abuse CVE-2023-1668:

1. Send a Special Packet: The attacker sends a packet to the OVS-powered switch. It uses IP protocol number 0, which is normally reserved.
2. Trigger Flow Installation: OVS, upon processing the packet, installs a flow in its datapath that matches any IP protocol (because it "wildcards" the protocol field).
3. Incorrect Actions: The installed flow has actions that don’t properly handle the protocol differences.
4. Affects Other Traffic: Now, legitimate packets with non-zero protocols (like TCP or UDP) can match this generic rule and be processed incorrectly—perhaps bypassing ACLs, being dropped, or routed the wrong way.

Code Snippet: The Vulnerable Logic (Simplified)

Here’s a distilled version of the code path in OVS (written in C), from dpif-netlink.c:

```c
/* Illustrative only: the helper names are placeholders, not real OVS functions. */
if (ip_proto == 0) {
    /* normally, flows should match specific protocols */
    install_datapath_flow(match_any_protocol(), actions);
    /* <-- match_any_protocol() wildcards nw_proto (BAD!) */
} else {
    install_datapath_flow(match_specific_protocol(ip_proto), actions);
}
```

How it Should Work

Instead, OVS should never wildcard nw_proto when a protocol is specified (even if it’s zero), or it should at least *refuse* to install flows for protocol 0 packets.

Proof of Concept (PoC)

You can easily demonstrate this bug by crafting a packet (with tools like Scapy) and sending it into your OVS environment.

Python/Scapy example

```python
from scapy.all import IP, Raw, send

# Craft an IP packet with protocol 0 (reserved); TARGET_IP is a placeholder
packet = IP(dst='TARGET_IP', proto=0) / Raw(load='Hello OVS')
send(packet)
```

After this packet traverses OVS, inspect the datapath flows (ovs-dpctl dump-flows).  
You’ll see a new flow installed that looks something like this (note the missing protocol differentiation inside ipv4(...)):

```
recirc_id(0),in_port(1),eth_type(0x0800),ipv4(...)
[...actions...]
```

Now, packets with TCP, UDP, ICMP, etc., that match other headers, can hit this generic rule.
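As an added defender-side example (not part of the original post or of the OVS project), the following script parses ovs-dpctl dump-flows output and flags IPv4 datapath flows that leave nw_proto wildcarded yet still forward traffic, which is the symptom described above. The dump lines are constructed samples in the default and `-m` rendering styles; a wildcarded proto is normal for a pipeline that never looks at L4, so treat hits as flows to review, not as proof of exploitation.

```python
import re

# Constructed sample output in the style of `ovs-dpctl dump-flows` (not a real capture).
SAMPLE_DUMP = """\
recirc_id(0),in_port(1),eth_type(0x0800),ipv4(proto=6,frag=no), packets:12, bytes:960, used:0.120s, actions:2
recirc_id(0),in_port(1),eth_type(0x0800),ipv4(frag=no), packets:1, bytes:42, used:0.010s, actions:3
recirc_id(0),in_port(2),eth_type(0x0800),ipv4(src=10.0.0.1/255.255.255.0,proto=0/0,frag=no), packets:1, bytes:42, used:0.030s, actions:drop
recirc_id(0),in_port(2),eth_type(0x0806), packets:4, bytes:168, used:0.500s, actions:1
"""

IPV4_RE = re.compile(r"ipv4\(([^)]*)\)")
ACTIONS_RE = re.compile(r"actions:(\S+)")


def parse_ipv4_fields(flow_line):
    """Return the ipv4(...) key/value pairs of a datapath flow, or None if it is not an IPv4 flow."""
    m = IPV4_RE.search(flow_line)
    if not m:
        return None
    fields = {}
    for kv in filter(None, m.group(1).split(",")):
        key, _, value = kv.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def proto_is_wildcarded(fields):
    """True when nw_proto is not matched exactly: key omitted (default output) or shown with a zero mask (-m output)."""
    if "proto" not in fields:
        return True
    _, _, mask = fields["proto"].partition("/")
    return bool(mask) and int(mask, 0) == 0


def find_suspicious_flows(dump_text):
    """Heuristic: IPv4 flows that wildcard nw_proto and have actions other than drop."""
    hits = []
    for line in dump_text.splitlines():
        fields = parse_ipv4_fields(line)
        if fields is None:
            continue
        actions = ACTIONS_RE.search(line)
        if proto_is_wildcarded(fields) and actions and actions.group(1) != "drop":
            hits.append(line)
    return hits


if __name__ == "__main__":
    for flow in find_suspicious_flows(SAMPLE_DUMP):
        print("nw_proto wildcarded but forwarding:", flow)
```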

Official References

- CVE-2023-1668 — NIST
- Red Hat Bugzilla — 218270
- Open vSwitch Security Advisories

Patch/Discussion:  
- Upstream OVS patch

- Patch immediately: Upgrade to the latest version of OVS that includes the fix.
- Block protocol 0 at the edges: Drop any IP packets with protocol 0 at your network border using firewall rules or OVS flow rules.

Example OVS Flow Rule to Block Protocol 0

```
ovs-ofctl add-flow br0 "ip,nw_proto=0,actions=drop"
```

Conclusion

CVE-2023-1668 is a serious flaw that can let a single weird packet drastically change how your switches behave. Anyone running cloud infrastructure, SDN, or virtual networks with OVS should patch now.



Timeline

Published on: 04/10/2023 22:15:00 UTC
Last modified on: 05/01/2023 06:15:00 UTC