CVE-2018-17205 - Reachable Assertion vulnerability in multiple products

CVSS 7.5 - HIGH

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: NONE
  • Integrity impact: NONE
  • Availability impact: HIGH

Tags: network, low complexity, openvswitch, redhat, canonical, CWE-617, nessus

Summary

An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting ofproto_rule_insert__ in ofproto/ofproto.c. During bundle commit, flows that are added in a bundle are applied to ofproto in order. If a flow cannot be added (e.g., the flow action is a go-to for a group id that does not exist), OvS tries to revert all previous flows that were successfully applied from the same bundle. This is possible because OvS maintains a list of old flows that were replaced by flows from the bundle. While reinserting old flows, OvS hits an assertion failure due to a check on rule state != RULE_INITIALIZED. This would work for new flows, but for an old flow the rule state is RULE_REMOVED. The assertion failure causes an OvS crash.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3873-1.NASL
    description: It was discovered that Open vSwitch incorrectly decoded certain packets. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. (CVE-2018-17204) It was discovered that Open vSwitch incorrectly handled processing certain flows. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-17205) It was discovered that Open vSwitch incorrectly handled BUNDLE action decoding. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. (CVE-2018-17206). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-18
    modified: 2019-01-31
    plugin id: 121506
    published: 2019-01-31
    reporter: Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121506
    title: Ubuntu 16.04 LTS / 18.04 LTS : openvswitch vulnerabilities (USN-3873-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3873-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121506);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");
    
      script_cve_id("CVE-2018-17204", "CVE-2018-17205", "CVE-2018-17206");
      script_xref(name:"USN", value:"3873-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS : openvswitch vulnerabilities (USN-3873-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that Open vSwitch incorrectly decoded certain
    packets. A remote attacker could possibly use this issue to cause Open
    vSwitch to crash, resulting in a denial of service. (CVE-2018-17204)
    
    It was discovered that Open vSwitch incorrectly handled processing
    certain flows. A remote attacker could possibly use this issue to
    cause Open vSwitch to crash, resulting in a denial of service. This
    issue only affected Ubuntu 18.04 LTS. (CVE-2018-17205)
    
    It was discovered that Open vSwitch incorrectly handled BUNDLE action
    decoding. A remote attacker could possibly use this issue to cause
    Open vSwitch to crash, resulting in a denial of service.
    (CVE-2018-17206).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3873-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openvswitch-common package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openvswitch-common");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"openvswitch-common", pkgver:"2.5.5-0ubuntu0.16.04.2")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"openvswitch-common", pkgver:"2.9.2-0ubuntu0.18.04.3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openvswitch-common");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-4128-1.NASL
    description: This update for openvswitch to version 2.7.6 fixes the following issues : These security issues were fixed : CVE-2018-17205: Prevent OVS crash when reverting old flows in bundle commit (bsc#1104467). CVE-2018-17206: Avoid buffer overread in BUNDLE action decoding (bsc#1104467). CVE-2018-17204: When decoding a group mod, it validated the group type and command after the whole group mod has been decoded. The OF1.5 decoder, however, tried to use the type and command earlier, when it might still be invalid. This caused an assertion failure (via OVS_NOT_REACHED) (bsc#1104467). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-28
    modified: 2018-12-17
    plugin id: 119720
    published: 2018-12-17
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119720
    title: SUSE SLES12 Security Update : openvswitch (SUSE-SU-2018:4128-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-3500.NASL
    description: An update for openvswitch is now available for Fast Datapath for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Security Fix(es) : * openvswitch: Mishandle of group mods in lib/ofp-util.c:parse_group_prop_ntr_selection_method() allows for assertion failure (CVE-2018-17204) * openvswitch: Error during bundle commit in ofproto/ofproto.c:ofproto_rule_insert__() allows for crash (CVE-2018-17205) * openvswitch: Buffer over-read in lib/ofp-actions.c:decode_bundle() (CVE-2018-17206) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * Previously, when the ovs-vswitchd service restarted, an error displayed with many open files. With this update, the number of sockets opened by ovs-vswitchd is decreased. As a result, the described problem no longer occurs. (BZ#1526306) * Previously, when OpenvSwitch service was reloaded, the default flow was not removed and it became part of the final flow table. With this update, the default flow rule is no longer added after a service reload. As a result, the described problem no longer occurs. (BZ#1626096) Enhancement(s) : * With this update, the pmd-rxq-assign configuration has been added to Poll Mode Drivers (PMDs) cores. This allows users to select a round-robin assignment. (BZ#1616001) * With this update the ovs-appctl connection-status command has been introduced to the ovs-appctl utility. The command makes it possible to monitor hypervisor (HV) south bound database (SBDB) connection status. Layered products can now check if the ovn-controller is properly connected to a central node. (BZ#1593804) * With this update, support for the Dynamic Host Configuration Protocol (DHCP) option 252 has been added to Open Virtual Network (OVN) Native DHCP. (BZ#1641765)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 118745
    published: 2018-11-06
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118745
    title: RHEL 7 : openvswitch (RHSA-2018:3500)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-1562.NASL
    description: This update for openvswitch to version 2.7.6 fixes the following issues : These security issues were fixed : - CVE-2018-17205: Prevent OVS crash when reverting old flows in bundle commit (bsc#1104467). - CVE-2018-17206: Avoid buffer overread in BUNDLE action decoding (bsc#1104467). - CVE-2018-17204: When decoding a group mod, it validated the group type and command after the whole group mod has been decoded. The OF1.5 decoder, however, tried to use the type and command earlier, when it might still be invalid. This caused an assertion failure (via OVS_NOT_REACHED) (bsc#1104467). These non-security issues were fixed : - ofproto/bond: Fix bond reconfiguration race condition. - ofproto/bond: Fix bond post recirc rule leak. - ofproto/bond: fix internal flow leak of tcp-balance bond - systemd: Restart openvswitch service if a daemon crashes - conntrack: Fix checks for TCP, UDP, and IPv6 header sizes. - ofp-actions: Fix translation of set_field for nw_ecn - netdev-dpdk: Fix mempool segfault. - ofproto-dpif-upcall: Fix flow setup/delete race. - learn: Fix memory leak in learn_parse_sepc() - netdev-dpdk: fix mempool_configure error state - vswitchd: Add --cleanup option to the
    last seen: 2020-06-05
    modified: 2018-12-17
    plugin id: 119716
    published: 2018-12-17
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119716
    title: openSUSE Security Update : openvswitch (openSUSE-2018-1562)

Redhat

advisories
  • rhsa id: RHSA-2018:3500
  • rhsa id: RHSA-2019:0053
  • rhsa id: RHSA-2019:0081
rpms
  • openvswitch-0:2.9.0-70.el7fdp.1
  • openvswitch-debuginfo-0:2.9.0-70.el7fdp.1
  • openvswitch-devel-0:2.9.0-70.el7fdp.1
  • openvswitch-ovn-central-0:2.9.0-70.el7fdp.1
  • openvswitch-ovn-common-0:2.9.0-70.el7fdp.1
  • openvswitch-ovn-host-0:2.9.0-70.el7fdp.1
  • openvswitch-ovn-vtep-0:2.9.0-70.el7fdp.1
  • openvswitch-test-0:2.9.0-70.el7fdp.1
  • python-openvswitch-0:2.9.0-70.el7fdp.1
  • openvswitch-0:2.9.0-83.el7fdp.1
  • openvswitch-debuginfo-0:2.9.0-83.el7fdp.1
  • openvswitch-devel-0:2.9.0-83.el7fdp.1
  • openvswitch-ovn-central-0:2.9.0-83.el7fdp.1
  • openvswitch-ovn-common-0:2.9.0-83.el7fdp.1
  • openvswitch-ovn-host-0:2.9.0-83.el7fdp.1
  • openvswitch-ovn-vtep-0:2.9.0-83.el7fdp.1
  • openvswitch-test-0:2.9.0-83.el7fdp.1
  • python-openvswitch-0:2.9.0-83.el7fdp.1