Vulnerabilities > CVE-2018-17206 - Out-of-bounds Read vulnerability in multiple products

CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
openvswitch
redhat
canonical
debian
CWE-125
nessus

Summary

An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6. The decode_bundle function inside lib/ofp-actions.c is affected by a buffer over-read issue during BUNDLE action decoding.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3873-1.NASL
    description: It was discovered that Open vSwitch incorrectly decoded certain packets. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. (CVE-2018-17204) It was discovered that Open vSwitch incorrectly handled processing certain flows. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS. (CVE-2018-17205) It was discovered that Open vSwitch incorrectly handled BUNDLE action decoding. A remote attacker could possibly use this issue to cause Open vSwitch to crash, resulting in a denial of service. (CVE-2018-17206). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-18
    modified: 2019-01-31
    plugin id: 121506
    published: 2019-01-31
    reporter: Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/121506
    title: Ubuntu 16.04 LTS / 18.04 LTS : openvswitch vulnerabilities (USN-3873-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3873-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(121506);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/20");
    
      script_cve_id("CVE-2018-17204", "CVE-2018-17205", "CVE-2018-17206");
      script_xref(name:"USN", value:"3873-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.04 LTS : openvswitch vulnerabilities (USN-3873-1)");
      script_summary(english:"Checks dpkg output for updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Ubuntu host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that Open vSwitch incorrectly decoded certain
    packets. A remote attacker could possibly use this issue to cause Open
    vSwitch to crash, resulting in a denial of service. (CVE-2018-17204)
    
    It was discovered that Open vSwitch incorrectly handled processing
    certain flows. A remote attacker could possibly use this issue to
    cause Open vSwitch to crash, resulting in a denial of service. This
    issue only affected Ubuntu 18.04 LTS. (CVE-2018-17205)
    
    It was discovered that Open vSwitch incorrectly handled BUNDLE action
    decoding. A remote attacker could possibly use this issue to cause
    Open vSwitch to crash, resulting in a denial of service.
    (CVE-2018-17206).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3873-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected openvswitch-common package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:openvswitch-common");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/01/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/01/31");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"openvswitch-common", pkgver:"2.5.5-0ubuntu0.16.04.2")) flag++;
    if (ubuntu_check(osver:"18.04", pkgname:"openvswitch-common", pkgver:"2.9.2-0ubuntu0.18.04.3")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "openvswitch-common");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-4128-1.NASL
    description: This update for openvswitch to version 2.7.6 fixes the following issues : These security issues were fixed : CVE-2018-17205: Prevent OVS crash when reverting old flows in bundle commit (bsc#1104467). CVE-2018-17206: Avoid buffer overread in BUNDLE action decoding (bsc#1104467). CVE-2018-17204: When decoding a group mod, it validated the group type and command after the whole group mod has been decoded. The OF1.5 decoder, however, tried to use the type and command earlier, when it might still be invalid. This caused an assertion failure (via OVS_NOT_REACHED) (bsc#1104467). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-28
    modified: 2018-12-17
    plugin id: 119720
    published: 2018-12-17
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119720
    title: SUSE SLES12 Security Update : openvswitch (SUSE-SU-2018:4128-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2018-3500.NASL
    description: An update for openvswitch is now available for Fast Datapath for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Open vSwitch provides standard network bridging functions and support for the OpenFlow protocol for remote per-flow control of traffic. Security Fix(es) : * openvswitch: Mishandle of group mods in lib/ofp-util.c:parse_group_prop_ntr_selection_method() allows for assertion failure (CVE-2018-17204) * openvswitch: Error during bundle commit in ofproto/ofproto.c:ofproto_rule_insert__() allows for crash (CVE-2018-17205) * openvswitch: Buffer over-read in lib/ofp-actions.c:decode_bundle() (CVE-2018-17206) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * Previously, when the ovs-vswitchd service restarted, an error displayed with many open files. With this update, the number of sockets opened by ovs-vswitchd is decreased. As a result, the described problem no longer occurs. (BZ#1526306) * Previously, when OpenvSwitch service was reloaded, the default flow was not removed and it became part of the final flow table. With this update, the default flow rule is no longer added after a service reload. As a result, the described problem no longer occurs. (BZ#1626096) Enhancement(s) : * With this update, the pmd-rxq-assign configuration has been added to Poll Mode Drivers (PMDs) cores. This allows users to select a round-robin assignment. (BZ#1616001) * With this update the ovs-appctl connection-status command has been introduced to the ovs-appctl utility. The command enables to monitor hypervisor (HV) south bound database (SBDB) connection status. Layered products can now check if the ovn-controller is properly connected to a central node. (BZ#1593804) * With this update, a support for the Dynamic Host Configuration Protocol (DHCP) option 252 has been added to Open Virtual Network (OVN) Native DHCP. (BZ#1641765)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 118745
    published: 2018-11-06
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/118745
    title: RHEL 7 : openvswitch (RHSA-2018:3500)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2018-1562.NASL
    description: This update for openvswitch to version 2.7.6 fixes the following issues : These security issues were fixed : - CVE-2018-17205: Prevent OVS crash when reverting old flows in bundle commit (bsc#1104467). - CVE-2018-17206: Avoid buffer overread in BUNDLE action decoding (bsc#1104467). - CVE-2018-17204: When decoding a group mod, it validated the group type and command after the whole group mod has been decoded. The OF1.5 decoder, however, tried to use the type and command earlier, when it might still be invalid. This caused an assertion failure (via OVS_NOT_REACHED) (bsc#1104467). These non-security issues were fixed : - ofproto/bond: Fix bond reconfiguration race condition. - ofproto/bond: Fix bond post recirc rule leak. - ofproto/bond: fix internal flow leak of tcp-balance bond - systemd: Restart openvswitch service if a daemon crashes - conntrack: Fix checks for TCP, UDP, and IPv6 header sizes. - ofp-actions: Fix translation of set_field for nw_ecn - netdev-dpdk: Fix mempool segfault. - ofproto-dpif-upcall: Fix flow setup/delete race. - learn: Fix memory leak in learn_parse_sepc() - netdev-dpdk: fix mempool_configure error state - vswitchd: Add --cleanup option to the
    last seen: 2020-06-05
    modified: 2018-12-17
    plugin id: 119716
    published: 2018-12-17
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/119716
    title: openSUSE Security Update : openvswitch (openSUSE-2018-1562)
  • NASL family: PhotonOS Local Security Checks
    NASL id: PHOTONOS_PHSA-2020-1_0-0288_OPENVSWITCH.NASL
    description: An update of the openvswitch package has been released.
    last seen: 2020-04-22
    modified: 2020-04-15
    plugin id: 135491
    published: 2020-04-15
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/135491
    title: Photon OS 1.0: Openvswitch PHSA-2020-1.0-0288

Redhat

advisories
  • rhsa id: RHSA-2018:3500
  • rhsa id: RHSA-2019:0053
  • rhsa id: RHSA-2019:0081
rpms
  • openvswitch-0:2.9.0-70.el7fdp.1
  • openvswitch-debuginfo-0:2.9.0-70.el7fdp.1
  • openvswitch-devel-0:2.9.0-70.el7fdp.1
  • openvswitch-ovn-central-0:2.9.0-70.el7fdp.1
  • openvswitch-ovn-common-0:2.9.0-70.el7fdp.1
  • openvswitch-ovn-host-0:2.9.0-70.el7fdp.1
  • openvswitch-ovn-vtep-0:2.9.0-70.el7fdp.1
  • openvswitch-test-0:2.9.0-70.el7fdp.1
  • python-openvswitch-0:2.9.0-70.el7fdp.1
  • openvswitch-0:2.9.0-83.el7fdp.1
  • openvswitch-debuginfo-0:2.9.0-83.el7fdp.1
  • openvswitch-devel-0:2.9.0-83.el7fdp.1
  • openvswitch-ovn-central-0:2.9.0-83.el7fdp.1
  • openvswitch-ovn-common-0:2.9.0-83.el7fdp.1
  • openvswitch-ovn-host-0:2.9.0-83.el7fdp.1
  • openvswitch-ovn-vtep-0:2.9.0-83.el7fdp.1
  • openvswitch-test-0:2.9.0-83.el7fdp.1
  • python-openvswitch-0:2.9.0-83.el7fdp.1