Vulnerabilities > CVE-2019-9735 - Improper Handling of Exceptional Conditions vulnerability in multiple products

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
openstack
redhat
debian
CWE-755
nessus

Summary

An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't support that option (for example, VRRP), an authenticated user may block further application of security group rules for instances from any project/tenant on the compute hosts to which it's applied. (Only deployments using the iptables security group driver are affected.)

Vulnerable Configurations

Part Description Count
Application
Openstack
57
Application
Redhat
3
OS
Debian
1

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4409.NASL
    descriptionErik Olof Gunnar Andersson discovered that incorrect validation of port settings in the iptables security group driver of Neutron, the OpenStack virtual network service, could result in denial of service in a multi tenant setup.
    last seen2020-06-01
    modified2020-06-02
    plugin id122957
    published2019-03-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122957
    titleDebian DSA-4409-1 : neutron - security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-4409. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122957);
      script_version("1.2");
      script_cvs_date("Date: 2020/02/04");
    
      script_cve_id("CVE-2019-9735");
      script_xref(name:"DSA", value:"4409");
    
      script_name(english:"Debian DSA-4409-1 : neutron - security update");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Erik Olof Gunnar Andersson discovered that incorrect validation of
    port settings in the iptables security group driver of Neutron, the
    OpenStack virtual network service, could result in denial of service
    in a multi tenant setup."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/source-package/neutron"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/stretch/neutron"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2019/dsa-4409"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the neutron packages.
    
    For the stable distribution (stretch), this problem has been fixed in
    version 2:9.1.1-3+deb9u1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:neutron");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"9.0", prefix:"neutron-common", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-dhcp-agent", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-l3-agent", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-linuxbridge-agent", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-macvtap-agent", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-metadata-agent", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-metering-agent", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-openvswitch-agent", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-plugin-linuxbridge-agent", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-plugin-nec-agent", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-plugin-openvswitch-agent", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-server", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"neutron-sriov-agent", reference:"2:9.1.1-3+deb9u1")) flag++;
    if (deb_check(release:"9.0", prefix:"python-neutron", reference:"2:9.1.1-3+deb9u1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-4036-1.NASL
    descriptionErik Olof Gunnar Andersson discovered that OpenStack Neutron incorrectly handled certain security group rules in the iptables firewall module. An authenticated attacker could possibly use this issue to block further application of security group rules for other instances. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id126256
    published2019-06-26
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126256
    titleUbuntu 16.04 LTS / 18.10 : neutron vulnerability (USN-4036-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-4036-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(126256);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/10");
    
      script_cve_id("CVE-2019-9735");
      script_xref(name:"USN", value:"4036-1");
    
      script_name(english:"Ubuntu 16.04 LTS / 18.10 : neutron vulnerability (USN-4036-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Erik Olof Gunnar Andersson discovered that OpenStack Neutron
    incorrectly handled certain security group rules in the iptables
    firewall module. An authenticated attacker could possibly use this
    issue to block further application of security group rules for other
    instances.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/4036-1/"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected python-neutron and / or python3-neutron packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python-neutron");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python3-neutron");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/06/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/06/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(16\.04|18\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 16.04 / 18.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"16.04", pkgname:"python-neutron", pkgver:"2:8.4.0-0ubuntu7.4")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"python-neutron", pkgver:"2:13.0.2-0ubuntu3.4")) flag++;
    if (ubuntu_check(osver:"18.10", pkgname:"python3-neutron", pkgver:"2:13.0.2-0ubuntu3.4")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python-neutron / python3-neutron");
    }
    

Redhat

advisories
  • rhsa
    idRHSA-2019:0879
  • rhsa
    idRHSA-2019:0916
  • rhsa
    idRHSA-2019:0935
rpms
  • openstack-neutron-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-common-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-linuxbridge-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-macvtap-agent-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-metering-agent-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-ml2-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-openvswitch-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-rpc-server-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-sriov-nic-agent-1:13.0.3-0.20190313155649.00b63be.el7ost
  • python-neutron-1:13.0.3-0.20190313155649.00b63be.el7ost
  • openstack-neutron-1:9.4.1-40.el7ost
  • openstack-neutron-bigswitch-agent-2:9.42.14-1.el7ost
  • openstack-neutron-bigswitch-lldp-2:9.42.14-1.el7ost
  • openstack-neutron-common-1:9.4.1-40.el7ost
  • openstack-neutron-lbaas-1:9.2.2-8.el7ost
  • openstack-neutron-linuxbridge-1:9.4.1-40.el7ost
  • openstack-neutron-macvtap-agent-1:9.4.1-40.el7ost
  • openstack-neutron-metering-agent-1:9.4.1-40.el7ost
  • openstack-neutron-ml2-1:9.4.1-40.el7ost
  • openstack-neutron-openvswitch-1:9.4.1-40.el7ost
  • openstack-neutron-rpc-server-1:9.4.1-40.el7ost
  • openstack-neutron-sriov-nic-agent-1:9.4.1-40.el7ost
  • python-networking-bigswitch-2:9.42.14-1.el7ost
  • python-neutron-1:9.4.1-40.el7ost
  • python-neutron-lbaas-1:9.2.2-8.el7ost
  • python-neutron-lbaas-tests-1:9.2.2-8.el7ost
  • python-neutron-tests-1:9.4.1-40.el7ost
  • openstack-neutron-1:12.0.5-11.el7ost
  • openstack-neutron-common-1:12.0.5-11.el7ost
  • openstack-neutron-linuxbridge-1:12.0.5-11.el7ost
  • openstack-neutron-macvtap-agent-1:12.0.5-11.el7ost
  • openstack-neutron-metering-agent-1:12.0.5-11.el7ost
  • openstack-neutron-ml2-1:12.0.5-11.el7ost
  • openstack-neutron-openvswitch-1:12.0.5-11.el7ost
  • openstack-neutron-rpc-server-1:12.0.5-11.el7ost
  • openstack-neutron-sriov-nic-agent-1:12.0.5-11.el7ost
  • python-neutron-1:12.0.5-11.el7ost