David Marchand (RedHat) reported an issue with Open vSwitch (OvS) where the failure to properly execute ‘set’ actions for specifically crafted network packets with IP protocol number 0 could lead to a succesful remote Denial-of-Service (DoS) attack.
The vulnerability is long-standing and affects Open vSwitch going back until at least 1.5.0. (Current is 3.1.1, which has this issue fixed.)
The vulnerability has been assigned CVE-2023-1668; a more detailed description can be found in the Openwall OSS security advisory.
Open vSwitch is used in almost all OpenStack setups – specifically all SCS setups known to us use OvS. This includes both the OVN configurations (the SCS default) as well as those that rely on OvS alone.
It is possible to set flow rules that block IP protocol 0 packets by adding 3 flow rules as highest priority rules to every OvS bridge. Care is needed to ensure this happens automatically on every single bridge, which is a non-trivial endeavor.
There are patches available to fix the issue. These patches are included in the current OvS version 3.1.1. They have also been backported into older versions 3.0.4, 2.17.6, 2.16.7, 2.15.8, 2.14.9, 2.13.11.
Due to ongoing work on improving the network stack, OSISM had released version 5.1.0 on Apr 7, which includes OvS version 3.1.1 that includes the fix. Due to the networking improvements, the SCS project had advised all SCS partners to move from OSISM-4.x (SCS Release 3) or from 5.0.0 (SCS Release 4) to 5.1.0 even without being aware of CVE-2023-1668.
SCS release 3 (OSISM-4.x) is only officially supported until the end of April 2023 – we advise all our partners to move to R4 with OSISM-5.1.0 or later as soon as possible.
OSISM has worked on preparing a version 4.3.0 that includes a patched OvS version for those partners that can not yet move to R4/OSISM-5.x. A release of this is planned for next week. No further updates are planned after this final release of R3/OSISM-4.x., users should move to R4/OSISM-5.x.
The networking improvements for OSISM-5.1.0 were done in close alignement between PlusServer and OSISM – unsurprisingly, all regions of the PlusCloud Open had been upgraded to OSISM-5.1.0 in calendar week 15 already.
The Betacloud runs the rolling tag (latest) images and thus has picked up the fixes the day after they became available.
The WaveStack operators are planning to do the upgrade to R4/OSISM-5.1+ next week. For now, their inbound firewalls protect them from remote attacks with evil proto 0 packets.
The regio tech cloud has deployed OSISM-5.1.0 last week already.
The authors would like to thank David Marchand who reported the vulnerability, the upstream OvS community and Jens Harbott at OSISM for working on addressing the issue.
SCS security contact is firstname.lastname@example.org, as published on https://scs.community/.well-known/security.txt.