Multiple versions of OVN (Open Virtual Network) are vulnerable to crafted BFD packets potentially causing denial of service.
OVN supports configuration of gateway chassis and high-availability chassis groups (via the Gateway_Chassis and HA_Chassis_Group tables in the OVN_Northbound database). These group cluster nodes (chassis) together and provide high availability to them. OVN logical switch and router ports can be configured to reference such groups. In this case the traffic forwarding decision is influenced by the liveness of the chassis listed in the group.
In such scenarios OVN automatically enables the OVS Bidirectional Forwarding Detection (BFD) functionality to monitor the health of remote nodes and tunnels between them.
BFD packets are transmitted in-band in the tunnels that connect OVN chassis, alongside other traffic, and by default OVS processes any BFD packet received on a tunnel port with BFD enabled. That makes it possible for a VM or container connected to an OVN logical switch port to send BFD packets that will be tunneled to another node and processed by OVS, potentially changing the BFD state and thus affecting the forwarding decisions.
The vulnerability has been assigned CVE-2024-2182.
The Sovereign Cloud Stack reference implementation (by OSISM) comes with and utilizes OVN. The upcoming Release 6 of the SCS reference implementation will not be vulnerable, as Release 6 will contain OVN version 24.03.1.
A way to determine if BFD will be used is to issue the following commands on the node that runs the OVN central components:
$ docker exec -it ovn_nb_db ovn-nbctl --columns name,gateway_chassis list logical_router_port
If the above command returns more than a single gateway chassis reference for a given port, OVS BFD has been automatically enabled.
$ docker exec -it ovn_nb_db ovn-nbctl --columns name,ha_chassis list ha_chassis_group
The same applies if the above command returns groups that contain more than one chassis.
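The two checks above can be evaluated mechanically. The following script is an added example (not part of this advisory or of OSISM): it parses the `ovn-nbctl list` output format (`column : value` lines, sets shown as `[a, b]`, records separated by a blank line) and prints every record whose chassis column references more than one chassis, i.e. the condition under which OVN enables OVS BFD. The sample outputs embedded below are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or OSISM): parse the output of the two
# `ovn-nbctl ... list` checks and print each record whose chassis column holds
# more than one chassis, i.e. the condition under which OVN enables OVS BFD.

# Constructed sample output, shaped like
# `ovn-nbctl --columns name,gateway_chassis list logical_router_port`.
SAMPLE_LRP='name                : lrp-ext-a
gateway_chassis     : [0a1b2c3d-0000-4000-8000-000000000001, 0a1b2c3d-0000-4000-8000-000000000002]

name                : lrp-int-b
gateway_chassis     : [0a1b2c3d-0000-4000-8000-000000000003]

name                : lrp-int-c
gateway_chassis     : []
'

# Constructed sample output, shaped like
# `ovn-nbctl --columns name,ha_chassis list ha_chassis_group`.
SAMPLE_HA='name                : hagrp-ext
ha_chassis          : [0a1b2c3d-0000-4000-8000-000000000011, 0a1b2c3d-0000-4000-8000-000000000012]

name                : hagrp-single
ha_chassis          : [0a1b2c3d-0000-4000-8000-000000000013]
'

# multi_chassis_records COLUMN  (reads `ovn-nbctl list` output on stdin)
# Prints the `name` of each record whose COLUMN set has two or more members.
multi_chassis_records() {
    awk -v col="$1" 'BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; n = 0
        for (i = 1; i <= NF; i++) {
            line = $i
            if (line ~ /^name[ \t]*:/) {
                sub(/^name[ \t]*:[ \t]*/, "", line); gsub(/"/, "", line)
                name = line
            } else if (line ~ ("^" col "[ \t]*:")) {
                # strip "column : [" and the closing "]", then count the members
                sub(/^[^:]*:[ \t]*\[/, "", line); sub(/\].*$/, "", line)
                n = (line == "") ? 0 : split(line, members, ",")
            }
        }
        if (n > 1) print name
    }'
}

# Stand-alone run on the constructed samples; on a live OVN central node pipe
# the advisory's two docker/ovn-nbctl commands into the function instead.
printf '%s' "$SAMPLE_LRP" | multi_chassis_records gateway_chassis   # lrp-ext-a
printf '%s' "$SAMPLE_HA"  | multi_chassis_records ha_chassis        # hagrp-ext
```

Any name printed means BFD is in use for that port or group and the node should be treated as affected until the fixed OVN images are deployed.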
In any case, operators of OpenStack platforms are advised to deploy fixed versions.
For any version of OVN, the issue can be prevented by adding an ACL (Access Control List) rule that drops BFD packets originating from logical ports.
For example, the following shell script would configure ACLs on all existing OVN logical switches:
# Plain `docker exec` (no -it) inside the command substitution: a pseudo-TTY would
# append carriage returns to each switch name and fail when stdin is not a terminal.
for sw in $(docker exec ovn_nb_db ovn-nbctl --bare --columns name list logical_switch); do
    docker exec ovn_nb_db ovn-nbctl acl-add "$sw" from-lport 32767 'udp && udp.dst == 3784' drop
done
We do not recommend mitigating the vulnerability this way, because the rule also drops legitimate BFD traffic originated by workloads connected to logical switch ports, e.g., BFD sessions established with external entities.
For the currently maintained version SCS R5 (OSISM 6.0.x), OVN has been updated to 23.06.3. Updated images have been built by OSISM and are available to be installed.
To install the fixed OVN images, set ovn_tag: "2023.1" in the configuration repository in environments/kolla/configuration.yml.
Afterwards run osism apply -a upgrade ovn.
This will deploy the latest OVN images for the OSISM 6.0.x series (SCS R5, using OpenStack 2023.1 (Antelope)), pulling OVN 23.06.3. This only replaces the OVN image; no service interruption is to be expected.