Sovereign Cloud Stack


Sovereign Cloud Stack Security Advisory OvS proto 0 DoS (CVE-2023-1668)

Christian Berendt, Kurt Garloff, Felix Kronlage-Dammers April 21, 2023

The vulnerability

David Marchand (RedHat) reported an issue with Open vSwitch (OvS) where the failure to properly execute ‘set’ actions for specifically crafted network packets with IP protocol number 0 could lead to a successful remote Denial-of-Service (DoS) attack.

The vulnerability is long-standing and affects Open vSwitch going back to at least version 1.5.0. (The current release is 3.1.1, which has this issue fixed.)

The vulnerability has been assigned CVE-2023-1668; a more detailed description can be found in the Openwall OSS security advisory.

Impact on the SCS reference implementation

Open vSwitch is used in almost all OpenStack setups – specifically all SCS setups known to us use OvS. This includes both the OVN configurations (the SCS default) as well as those that rely on OvS alone.

Mitigation

It is possible to set flow rules that block IP protocol 0 packets by adding three flow rules as the highest-priority rules to every OvS bridge. Care is needed to ensure this happens automatically on every single bridge, which is a non-trivial endeavor.
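As an added illustration of the bridge-by-bridge workaround (not code from the SCS advisory or the OvS project): the script below installs top-priority drop rules for IP protocol 0 on every bridge OvS knows about and can verify that they are present. It assumes `ovs-vsctl` and `ovs-ofctl` are on the PATH; the IPv4 and IPv6 matches used here are my assumption, so check the Openwall advisory linked above for the authoritative rule set before relying on it.

```shell
#!/bin/sh
# Added example, not from the SCS advisory or the OvS project.
# Assumption: dropping IPv4 and IPv6 packets whose nw_proto is 0 is the
# intended mitigation; confirm against the upstream Openwall advisory.

PRIO=65535   # OpenFlow maximum priority, so these rules are matched first

# Print the OpenFlow rules that drop protocol-0 packets, one per line.
proto0_rules() {
    printf 'priority=%s,ip,nw_proto=0,actions=drop\n' "$PRIO"
    printf 'priority=%s,ipv6,nw_proto=0,actions=drop\n' "$PRIO"
}

# Install the rules on one bridge. With DRY_RUN=1 only the commands
# are printed, which is handy for review before touching production.
mitigate_bridge() {
    br=$1
    proto0_rules | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "ovs-ofctl add-flow $br $rule"
        else
            ovs-ofctl add-flow "$br" "$rule" || return 1
        fi
    done
}

# Return 0 only if the bridge's flow table contains both drop rules
# (ovs-ofctl dump-flows prints matches as "priority=N,ip,nw_proto=0 actions=drop").
verify_bridge() {
    br=$1
    flows=$(ovs-ofctl dump-flows "$br") || return 1
    for proto in ip ipv6; do
        echo "$flows" | grep -q "priority=$PRIO,$proto,nw_proto=0 actions=drop" || return 1
    done
}

# Apply to every existing bridge. Bridges created later are not covered,
# so hook this into the bridge provisioning path as well.
mitigate_all() {
    ovs-vsctl list-br | while IFS= read -r br; do
        mitigate_bridge "$br" && verify_bridge "$br" || echo "FAILED: $br" >&2
    done
}

if [ "${1:-}" = "apply" ]; then
    mitigate_all
fi
```

Run it with `apply` as the first argument on the hypervisor; without it the script only defines the functions.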

There are patches available to fix the issue. These patches are included in the current OvS version 3.1.1. They have also been backported into older versions 3.0.4, 2.17.6, 2.16.7, 2.15.8, 2.14.9, 2.13.11.

SCS releases

Due to ongoing work on improving the network stack, OSISM had released version 5.1.0 on Apr 7, which includes OvS version 3.1.1 that includes the fix. Due to the networking improvements, the SCS project had advised all SCS partners to move from OSISM-4.x (SCS Release 3) or from 5.0.0 (SCS Release 4) to 5.1.0 even without being aware of CVE-2023-1668.

SCS release 3 (OSISM-4.x) is only officially supported until the end of April 2023 – we advise all our partners to move to R4 with OSISM-5.1.0 or later as soon as possible.

OSISM has worked on preparing a version 4.3.0 that includes a patched OvS version for those partners that cannot yet move to R4/OSISM-5.x. A release of this is planned for next week. No further updates are planned after this final release of R3/OSISM-4.x; users should move to R4/OSISM-5.x.

Patch status of SCS clouds

The networking improvements for OSISM-5.1.0 were done in close alignment between plusserver and OSISM – unsurprisingly, all regions of the pluscloud open had been upgraded to OSISM-5.1.0 in calendar week 15 already.

The Betacloud runs the rolling tag (latest) images and thus has picked up the fixes the day after they became available.

The WaveStack operators are planning to do the upgrade to R4/OSISM-5.1+ next week. For now, their inbound firewalls protect them from remote attacks with evil proto 0 packets.

The regio tech cloud deployed OSISM-5.1.0 last week already.

Thanks

The authors would like to thank David Marchand who reported the vulnerability, the upstream OvS community and Jens Harbott at OSISM for working on addressing the issue.

Sovereign Cloud Stack Security Contact

SCS security contact is security@scs.community, as published on https://scs.community/.well-known/security.txt.

Version history

About the authors

Kurt Garloff
CTO Sovereign Cloud Stack @ Open Source Business Alliance
While working on Physics as a student and researcher in Dortmund, Wuppertal and Eindhoven, Kurt started to work with and on Linux, with first patches to the SCSI layer in the mid 90s. He has spent his post-university life in Open Source, as kernel engineer, leader of SUSE Labs (kernel, compiler, X11, security), and in engineering and business leadership at SUSE. Since 2011 he has been working on Open Source cloud software, at Deutsche Telekom, as a freelancer, at T-Systems (as chief architect for the OTC) and has also been serving on the Open Infra Foundation's board. Since 2019 he has been pushing the Sovereign Cloud Stack idea, which resulted in a publicly funded project that he now technically leads. He still loves to occasionally write code (mostly Python these days) or at least test out code from the colleagues and project. He spends his free time with his family or with running and playing table tennis.
Felix Kronlage-Dammers
Felix has been building (open source) IT infrastructure since the late 90s - during high school he helped build and run an ISP specialized in providing UUCP over ssh. Between then and now Felix has always been active in various open source development communities (from DarwinPorts and OpenDarwin to OpenBSD and nowadays the Sovereign Cloud Stack). His interests range from monitoring and observability over infrastructure-as-code to building and scaling communities and companies. A technician at heart, he enjoys enabling others to do awesome stuff. He is part of the extended board of the OSBA and describes himself as a Unix/open source nerd. If not working, doing OSS for fun and (non-)profit or spending time with his family, he is usually found on a road bike.