Sovereign Cloud Stack

One platform — standardized, built and operated by many.

Sovereign Cloud Stack Security Advisory OVN (CVE-2024-2182)

Felix Kronlage-Dammers March 15, 2024

The vulnerability

Multiple versions of OVN (Open Virtual Network) are vulnerable to crafted BFD packets potentially causing denial of service.

OVN supports configuration of gateway chassis and high-availability chassis groups (via the Gateway_Chassis and HA_Chassis_Group tables in the OVN_Northbound database). These group cluster nodes (chassis) together and provide high availability to them. OVN logical switch and router ports can be configured to reference such groups. In this case the traffic forwarding decision is influenced by the liveness of the chassis listed in the group.

In such scenarios OVN automatically enables the OVS Bidirectional Forwarding Detection (BFD) functionality to monitor the health of remote nodes and tunnels between them.

BFD packets are transmitted in-band in tunnels that connect OVN chassis, along with other traffic. And, by default, OVS will process any BFD packets received on a tunnel port with BFD enabled. That makes it possible for a VM or container connected to an OVN logical switch port to send BFD packets that will be tunneled to another node and processed by OVS, potentially changing the BFD state and affecting the forwarding decisions.

The vulnerability has been assigned CVE-2024-2182.

Impact on the SCS reference implementation

The Sovereign Cloud Stack reference implementation (by OSISM) comes with and utilizes OVN. The upcoming Release 6 of the SCS reference implementation will not be vulnerable to this as Release 6 will contain the OVN version 24.03.1.

A way to determine if BFD will be used is to issue the following commands on the node that runs the OVN central components:

$ docker exec -it ovn_nb_db ovn-nbctl --columns name,gateway_chassis list logical_router_port

If the above command returns more than a single gateway chassis reference for a given port that means OVS BFD has been automatically enabled.

$ docker exec -it ovn_nb_db ovn-nbctl --columns name,ha_chassis list ha_chassis_group

The same applies if the above command returns groups that contain more than one chassis.

In any case, operators of OpenStack platforms are advised to deploy fixed versions.

Mitigation and Fixes

For any version of OVN, in order to prevent the issue, an ACL (Access Control List) rule can be added to drop BFD packets originated from logical ports.

For example, the following shell script would configure ACLs on all existing OVN logical switches:

  for sw in $(docker exec -it ovn_nb_db ovn-nbctl --bare --columns name list logical_switch); do
      docker exec -it ovn_nb_db ovn-nbctl acl-add $sw from-lport 32767 'udp && udp.dst == 3784' drop
  done

We do not recommend attempting to mitigate the vulnerability this way because this will also drop legitimate BFD traffic originated by the workloads connected to logical switch ports, e.g., BFD sessions established with external entities.

For the currently maintained version SCS R5 (OSISM 6.0.x), OVN has been updated to 23.06.3. Updated images have been built by OSISM and are available to be installed.

To install the fixed OVN images, set ovn_tag: "2023.1" in the configuration repository in environments/kolla/configuration.yml. Afterwards run osism apply -a upgrade ovn.

This will deploy the latest OVN images for OSISM 6.0.x series (SCS R5, using OpenStack 2023.1 (Antelope)), pulling OVN 23.06.3. This only replaces the OVN image and no service interruption is to be expected.

Version history

About the author

Felix Kronlage-Dammers
Felix has been building (open source) IT Infrastructure since the late 90s - during high school he helped build and run an ISP specialized in providing UUCP over ssh. Between then and now felix has always been active in various open source development communities (from DarwinPorts, OpenDarwin to OpenBSD and nowadays the Sovereign Cloud Stack). His interests range from monitoring and observability over infrastructure-as-code to building and scaling communities and companies. A technician at heart he enjoys enabling others to do awesome stuff. He is part of the extended board of the OSBA and describes himself as an unix/open source nerd. If not working, doing OSS for fun and (non-)profit or spending time with his family, he is usually found on a road bike.