OSSA-2016-009: Neutron IPTables firewall anti-spoof protection bypass

Date:June 14, 2016
CVE:CVE-2016-5362 (DHCP spoofing), CVE-2016-5363 (MAC source address spoofing), CVE-2015-8914 (ICMPv6 source address spoofing)

Affects

  • Neutron: <=7.0.4, >=8.0.0 <=8.1.0

Description

Romain Aviolat from Nagravision and Dustin Lundquist from Blue Box Group, Inc independently reported vulnerabilities in Neutron anti- spoof protection. By forging DHCP discovery messages or non-IP traffic, such as ARP or ICMPv6, an instance may spoof IP or MAC source addresses on attached networks resulting in denial of services and/or traffic interception. Moreover when L2population isn’t used, other tenants attached to a shared network are also vulnerable. Neutron setups using the IPTables firewall driver are affected.

Credits

  • Romain Aviolat from Nagravision (CVE-2015-8914)
  • Dustin Lundquist from Blue Box Group, Inc (CVE-2016-5362, CVE-2016-5363)