OSSA-2021-004: Linuxbridge ARP filter bypass on Netfilter platforms

Date:

August 17, 2021

CVE:

CVE-2021-38598

Affects

• Neutron: <16.4.1, >=17.0.0 <17.1.3, ==18.0.0

Description

Jake Yip with ARDC and Justin Mammarella with the University of Melbourne reported a vulnerability in Neutron’s linuxbridge driver on newer Netfilter-based platforms (the successor to IPTables). By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the hardware addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the linuxbridge driver with ebtables-nft are affected.

Patches

• https://review.opendev.org/804058 (Train)

• https://review.opendev.org/804057 (Ussuri)

• https://review.opendev.org/804056 (Victoria)

• https://review.opendev.org/785917 (Wallaby)

• https://review.opendev.org/785177 (Xena)

Credits

• Jake Yip from ARDC (CVE-2021-38598)

• Justin Mammarella from University of Melbourne (CVE-2021-38598)

References

• https://launchpad.net/bugs/1938670

• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38598

Notes

• The stable/train branch is under extended maintenance and will receive no new point releases, but a patch for it is provided as a courtesy.