Bug 984443 (CVE-2016-5363) - VUL-0: CVE-2016-5363: openstack-neutron: Neutron IPTables firewall anti-spoof protection bypass
Status: RESOLVED FIXED
Alias: CVE-2016-5363
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Cloud Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/169989/
Whiteboard: CVSSv2:SUSE:CVE-2016-5363:5.8:(AV:N/A...
Reported: 2016-06-13 12:23 UTC by Marcus Meissner
Modified: 2017-08-04 08:56 UTC
Found By: Security Response Team
Description Marcus Meissner 2016-06-13 12:23:36 UTC
CVE-2016-5363

    Title: Neutron IPTables firewall anti-spoof protection bypass


    independently reported vulnerabilities in Neutron
    anti-spoof protection. By forging DHCP discovery messages or non-IP
    traffic, such as ARP or ICMPv6, an instance may spoof IP or MAC source
    addresses on attached networks resulting in denial of service and/or
    traffic interception. Moreover when L2population isn't used, other
    tenants attached to a shared network are also vulnerable. Neutron
    setups using the IPTables firewall driver are affected.


    The dhcp fix has been included in the 8.0.0 release and this
    request probably needs more than one CVE.


        https://bugs.launchpad.net/neutron/+bug/1502933/comments/21


        Just to be clear, the ICMPv6 source address spoof isn't addressed by
        bug 1558658 patch (I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78).


        Since both issues abuse the same fundamental flaw, it seems like a
        good opportunity to bundle both fixes in a single advisory.


        However, because we need different patches, this will likely require 2
        different CVE numbers...

    https://bugs.launchpad.net/bugs/1558658 (MAC source address spoofing)


Use CVE-2016-5363.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5363
http://seclists.org/oss-sec/2016/q2/520
Comment 1 Swamp Workflow Management 2016-06-13 22:03:45 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-06-14 14:40:25 UTC
=====================================================================
OSSA-2016-009: Neutron IPTables firewall anti-spoof protection bypass
=====================================================================

:Date: June 14, 2016
:CVE: CVE-2016-5362 (DHCP spoofing),
      CVE-2016-5363 (MAC source address spoofing),
      CVE-2015-8914 (ICMPv6 source address spoofing)


Affects
~~~~~~~
- Neutron: <=7.0.4, >=8.0.0 <=8.1.0


Description
~~~~~~~~~~~
Romain Aviolat from Nagravision and Dustin Lundquist from Blue Box
Group, Inc independently reported vulnerabilities in Neutron anti-
spoof protection. By forging DHCP discovery messages or non-IP
traffic, such as ARP or ICMPv6, an instance may spoof IP or MAC source
addresses on attached networks resulting in denial of service and/or
traffic interception. Moreover when L2population isn't used, other
tenants attached to a shared network are also vulnerable. Neutron
setups using the IPTables firewall driver are affected.


Patches
~~~~~~~
- https://review.openstack.org/299025 (MAC)    (Liberty)
- https://review.openstack.org/303572 (DHCP)   (Liberty)
- https://review.openstack.org/310652 (ICMPv6) (Liberty)
- https://review.openstack.org/299023 (MAC)    (Mitaka)
- https://review.openstack.org/303563 (DHCP)   (Mitaka)
- https://review.openstack.org/310648 (ICMPv6) (Mitaka)
- https://review.openstack.org/299021 (MAC)    (Newton)
- https://review.openstack.org/300202 (DHCP)   (Newton)
- https://review.openstack.org/300233 (ICMPv6) (Newton)


Credits
~~~~~~~
- Romain Aviolat from Nagravision           (CVE-2015-8914)
- Dustin Lundquist from Blue Box Group, Inc (CVE-2016-5362,
                                             CVE-2016-5363)


References
~~~~~~~~~~
- https://bugs.launchpad.net/bugs/1502933 (ICMPv6)
- https://bugs.launchpad.net/bugs/1558658 (MAC, DHCP)
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5362
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5363
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8914

--
Tristan Cacqueray
OpenStack Vulnerability Management Team
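
As an added illustration (not part of the advisory and not Neutron's code), the Python sketch below checks the property that anti-spoof protection is meant to hold: a frame sent by an instance port carries only that port's assigned MAC and IP addresses, in the Ethernet header, in ARP, and in the IPv4/IPv6 header. The port addresses, function names and sample frames are constructed for this example.

```python
import ipaddress
import struct

ETH_ARP, ETH_IPV4, ETH_IPV6 = 0x0806, 0x0800, 0x86DD

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def spoof_violations(frame, port_mac, port_ips):
    """List the ways a frame sent by an instance port disagrees with the
    MAC and IP addresses assigned to that port (empty list: consistent)."""
    if len(frame) < 14:
        return ["truncated Ethernet header"]
    port_mac = port_mac.lower()
    allowed = {ipaddress.ip_address(ip) for ip in port_ips}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload, problems = frame[14:], []
    if mac_str(frame[6:12]) != port_mac:
        problems.append("Ethernet source MAC is not the port MAC")
    if ethertype == ETH_ARP and len(payload) >= 28:
        # ARP carries its own sender MAC/IP, separate from the Ethernet header.
        if mac_str(payload[8:14]) != port_mac:
            problems.append("ARP sender MAC is not the port MAC")
        if ipaddress.ip_address(payload[14:18]) not in allowed:
            problems.append("ARP sender IP is not assigned to the port")
    elif ethertype == ETH_IPV4 and len(payload) >= 20:
        src, ihl = ipaddress.ip_address(payload[12:16]), (payload[0] & 0x0F) * 4
        # Assumption: 0.0.0.0 is acceptable only on DHCP client traffic
        # (UDP 68 -> 67); the Ethernet source check above still applies to it.
        dhcp = payload[9] == 17 and payload[ihl:ihl + 4] == b"\x00\x44\x00\x43"
        if src not in allowed and not (src.is_unspecified and dhcp):
            problems.append("IPv4 source is not assigned to the port")
    elif ethertype == ETH_IPV6 and len(payload) >= 40:
        # Covers ICMPv6; this sketch does not special-case "::" (DAD probes).
        if ipaddress.ip_address(payload[8:24]) not in allowed:
            problems.append("IPv6 source is not assigned to the port")
    return problems

# Constructed sample frames for a hypothetical port fa:16:3e:00:00:01 / 10.0.0.5.
PORT_MAC, PORT_IPS = "fa:16:3e:00:00:01", {"10.0.0.5"}

def arp_frame(eth_src, sha, spa):
    return bytes.fromhex("ffffffffffff" + eth_src + "0806" + "0001080006040001"
                         + sha + spa + "000000000000" + "0a000001")

def dhcp_discover_frame(eth_src):
    return bytes.fromhex("ffffffffffff" + eth_src + "0800" + "45000148000000004011"
                         + "0000" + "00000000" + "ffffffff" + "0044004301340000")
```

Each check looks at a different layer because the Ethernet source, the ARP sender fields and the IP source are independent fields; a filter that validates only one of them leaves the others unverified.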
Comment 3 Swamp Workflow Management 2016-08-23 19:15:32 UTC
SUSE-SU-2016:2143-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (low)
Bug References: 970258,982426,983807,984442,984443,988729
CVE References: CVE-2016-2140,CVE-2016-4428,CVE-2016-5362,CVE-2016-5363
Sources used:
SUSE OpenStack Cloud 6 (src):    openstack-ceilometer-5.0.4~a0~dev6-6.1, openstack-ceilometer-doc-5.0.4~a0~dev6-6.2, openstack-cinder-7.0.3~a0~dev2-7.1, openstack-cinder-doc-7.0.3~a0~dev2-7.1, openstack-dashboard-8.0.2~a0~dev34-8.1, openstack-glance-11.0.2~a0~dev13-7.1, openstack-glance-doc-11.0.2~a0~dev13-7.1, openstack-heat-5.0.2~a0~dev93-9.1, openstack-heat-doc-5.0.2~a0~dev93-9.3, openstack-keystone-8.1.1~a0~dev13-3.1, openstack-keystone-doc-8.1.1~a0~dev13-3.2, openstack-manila-1.0.2~a0~dev11-9.1, openstack-manila-doc-1.0.2~a0~dev11-9.2, openstack-neutron-7.1.2~a0~dev29-10.1, openstack-neutron-doc-7.1.2~a0~dev29-10.1, openstack-neutron-fwaas-7.1.2~a0~dev1-6.1, openstack-neutron-fwaas-doc-7.1.2~a0~dev1-6.1, openstack-neutron-lbaas-7.1.2~a0~dev1-6.1, openstack-neutron-lbaas-doc-7.1.2~a0~dev1-6.1, openstack-nova-12.0.5~a0~dev2-7.1, openstack-nova-doc-12.0.5~a0~dev2-7.1, openstack-resource-agents-1.0+git.1467079370.4f2c49d-7.1, python-networking-cisco-2.1.1-6.1, python-openstackclient-1.7.2-4.1
Comment 4 Johannes Segitz 2017-08-04 08:56:05 UTC
fixed