
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN067
_____________________________________________________________________

DATE                : 03/02/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Open vSwitch versions prior to
                      2.14.1, 2.13.2, 2.12.2, 2.11.5, 2.10.6, 2.9.8,
                      2.8.10, 2.7.12, 2.6.9, 2.5.11.

=====================================================================
https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000270.html
https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000269.html
https://mail.openvswitch.org/pipermail/ovs-announce/2021-January/000268.html
_____________________________________________________________________

The Open vSwitch team is pleased to announce a number of bug fix releases:

  Latest release:
      https://www.openvswitch.org/releases/openvswitch-2.14.1.tar.gz

  Current LTS series:
      https://www.openvswitch.org/releases/openvswitch-2.13.2.tar.gz

  Previous LTS series (EOL: Feb 2021):
      https://www.openvswitch.org/releases/openvswitch-2.5.11.tar.gz

  Other:
      https://www.openvswitch.org/releases/openvswitch-2.12.2.tar.gz
      https://www.openvswitch.org/releases/openvswitch-2.11.5.tar.gz
      https://www.openvswitch.org/releases/openvswitch-2.10.6.tar.gz
      https://www.openvswitch.org/releases/openvswitch-2.9.8.tar.gz
      https://www.openvswitch.org/releases/openvswitch-2.8.10.tar.gz
      https://www.openvswitch.org/releases/openvswitch-2.7.12.tar.gz
      https://www.openvswitch.org/releases/openvswitch-2.6.9.tar.gz

Among other bug fixes and improvements, these releases also include
fixes for LLDP security issues: CVE-2020-27827 and CVE-2015-8011.

--The Open vSwitch Team

Open vSwitch is a production quality, multilayer open source virtual
switch. It is designed to enable massive network automation through
programmatic extension, while still supporting standard management
interfaces. Open vSwitch can operate both as a soft switch running
within the hypervisor, and as the control stack for switching silicon.
It has been ported to multiple virtualization platforms
and switching chipsets.

_____________________________________________________________________

[ovs-announce] [ADVISORY] CVE-2020-27827: lldp: Externally triggered
memory leak.

Description
===========

Multiple versions of Open vSwitch are vulnerable to denial of service
attacks in which crafted LLDP packets could cause memory to be lost
when allocating data to handle specific optional TLVs.  Triggering the
vulnerability requires LLDP processing to be enabled for a specific
port.  Open vSwitch versions before 2.5.x are not vulnerable.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
previously assigned the identifier CVE-2020-27827 to this issue for
the `lldpd` project, and the Open vSwitch project.


Mitigation
==========

For any version of Open vSwitch, preventing LLDP packets from
reaching Open vSwitch mitigates the vulnerability.  We do not recommend
attempting to mitigate the vulnerability this way because of the
following difficulties:

    - Open vSwitch obtains packets before the iptables host firewall,
      so ebtables on the Open vSwitch host cannot ordinarily block the
      vulnerability.

    - If Open vSwitch is configured to receive and transmit LLDP
      messages, the required functionality will need to be disabled,
      potentially disrupting the network.

We have found that Open vSwitch is subject to a denial of service
exploit when LLDP processing is enabled on an interface.  By default,
interfaces are not configured to process LLDP messages.


Recommendation
==============

We recommend that users of Open vSwitch apply the included patch, or
upgrade to a known patched version of Open vSwitch.  These include:

* 2.14.1
* 2.13.2
* 2.12.2
* 2.11.5
* 2.10.6
* 2.9.8
* 2.8.10
* 2.7.12
* 2.6.9


Acknowledgments
===============

The Open vSwitch team wishes to thank the reporter:

  Jonas Rudloff <jonas.t.rudloff at gmail.com>

Fix:

The patch to resolve this issue is attached.

Reported-by: Jonas Rudloff <jonas.t.rudloff at gmail.com>
Signed-off-by: Aaron Conole <aconole at redhat.com>
---
diff --git a/lib/lldp/lldp.c b/lib/lldp/lldp.c
index e5755307fb..18afbab9a7 100644
--- a/lib/lldp/lldp.c
+++ b/lib/lldp/lldp.c
@@ -513,10 +513,13 @@ lldp_decode(struct lldpd *cfg OVS_UNUSED, char
*frame, int s,
             b = xzalloc(tlv_size + 1);
             PEEK_BYTES(b, tlv_size);
             if (tlv_type == LLDP_TLV_PORT_DESCR) {
+                free(port->p_descr);
                 port->p_descr = b;
             } else if (tlv_type == LLDP_TLV_SYSTEM_NAME) {
+                free(chassis->c_name);
                 chassis->c_name = b;
             } else {
+                free(chassis->c_descr);
                 chassis->c_descr = b;
             }
             break;
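Review bot: the three added `free()` calls assume `port->p_descr`, `chassis->c_name` and `chassis->c_descr` are either NULL or heap pointers owned by this decoder, which is what makes the first `free()` on a still-unset field a safe no-op; that precondition is not visible in the hunk, so a one-line comment above `free(port->p_descr);` stating that a repeated Port Description, System Name or System Description TLV replaces the earlier value (last one wins, earlier copy released) would document both the ownership rule and the intended duplicate-TLV behaviour.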
---
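
As an added illustration (not Open vSwitch code and not part of either advisory), the following C program reproduces the overwrite-without-free pattern that the CVE-2020-27827 description refers to, on a constructed frame carrying two Port Description TLVs; the field names `p_descr`, `c_name` and `c_descr` mirror the patched decoder, while the TLV byte layout and the allocation counter are assumptions made for the demo.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* LLDP TLV types used by the demo (IEEE 802.1AB values, assumed here). */
enum { TLV_END = 0, TLV_PORT_DESCR = 4, TLV_SYSTEM_NAME = 5, TLV_SYSTEM_DESCR = 6 };
struct chassis { char *c_name; char *c_descr; };
struct port    { char *p_descr; };
static int live_allocs;                 /* heap buffers not yet freed (demo counter) */

static char *copy_tlv(const uint8_t *p, size_t n) {   /* NUL-terminated copy */
    char *b = calloc(n + 1, 1);
    if (!b) abort();
    memcpy(b, p, n); live_allocs++;
    return b;
}
static void release(char **s) { if (*s) { free(*s); *s = NULL; live_allocs--; } }

/* Decode one frame.  fixed == 0 reproduces the pre-patch behaviour: a repeated
 * TLV overwrites the pointer to the earlier copy without freeing it. */
int decode(const uint8_t *f, size_t len, struct chassis *ch, struct port *po, int fixed) {
    size_t off = 0;
    while (off + 2 <= len) {
        unsigned hdr = (unsigned)f[off] << 8 | f[off + 1];   /* 7-bit type, 9-bit length */
        int type = hdr >> 9; size_t size = hdr & 0x1ff; off += 2;
        if (type == TLV_END) return 0;
        if (off + size > len) return -1;                    /* truncated TLV: reject frame */
        if (type == TLV_PORT_DESCR || type == TLV_SYSTEM_NAME || type == TLV_SYSTEM_DESCR) {
            char **slot = type == TLV_PORT_DESCR  ? &po->p_descr
                        : type == TLV_SYSTEM_NAME ? &ch->c_name : &ch->c_descr;
            if (fixed) release(slot);                       /* the CVE-2020-27827 fix */
            *slot = copy_tlv(f + off, size);
        }
        off += size;
    }
    return -1;                                              /* no End TLV seen */
}

/* Constructed frame: Port Description "abc", Port Description "xy", End TLV.
 * Returns how many buffers are still unfreed once every field is released. */
int leaked_buffers(int fixed) {
    static const uint8_t frame[] = {0x08,0x03,'a','b','c', 0x08,0x02,'x','y', 0x00,0x00};
    struct chassis ch = {0}; struct port po = {0};
    live_allocs = 0;
    if (decode(frame, sizeof frame, &ch, &po, fixed) != 0) return -1;
    release(&po.p_descr); release(&ch.c_name); release(&ch.c_descr);
    return live_allocs;                                     /* 1 unfixed, 0 fixed */
}
```

Each such frame leaks one buffer per repeated TLV in the unfixed path, which is why the advisory classes it as a denial of service rather than a crash.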

_____________________________________________________________________

[ovs-announce] [ADVISORY] CVE-2015-8011: lldpd buffer overflow when
decoding malformed packets


Description
===========

Multiple versions of Open vSwitch are vulnerable to remote buffer
overflow attacks in which crafted LLDP packets could overflow the
buffer reserved for management address information in an internal
OVS data structure.  Triggering the vulnerability requires LLDP
processing to be enabled for a specific port.  Open vSwitch
versions before 2.5.x are not vulnerable.

The Common Vulnerabilities and Exposures project (cve.mitre.org)
previously assigned the identifier CVE-2015-8011 to this issue for
the `lldpd` project, and is appropriate here since Open vSwitch uses
the same `lldpd` code.


Mitigation
==========

For any version of Open vSwitch, preventing LLDP packets from
reaching Open vSwitch mitigates the vulnerability.  We do not recommend
attempting to mitigate the vulnerability this way because of the
following difficulties:

    - Open vSwitch obtains packets before the iptables host firewall,
      so ebtables on the Open vSwitch host cannot ordinarily block the
      vulnerability.

    - If Open vSwitch is configured to receive and transmit LLDP
      messages, the required functionality will need to be disabled,
      potentially disrupting the network.

We have found that Open vSwitch is subject to a remote code execution
exploit when LLDP processing is enabled on an interface.  By default,
interfaces are not configured to process LLDP messages.


Fix
===

Patches to fix these vulnerabilities in Open vSwitch 2.5.x and newer are
applied to the various appropriate branches, and the original patch is
located at:

   https://mail.openvswitch.org/pipermail/ovs-dev/2020-November/377394.html


Recommendation
==============

We recommend that users of Open vSwitch apply the respective patch, or
upgrade to a known patched version of Open vSwitch.  These include:

* 2.14.1
* 2.13.2
* 2.12.2
* 2.11.5
* 2.10.6
* 2.9.8
* 2.8.10
* 2.7.12
* 2.6.9


Acknowledgments
===============

The Open vSwitch team wishes to thank the reporter:

  Jonas Rudloff <jonas.t.rudloff at gmail.com>

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



