[Bug 1939733] Related fix merged to neutron-lib (master)

OpenStack Infra 1939733 at bugs.launchpad.net
Thu Nov 25 10:40:08 UTC 2021 

Reviewed:  https://review.opendev.org/c/openstack/neutron-lib/+/811708
Committed: https://opendev.org/openstack/neutron-lib/commit/1f4c4031ee8a0dc91149dc6a83c7051db7628f23
Submitter: "Zuul (22348)"
Branch:    master

commit 1f4c4031ee8a0dc91149dc6a83c7051db7628f23
Author: Slawek Kaplonski <skaplons at redhat.com>
Date:   Wed Sep 29 12:34:17 2021 +0200

    Add oneline_string validators
    
    Those new validators are used to validate extra_dhcp_opt's opt_name and
    opt_value fields to not allow multi-line strings to be set there.
    
    Related-Bug: #1939733
    Change-Id: I4dc3a09847205a660dc966d8eabccb4946f9bbc6

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1939733

Title:
  [OSSA-2021-005] Arbitrary dnsmasq reconfiguration via extra_dhcp_opts
  (CVE-2021-40085)

Status in Ubuntu Cloud Archive:
  New
Status in Ubuntu Cloud Archive queens series:
  Fix Committed
Status in Ubuntu Cloud Archive rocky series:
  Fix Committed
Status in Ubuntu Cloud Archive stein series:
  Fix Committed
Status in Ubuntu Cloud Archive train series:
  Fix Committed
Status in Ubuntu Cloud Archive ussuri series:
  Fix Committed
Status in Ubuntu Cloud Archive victoria series:
  Fix Committed
Status in Ubuntu Cloud Archive wallaby series:
  Fix Committed
Status in Ubuntu Cloud Archive xena series:
  New
Status in neutron:
  Fix Released
Status in OpenStack Security Advisory:
  Fix Released
Status in neutron package in Ubuntu:
  New
Status in neutron source package in Bionic:
  New
Status in neutron source package in Focal:
  New
Status in neutron source package in Hirsute:
  New
Status in neutron source package in Impish:
  New

Bug description:
  Application doesnt check the input values for extra_dhcp_opts port
  parameter allowing user to use a newline character. The values from
  extra_dhcp_opts are used in rendering of opts file which is passed to
  dnsmasq as a dhcp-optsfile. Considering this, an attacker can inject
  any options to that file.

  The main direct impact in my opinion is that attacker can push
  arbitrary dhcp options to another instances connected to the same
  network. And due to we are able to modify our own port connected to
  external network, it is possible to push dhcp options to the instances
  of another tennants using the same external network.

  If we go further, there is an known buffer overflow vulnerability in
  dnsmasq
  (https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=7d04e17444793a840f98a0283968b96502b112dc)
  which was not considered as a security issue due to attacker cannot
  control dhcp opts in most cases and therefore this vulnerability is
  still exists in most distributives (e.g Ubuntu 20.04.1). In our case
  dhcp opts is exactly what attacker can modify, so we can trigger
  buffer overflow there. I even managed to write an exploit which lead
  to a remote code execution using this buffer overflow vulnerability.

  Here the payload to crash dnsmasq as a proof of concept:
  ```
  PUT /v2.0/ports/9db67e0f-537c-494a-a655-c8a0c518d57e HTTP/1.1
  Host: openstack
  X-Auth-Token: TOKEN
  Content-Type: application/json
  Content-Length: 170

  {"port":{
  "extra_dhcp_opts":[{"opt_name":"zzz",
  "opt_value":"xxx\n128,aa:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\n120,aa.cc\n128,:"
  }]}}
  ```

  Tested on ocata, train and victoria versions.

  Vulnerability was found by Pavel Toporkov

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1939733/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list