APPLIED(X,D)/cmt: [SRU X/B/D] CVE-2020-1749 - tunnels over IPv6 are unencrypted when using IPsec
Stefan Bader
stefan.bader at canonical.com
Thu May 14 12:57:03 UTC 2020
On 14.05.20 06:31, Khaled Elmously wrote:
> Based on Stefan's comment, I applied this only to X and D. Should I delay for B?
Actually it looks like this is now applied via stable to B.
BugLink: https://bugs.launchpad.net/bugs/1877461
The matrix should pick this up via the SHA1 reference, despite missing the CVE
number.
-Stefan
>
> On 2020-05-05 23:23:38 , Thadeu Lima de Souza Cascardo wrote:
>> BugLink: https://bugs.launchpad.net/bugs/1876982
>>
>> I decided to open a bug, though this is a CVE, in order to document the testing
>> that I did on all 3 series.
>>
>> [Impact]
>> When tunnels are configured over IPv6 using an xfrm policy, it's ignored. That
>> means data will be unencrypted when it shouldn't.
>>
>> [Test case]
>>
>> Launch a VM with the given kernel and monitor its network link on the host with:
>> tcpdump -n -i virbr0 ip6 and port 4789
>>
>> In the guest, set up a tunnel using an IPv6 address:
>> ip link add type vxlan id 5 remote fd00:cafe::2 dstport 4789
>>
>> When setting the link up, observe packets being output on the host side:
>> ip link set vxlan0 up
>>
>> Set the link down, and add an xfrm policy to block output to that given IPv6
>> address:
>> ip link set vxlan0 down
>> ip xfrm policy add dst fd00:cafe::2 dir out action block
>>
>> Check that using ping won't work, failing with "Operation not permitted":
>> ping6 fd00:cafe::2
>> connect: Operation not permitted
>>
>> Set the vxlan link up and watch that no packets appear on tcpdump:
>> ip link set vxlan0 up
>>
>> [Regression potential]
>> Tunnels like VXLAN, GENEVE, etc., will stop sending. The test has shown that it
>> still sends at least when no xfrm policy is configured. Other potential
>> regressions are possible; testing those tunnel paths and failure paths would be
>> desirable, but hard to do.
>>
>> --
>> kernel-team mailing list
>> kernel-team at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
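The test case quoted above, turned into a small PASS/FAIL harness. This is an added example, not part of the bug report or the kernel-team thread; the REMOTE, VXLAN_ID, HOST_IFACE and CAPTURE_SECS defaults are assumptions taken from the steps above, and the guest and host halves are meant to be run on their respective sides.

```shell
#!/bin/sh
# Constructed harness for the xfrm-policy test case above (not from the bug
# report). Run the guest step inside the VM and the host step on the hypervisor.
set -u

REMOTE="${REMOTE:-fd00:cafe::2}"      # assumed: tunnel endpoint from the test case
VXLAN_ID="${VXLAN_ID:-5}"             # assumed: vni from the test case
HOST_IFACE="${HOST_IFACE:-virbr0}"    # assumed: bridge watched on the host
CAPTURE_SECS="${CAPTURE_SECS:-5}"     # assumed: capture window after link-up

# Pure helper: count tcpdump -n lines that are IPv6 traffic on UDP/4789
# (either direction). Reads tcpdump text on stdin, prints the count.
count_vxlan_packets() {
    grep -c -E 'IP6 .*\.4789[ :]' || true
}

# Pure helper: with a block policy active, any captured packet means the
# policy was bypassed, which is exactly the symptom the CVE describes.
verdict() {  # $1 = packet count observed while the policy was active
    if [ "$1" -eq 0 ]; then echo PASS; else echo FAIL; fi
}

# Guest side: create the tunnel, install the block policy, confirm ping is
# refused, then bring the link up so the host can look for leaked packets.
guest_setup_and_block() {
    ip link add type vxlan id "$VXLAN_ID" remote "$REMOTE" dstport 4789
    ip link set vxlan0 down
    ip xfrm policy add dst "$REMOTE" dir out action block
    if ping6 -c 1 -W 1 "$REMOTE" >/dev/null 2>&1; then
        echo "ping to $REMOTE succeeded despite the block policy" >&2
        return 1
    fi
    ip link set vxlan0 up
}

# Host side: capture for a fixed window on the bridge, then print the verdict.
host_capture_and_check() {
    n=$(timeout "$CAPTURE_SECS" tcpdump -n -l -i "$HOST_IFACE" \
            ip6 and port 4789 2>/dev/null | count_vxlan_packets)
    echo "captured $n VXLAN packet(s) with block policy active: $(verdict "$n")"
}

case "${1:-}" in
    guest) guest_setup_and_block ;;
    host)  host_capture_and_check ;;
esac
```

Run `./check.sh guest` in the VM right after the policy is added, then `./check.sh host` on the hypervisor; a fixed kernel reports PASS, the vulnerable one reports FAIL with a non-zero packet count.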