[Bug 1939733] Re: [OSSA-2021-005] Arbitrary dnsmasq reconfiguration via extra_dhcp_opts (CVE-2021-40085)
OpenStack Infra
1939733 at bugs.launchpad.net
Thu Sep 2 12:16:58 UTC 2021
Reviewed: https://review.opendev.org/c/openstack/neutron/+/806746
Committed: https://opendev.org/openstack/neutron/commit/df891f0593d234e01f27d7c0376d9702e178ecfb
Submitter: "Zuul (22348)"
Branch: master
commit df891f0593d234e01f27d7c0376d9702e178ecfb
Author: Slawek Kaplonski <skaplons at redhat.com>
Date: Tue Aug 31 15:43:11 2021 +0200
Remove dhcp_extra_opt value after first newline character
Passing newline to the dnsmasq may cause security issues, especially
that in case of Neutron that dhcp options' values are controlled by
cloud users.
This patch removes everything what is after first newline character
in the dhcp_extra_opt's values before passing them to dnsmasq.
Closes-Bug: #1939733
Change-Id: Ifeaf258f0b5ea86f25620ac4116d618980a7272e
** Changed in: neutron
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1939733
Title:
[OSSA-2021-005] Arbitrary dnsmasq reconfiguration via extra_dhcp_opts
(CVE-2021-40085)
Status in Ubuntu Cloud Archive:
New
Status in Ubuntu Cloud Archive queens series:
New
Status in Ubuntu Cloud Archive rocky series:
New
Status in Ubuntu Cloud Archive stein series:
New
Status in Ubuntu Cloud Archive train series:
New
Status in Ubuntu Cloud Archive ussuri series:
New
Status in Ubuntu Cloud Archive victoria series:
New
Status in Ubuntu Cloud Archive wallaby series:
New
Status in Ubuntu Cloud Archive xena series:
New
Status in neutron:
Fix Released
Status in OpenStack Security Advisory:
Fix Released
Status in neutron package in Ubuntu:
New
Status in neutron source package in Bionic:
New
Status in neutron source package in Focal:
New
Status in neutron source package in Hirsute:
New
Status in neutron source package in Impish:
New
Bug description:
Application doesnt check the input values for extra_dhcp_opts port
parameter allowing user to use a newline character. The values from
extra_dhcp_opts are used in rendering of opts file which is passed to
dnsmasq as a dhcp-optsfile. Considering this, an attacker can inject
any options to that file.
The main direct impact in my opinion is that attacker can push
arbitrary dhcp options to another instances connected to the same
network. And due to we are able to modify our own port connected to
external network, it is possible to push dhcp options to the instances
of another tennants using the same external network.
If we go further, there is an known buffer overflow vulnerability in
dnsmasq
(https://thekelleys.org.uk/gitweb/?p=dnsmasq.git;a=commitdiff;h=7d04e17444793a840f98a0283968b96502b112dc)
which was not considered as a security issue due to attacker cannot
control dhcp opts in most cases and therefore this vulnerability is
still exists in most distributives (e.g Ubuntu 20.04.1). In our case
dhcp opts is exactly what attacker can modify, so we can trigger
buffer overflow there. I even managed to write an exploit which lead
to a remote code execution using this buffer overflow vulnerability.
Here the payload to crash dnsmasq as a proof of concept:
```
PUT /v2.0/ports/9db67e0f-537c-494a-a655-c8a0c518d57e HTTP/1.1
Host: openstack
X-Auth-Token: TOKEN
Content-Type: application/json
Content-Length: 170
{"port":{
"extra_dhcp_opts":[{"opt_name":"zzz",
"opt_value":"xxx\n128,aa:bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb\n120,aa.cc\n128,:"
}]}}
```
Tested on ocata, train and victoria versions.
Vulnerability was found by Pavel Toporkov
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1939733/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list