[Bug 914160] Re: [MIR] openvswitch

Jamie Strandboge jamie at ubuntu.com
Tue Aug 7 17:28:17 UTC 2012


Security review:
The package does not have a CVE history. No dbus services, setuid or fscaps usage. No use of sudo and no cron jobs. There is a logrotate configuration. Inspecting the packaging:
 * initscripts/upstart jobs:
/etc/default/openvswitch-controller
/etc/init.d/openvswitch-ipsec
/etc/init.d/openvswitch-switch
 * Initial install of quantum creates no new open ports for openvswitch, but ovsdb-server and ovs-vswitchd are running as root. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648667 requests to run as non-root
 * Installing openvswitch* we get additional root services and ovs-controller listening on TCP port 6633 (as root)
 * The package makes use of encryption (private CA and PKI using openssl)
 * hardening options are used. Since all this is running as root and there is a network listener, could we add PIE and BIND_NOW? Could ovs-controller have an apparmor profile?

Shallow code audit:
 * uses system in lib/netdev-linux.c. While this is generally not a good idea due to shell meta injection, the arguments do not seem to be user controllable
 * execvp: (process_start() and process_run()): arguments only manipulated on invocation from the shell in ovsdb-server.c. For capture_vsctl*, the command line is built up internally in a safe manner that is not user controllable
 * defines its own malloc routines (xmalloc, xrealloc): verifies return value and aborts. Also defines other routines in lib/util.c (eg string routines) and all are defensively coded.
 * there are some uses of strcpy but they seemed safe
 * uses encryption:
  * may bootstrap a CA (stream-ssl.c in do_ca_cert_bootstrap())
  * it disables SSLv2 and SSLv3 and uses TLSv1
  * appropriately uses SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT
  * doesn't seem to check the CN or SAN of the certificate, but openvswitch uses private CA certificates and client certificates and in all cases the CA certificate needs to be set up on the client so this shouldn't be an issue
 * predictable sockets in /tmp: this is ok: bind() errors out if the file exists and openvswitch checks the return code

This is a pretty large code base and I was not able to perform an in
depth audit. However, openvswitch seems to be defensively coded and I
didn't find anything wrong during the review.

** Bug watch added: Debian Bug tracker #648667
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=648667

-- 
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to openvswitch in Ubuntu.
https://bugs.launchpad.net/bugs/914160

Title:
  [MIR] openvswitch

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openvswitch/+bug/914160/+subscriptions
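The review asks whether the root-running network daemons could be built with PIE and BIND_NOW. As an added example (not part of the review, of the Ubuntu packaging, or of the openvswitch project), the Python script below checks an ELF64 binary for exactly those two properties, plus RELRO, by parsing the ELF header, program headers and dynamic section directly, so it needs no external tool. Assumptions: little-endian ELF64 input; PIE is detected with the usual checksec-style heuristic (ET_DYN object that still carries a PT_INTERP); the constructed sample images and the example path in the comments are illustrative only.

```python
"""Static hardening check for ELF64 executables: PIE, BIND_NOW and RELRO.

Added example, not part of the MIR review or of openvswitch. It parses the
ELF header, program headers and dynamic section itself, so no readelf or
checksec is needed. Assumption: little-endian ELF64 input (x86-64, aarch64).
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 2, 3, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'bind_now', 'relro'} booleans for an ELF64 image in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are supported")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    dyn_off = dyn_size = None
    has_interp = relro = False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
        elif p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_GNU_RELRO:
            relro = True

    # BIND_NOW can be expressed three ways; any of them makes ld.so resolve
    # every PLT entry at load time (and, together with RELRO, lets the GOT
    # be made read-only before main() runs).
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW:
                bind_now = True
            elif d_tag == DT_FLAGS and d_val & DF_BIND_NOW:
                bind_now = True
            elif d_tag == DT_FLAGS_1 and d_val & DF_1_NOW:
                bind_now = True

    # A PIE is an ET_DYN object that still has a PT_INTERP; a plain shared
    # library is ET_DYN too but carries no interpreter (checksec heuristic).
    return {"pie": e_type == ET_DYN and has_interp, "bind_now": bind_now, "relro": relro}


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return check_hardening(f.read())


def build_sample_elf(e_type, dyn_entries, relro=False, interp=True) -> bytes:
    """Constructed minimal ELF64 image (headers plus a dynamic section, no code),
    used only to exercise check_hardening() offline; it is not a loadable binary."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in list(dyn_entries) + [(DT_NULL, 0)])
    ptypes = [PT_DYNAMIC] + ([PT_INTERP] if interp else []) + ([PT_GNU_RELRO] if relro else [])
    dyn_off = 64 + 56 * len(ptypes)           # dynamic array follows the program headers
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", pt, 4,
                    dyn_off if pt == PT_DYNAMIC else 0, 0, 0,
                    len(dyn) if pt == PT_DYNAMIC else 0,
                    len(dyn) if pt == PT_DYNAMIC else 0, 8)
        for pt in ptypes)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)           # ELF64, little-endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(ptypes), 64, 0, 0)     # e_machine 62 = x86-64
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    if sys.argv[1:]:                  # e.g. python3 elfcheck.py /path/to/ovs-controller (hypothetical path)
        for target in sys.argv[1:]:
            print(target, check_file(target))
    else:                             # no arguments: run on the constructed samples
        hardened = build_sample_elf(ET_DYN, [(DT_FLAGS, DF_BIND_NOW),
                                             (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)], relro=True)
        weak = build_sample_elf(ET_EXEC, [(DT_FLAGS, 0)])
        print("hardened sample:", check_hardening(hardened))
        print("weak sample:    ", check_hardening(weak))
```

Run it against the installed ovsdb-server, ovs-vswitchd and ovs-controller binaries to see whether the requested flags are already present; a daemon that listens on the network as root and reports pie=False or bind_now=False is the case the review is flagging, since without PIE its text segment is at a fixed address and without BIND_NOW plus RELRO its GOT stays writable for the life of the process.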
