RHEL 9 : ovn24.09 (RHSA-2025:1097)

🗓️ 07 Feb 2025 00:00:00Reported by TenableType

RHEL 9 has a vulnerability in OVN impacting virtual network security, allowing ACL bypass via UDP.

Reporter	Title	Published	Views	Family All 111
AstraLinux	Astra Linux - уязвимость в ovn	20 May 202605:53	–	astralinux
BDU FSTEC	The vulnerability of the abstraction support system in the OVN virtual network, related to improper access control, allows a intruder to gain unauthorized access to virtual machines and containers that operate on the OVN network.	27 Mar 202500:00	–	bdu_fstec
Circl	CVE-2025-0650	23 Jan 202517:15	–	circl
CNNVD	Open Virtual Network 访问控制错误漏洞	23 Jan 202500:00	–	cnnvd
CVE	CVE-2025-0650	23 Jan 202516:34	–	cve
Cvelist	CVE-2025-0650 Ovn: egress acls may be bypassed via specially crafted udp packet	23 Jan 202516:34	–	cvelist
Debian CVE	CVE-2025-0650	23 Jan 202516:34	–	debiancve
EUVD	EUVD-2025-1804	3 Oct 202520:07	–	euvd
NVD	CVE-2025-0650	23 Jan 202517:15	–	nvd
OpenVAS	Ubuntu: Security Advisory (USN-7396-1)	1 Apr 202500:00	–	openvas

Source	Link
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
nessus	www.nessus.org/u
access	www.access.redhat.com/errata/RHSA-2025:1097
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2025:1097. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(215080);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/05");

  script_cve_id("CVE-2025-0650");
  script_xref(name:"RHSA", value:"2025:1097");

  script_name(english:"RHEL 9 : ovn24.09 (RHSA-2025:1097)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing a security update for ovn24.09.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in
the RHSA-2025:1097 advisory.

    OVN, the Open Virtual Network, is a system to support virtual network abstraction.  OVN complements the
    existing capabilities of OVS to add native support for virtual network abstractions, such as virtual L2
    and L3 overlays and security groups.

    Security Fix(es):

    * ovn: egress ACLs may be bypassed via specially crafted UDP packet (CVE-2025-0650)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and
    other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#important");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2339537");
  # https://security.access.redhat.com/data/csaf/v2/advisories/2025/rhsa-2025_1097.json
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0088ef73");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2025:1097");
  script_set_attribute(attribute:"solution", value:
"Update the RHEL ovn24.09 package based on the guidance in RHSA-2025:1097.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-0650");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(284);
  script_set_attribute(attribute:"vendor_severity", value:"Important");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/01/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/02/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/02/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ovn24.09");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ovn24.09-central");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ovn24.09-host");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ovn24.09-vtep");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');
include('rhel.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'Red Hat' >!< os_product) audit(AUDIT_OS_NOT, 'Red Hat');
var os_release = get_kb_item('installed_os/local/SSH/0/release');
if (isnull(os_release)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
if (!rhel_check_release(operator: 'ge', os_version: os_release, rhel_version: '9')) audit(AUDIT_OS_NOT, 'Red Hat 9.x', 'Red Hat ' + os_release);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'release': '9',
    'repo_relative_urls': [
      'content/dist/layered/rhel9/aarch64/fast-datapath/debug',
      'content/dist/layered/rhel9/aarch64/fast-datapath/os',
      'content/dist/layered/rhel9/aarch64/fast-datapath/source/SRPMS',
      'content/dist/layered/rhel9/ppc64le/fast-datapath/debug',
      'content/dist/layered/rhel9/ppc64le/fast-datapath/os',
      'content/dist/layered/rhel9/ppc64le/fast-datapath/source/SRPMS',
      'content/dist/layered/rhel9/s390x/fast-datapath/debug',
      'content/dist/layered/rhel9/s390x/fast-datapath/os',
      'content/dist/layered/rhel9/s390x/fast-datapath/source/SRPMS',
      'content/dist/layered/rhel9/x86_64/fast-datapath/debug',
      'content/dist/layered/rhel9/x86_64/fast-datapath/os',
      'content/dist/layered/rhel9/x86_64/fast-datapath/source/SRPMS'
    ],
    'pkgs': [
      {'reference':'ovn24.09-24.09.1-66.el9fdp', 'el_string':'el9fdp', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openvswitch'},
      {'reference':'ovn24.09-central-24.09.1-66.el9fdp', 'el_string':'el9fdp', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openvswitch'},
      {'reference':'ovn24.09-host-24.09.1-66.el9fdp', 'el_string':'el9fdp', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openvswitch'},
      {'reference':'ovn24.09-vtep-24.09.1-66.el9fdp', 'el_string':'el9fdp', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'openvswitch'}
    ]
  }
];

var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);

var flag = 0;
var repo_relative_urls;

foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }

  if (!empty_or_null(constraint['repo_relative_urls'])) repo_relative_urls = constraint['repo_relative_urls'];

  foreach var pkg ( constraint['pkgs'] ) {
    var reference = NULL;
    var sp = NULL;
    var _cpu = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var epoch = NULL;
    var allowmaj = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
        (applicable_repo_urls || (!exists_check || rpm_exists(rpm:exists_check))) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
  else extra = rpm_report_get();
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : extra
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ovn24.09 / ovn24.09-central / ovn24.09-host / ovn24.09-vtep');
}

05 Jun 2025 00:00Current

7.6High risk

Vulners AI Score7.6

CVSS 3.18.1

EPSS0.00804

SSVC