Lucene search
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT_UNPATCHED-OPENVSWITCH-RHEL7.NASLHistoryMay 11, 2024 - 12:00 a.m.
RHEL 7 : openvswitch (Unpatched Vulnerability)
2024-05-1100:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
4
rhel 7
openvswitch
unpatched vulnerability
dos
memory leak
packet processing
cve-2020-35498
cve-2022-4338
cve-2019-25076
cve-2021-36980
cve-2021-3905
cve-2022-4337
cve-2023-1668
cve-2023-5366
The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.
-
openvswitch: limitation in the OVS packet parsing in userspace leads to DoS (CVE-2020-35498)
-
openvswitch: Integer Underflow in Organization Specific TLV (CVE-2022-4338)
-
The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.17.2 and 3.0.0 allows remote attackers to cause a denial of service (delays of legitimate traffic) via crafted packet data that requires excessive evaluation time within the packet classification algorithm for the MegaFlow cache, aka a Tuple Space Explosion (TSE) attack. (CVE-2019-25076)
-
Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP (called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action. (CVE-2021-36980)
-
A memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing. An attacker could use this flaw to potentially exhaust available memory by keeping sending packet fragments.
(CVE-2021-3905) -
An out-of-bounds read in Organization Specific TLV was found in various versions of OpenvSwitch.
(CVE-2022-4337) -
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow. (CVE-2023-1668)
-
A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary IP addresses. (CVE-2023-5366)
Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory openvswitch. The text
# itself is copyright (C) Red Hat, Inc.
##
include('compat.inc');
if (description)
{
script_id(195808);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/11");
script_cve_id(
"CVE-2019-25076",
"CVE-2020-35498",
"CVE-2021-3905",
"CVE-2021-36980",
"CVE-2022-4337",
"CVE-2022-4338",
"CVE-2023-1668",
"CVE-2023-5366"
);
script_name(english:"RHEL 7 : openvswitch (Unpatched Vulnerability)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.
- openvswitch: limitation in the OVS packet parsing in userspace leads to DoS (CVE-2020-35498)
- openvswitch: Integer Underflow in Organization Specific TLV (CVE-2022-4338)
- The TSS (Tuple Space Search) algorithm in Open vSwitch 2.x through 2.17.2 and 3.0.0 allows remote
attackers to cause a denial of service (delays of legitimate traffic) via crafted packet data that
requires excessive evaluation time within the packet classification algorithm for the MegaFlow cache, aka
a Tuple Space Explosion (TSE) attack. (CVE-2019-25076)
- Open vSwitch (aka openvswitch) 2.11.0 through 2.15.0 has a use-after-free in decode_NXAST_RAW_ENCAP
(called from ofpact_decode and ofpacts_decode) during the decoding of a RAW_ENCAP action. (CVE-2021-36980)
- A memory leak was found in Open vSwitch (OVS) during userspace IP fragmentation processing. An attacker
could use this flaw to potentially exhaust available memory by keeping sending packet fragments.
(CVE-2021-3905)
- An out-of-bounds read in Organization Specific TLV was found in various versions of OpenvSwitch.
(CVE-2022-4337)
- A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the
datapath flow without the action modifying the IP header. This issue results (for both kernel and
userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for
this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a !=
0 IP protocol that matches this dp flow. (CVE-2023-1668)
- A flaw was found in Open vSwitch that allows ICMPv6 Neighbor Advertisement packets between virtual
machines to bypass OpenFlow rules. This issue may allow a local attacker to create specially crafted
packets with a modified or spoofed target IP address field that can redirect ICMPv6 traffic to arbitrary
IP addresses. (CVE-2023-5366)
Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-35498");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-4338");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vendor_unpatched", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/02/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/11");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:9");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openvswitch");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openvswitch2.10");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openvswitch2.11");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openvswitch2.12");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openvswitch2.13");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openvswitch2.15");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openvswitch2.16");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:openvswitch3.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var constraints = [
{
'pkgs': [
{'reference':'openvswitch', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'openvswitch', 'cves':['CVE-2019-25076', 'CVE-2021-3905', 'CVE-2022-4337', 'CVE-2022-4338', 'CVE-2023-1668']},
{'reference':'openvswitch', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'openvswitch', 'cves':['CVE-2022-4337', 'CVE-2022-4338', 'CVE-2023-1668']},
{'reference':'openvswitch2.10', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'openvswitch2.10', 'cves':['CVE-2019-25076', 'CVE-2020-35498', 'CVE-2022-4338', 'CVE-2023-1668', 'CVE-2023-5366']},
{'reference':'openvswitch2.11', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'openvswitch2.11', 'cves':['CVE-2019-25076', 'CVE-2022-4337', 'CVE-2022-4338', 'CVE-2023-1668', 'CVE-2023-5366']},
{'reference':'openvswitch2.12', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'openvswitch2.12', 'cves':['CVE-2019-25076', 'CVE-2020-35498', 'CVE-2021-3905', 'CVE-2021-36980', 'CVE-2023-1668', 'CVE-2023-5366']},
{'reference':'openvswitch2.13', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'openvswitch2.13', 'cves':['CVE-2019-25076', 'CVE-2022-4337', 'CVE-2022-4338', 'CVE-2023-1668', 'CVE-2023-5366']},
{'reference':'openvswitch2.15', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'openvswitch2.15', 'cves':['CVE-2023-5366']}
]
}
];
var flag = 0;
foreach var constraint_array ( constraints ) {
var repo_relative_urls = NULL;
var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
foreach var pkg ( constraint_array['pkgs'] ) {
var unpatched_pkg = NULL;
var _release = NULL;
var sp = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (unpatched_pkg &&
_release &&
(!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
}
}
if (flag)
{
var extra = NULL;
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : unpatched_packages_report()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'openvswitch / openvswitch2.10 / openvswitch2.11 / openvswitch2.12 / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | enterprise_linux | 7 | cpe:/o:redhat:enterprise_linux:7 |
| redhat | enterprise_linux | 8 | cpe:/o:redhat:enterprise_linux:8 |
| redhat | enterprise_linux | 9 | cpe:/o:redhat:enterprise_linux:9 |
| redhat | enterprise_linux | openvswitch | p-cpe:/a:redhat:enterprise_linux:openvswitch |
| redhat | enterprise_linux | openvswitch2.10 | p-cpe:/a:redhat:enterprise_linux:openvswitch2.10 |
| redhat | enterprise_linux | openvswitch2.11 | p-cpe:/a:redhat:enterprise_linux:openvswitch2.11 |
| redhat | enterprise_linux | openvswitch2.12 | p-cpe:/a:redhat:enterprise_linux:openvswitch2.12 |
| redhat | enterprise_linux | openvswitch2.13 | p-cpe:/a:redhat:enterprise_linux:openvswitch2.13 |
| redhat | enterprise_linux | openvswitch2.15 | p-cpe:/a:redhat:enterprise_linux:openvswitch2.15 |
| redhat | enterprise_linux | openvswitch2.16 | p-cpe:/a:redhat:enterprise_linux:openvswitch2.16 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25076
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35498
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36980
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3905
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4337
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4338
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1668
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-5366
Related
nessus
nessus
GLSA-202311-16 : Open vSwitch: Multiple Vulnerabilities
2023-11-26 00:00:00
RHEL 8 : openvswitch (Unpatched Vulnerability)
2024-05-11 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2023-2262
2023-10-22 05:27:25
gentoo
gentoo
Open vSwitch: Multiple Vulnerabilities
2023-11-26 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2023:2275-1)
2023-05-24 00:00:00
SUSE: Security Advisory (SUSE-SU-2023:2274-1)
2023-05-24 00:00:00
SUSE: Security Advisory (SUSE-SU-2023:2360-1)
2023-06-05 00:00:00
redhat
redhat
debian
debian
[SECURITY] [DSA 5319-1] openvswitch security update
2023-01-13 19:23:56
[SECURITY] [DLA 3253-1] openvswitch security update
2022-12-31 14:58:16
[SECURITY] [DSA 4852-1] openvswitch security update
2021-02-15 12:24:38
redos
redos
ubuntu
ubuntu
Open vSwitch vulnerabilities
2023-02-27 00:00:00
Open vSwitch vulnerability
2021-09-08 00:00:00
Open vSwitch vulnerability
2021-02-10 00:00:00
osv
osv
openvswitch vulnerabilities
2023-02-27 12:24:28
openvswitch - security update
2023-01-13 00:00:00
openvswitch - security update
2022-12-31 00:00:00
ubuntucve
ubuntucve
photon
photon
Critical Photon OS Security Update - PHSA-2023-0316
2023-01-18 00:00:00
Moderate Photon OS Security Update - PHSA-2021-0091
2021-08-31 00:00:00
Critical Photon OS Security Update - PHSA-2023-3.0-0519
2023-01-23 00:00:00
cvelist
cvelist
alpinelinux
alpinelinux
nvd
nvd
cbl_mariner
cbl_mariner
CVE-2021-36980 affecting package openvswitch 2.12.3-2
2021-09-09 15:02:58
CVE-2020-35498 affecting package openvswitch 2.12.0-3
2021-04-06 23:50:11
CVE-2021-36980 affecting package openvswitch for versions less than 2.17.0-1
2022-04-14 19:39:46
redhatcve
redhatcve
suse
suse
Security update for openvswitch (moderate)
2022-09-06 00:00:00
Security update for openvswitch (moderate)
2022-09-06 00:00:00
Security update for openvswitch (moderate)
2022-09-06 00:00:00
archlinux
archlinux
[ASA-202107-40] openvswitch: arbitrary code execution
2021-07-20 00:00:00
debiancve
debiancve
prion
prion
Code injection
2022-09-08 23:15:00
Design/Logic Flaw
2021-07-20 07:15:00
Denial of service
2021-02-11 18:15:00
veracode
veracode
Denial Of Service (DoS)
2021-02-12 06:36:48
Insufficient Verification Of Data Authenticity
2024-02-12 17:52:01
Always-Incorrect Control Flow Implementation
2023-04-30 17:29:47
altlinux
altlinux
Security fix for the ALT Linux 9 package openvswitch version 2.14.2-alt0.p9
2021-06-07 00:00:00
cve
cve
citrix
citrix
Citrix Hypervisor Security Bulletin for CVE-2020-35498
2022-09-13 12:48:15
githubexploit
githubexploit
Exploit for Uncontrolled Resource Consumption in Openvswitch
2021-02-12 02:08:01
fedora
fedora
[SECURITY] Fedora 38 Update: openvswitch-3.1.1-1.fc38
2023-04-22 22:23:00
7.8 High
AI Score
Confidence
High
0.005 Low
EPSS
Percentile
75.4%
Related for REDHAT_UNPATCHED-OPENVSWITCH-RHEL7.NASL