5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-7543

GHSA ID

GHSA-hvxr-2fvv-c3wq

EPSS Score

0.62333%

CWE

CWE-362

Published

5/13/2022

Updated

2/8/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-7543

CVE-2017-7543: OpenStack Neutron Race Condition vulnerability

A race-condition flaw was discovered in openstack-neutron before 7.2.0-12.1, 8.x before 8.3.0-11.1, 9.x before 9.3.1-2.1, and 10.x before 10.0.2-1.1, where, following a minor overcloud update, neutron security groups were disabled. Specifically, the following were reset to 0: net.bridge.bridge-nf-call-ip6tables and net.bridge.bridge-nf-call-iptables. The race was only triggered by an update, at which point an attacker could access exposed tenant VMs and network resources.

(GitHub Advisory)

5.9

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-7543

GHSA ID

GHSA-hvxr-2fvv-c3wq

EPSS Score

0.62333%

CWE

CWE-362

Published

5/13/2022

Updated

2/8/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
neutron	pip	< 7.2.0-12.1	7.2.0-12.1
neutron	pip	>= 8.0.0, < 8.3.0-11.1	8.3.0-11.1
neutron	pip	>= 9.0.0, < 9.3.1-2.1	9.3.1-2.1
neutron	pip	>= 10.0.0, < 10.0.2-1.1	10.0.2-1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from a race condition where sysctl settings for bridge-nf-call-iptables were reset during updates. The patch adds an ExecStartPre directive in neutron-ovs-cleanup.service to ensure these settings are reapplied. The absence of this step in vulnerable versions indicates the neutron-ovs-cleanup script execution (or lack thereof) is directly tied to the vulnerability. This function would appear in runtime profiles during service initialization.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* r***-*on*ition *l*w w*s *is*ov*r** in op*nst**k-n*utron ***or* *.*.*-**.*, *.x ***or* *.*.*-**.*, *.x ***or* *.*.*-*.*, *n* **.x ***or* **.*.*-*.*, w**r*, *ollowin* * minor ov*r*lou* up**t*, n*utron s**urity *roups w*r* *is**l**. Sp**i*i**lly, t**

Reasoning

T** vuln*r**ility st*ms *rom * r*** *on*ition w**r* sys*tl s*ttin*s *or *ri***-n*-**ll-ipt**l*s w*r* r*s*t *urin* up**t*s. T** p*t** ***s *n `*x**St*rtPr*` *ir**tiv* in `n*utron-ovs-*l**nup.s*rvi**` to *nsur* t**s* s*ttin*s *r* r**ppli**. T** **s*n**

5.9

Basic Information

Concerned about an active attack path?

CVE-2017-7543: OpenStack Neutron Race Condition vulnerability

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI