CVE-2019-9735: OpenStack Neutron's unsupported dport option prevents applying security groups

CVSS Score: 6.5 (CVSS 3.0)

Basic Information

EPSS Score: 0.82868%
Published: 5/13/2022
Updated: 10/3/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name   Ecosystem   Vulnerable Versions      First Patched Version
neutron        pip         < 10.0.8                 10.0.8
neutron        pip         >= 11.0.0, < 11.0.7      11.0.7
neutron        pip         >= 12.0.0, < 12.0.6      12.0.6
neutron        pip         >= 13.0.0, < 13.0.3      13.0.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from improper validation of protocol-port compatibility when generating iptables rules. The primary issue lies in the iptables driver's rule construction logic (_build_rule), which appended '--dport' without checking whether the rule's protocol has a port concept at all (VRRP, for example, does not, so iptables rejects '--dport' for it and the whole rule set fails to apply). The secondary issue is in the security group processing layer (_process_security_group_rule), which did not filter such invalid rules before passing them to the firewall driver. Patches addressed both by adding protocol-specific checks and omitting '--dport' where the protocol does not support it. The high confidence for _build_rule is based on its direct linkage to iptables command generation, while _process_security_group_rule is marked medium due to its indirect involvement in validation.
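To make the two layers of the fix concrete, here is an added example that is not Neutron's own code: a minimal model of an iptables rule builder with the defect described above beside a hardened form, plus a processing-layer filter that drops port-bearing rules for portless protocols before they reach the driver. The function names (build_rule_unchecked, build_rule, filter_rules, render), the PORT_PROTOCOLS set and the sample rules are this example's own assumptions; Neutron's real driver keys its check on its own protocol tables.

```python
"""Model of CVE-2019-9735's defect and mitigation (added example, not Neutron code).

ASSUMPTION: PORT_PROTOCOLS is a simplified set of protocols whose iptables
match modules accept --dport; Neutron's own table may differ.
"""

PORT_PROTOCOLS = {"tcp", "udp", "sctp", "udplite", "dccp"}


def build_rule_unchecked(rule):
    """Mirrors the defect: emits --dport for any protocol that carries a port.

    For a protocol such as vrrp, iptables-restore rejects '--dport', and the
    failure takes the whole rule set (all security groups) down with it.
    """
    args = ["-p", rule["protocol"]]
    if rule.get("port_range_min") is not None:
        args += ["--dport", str(rule["port_range_min"])]
    return args + ["-j", "RETURN"]


def build_rule(rule):
    """Hardened form: add --dport only when the protocol actually has ports."""
    proto = rule["protocol"]
    args = ["-p", proto]
    if proto in PORT_PROTOCOLS and rule.get("port_range_min") is not None:
        lo = rule["port_range_min"]
        hi = rule.get("port_range_max", lo)
        args += ["--dport", str(lo) if hi == lo else f"{lo}:{hi}"]
    return args + ["-j", "RETURN"]


def filter_rules(rules):
    """Secondary check at the processing layer.

    Splits rules into (accepted, rejected): a rule that pairs a port with a
    portless protocol is rejected before it can reach the firewall driver.
    """
    accepted, rejected = [], []
    for rule in rules:
        has_port = rule.get("port_range_min") is not None
        if has_port and rule["protocol"] not in PORT_PROTOCOLS:
            rejected.append(rule)
        else:
            accepted.append(rule)
    return accepted, rejected


def render(rules, builder):
    """Render rules as iptables-restore style lines for a constructed chain name."""
    return [" ".join(["-A", "neutron-example"] + builder(r)) for r in rules]


# Constructed sample security-group rules (not taken from any real deployment).
SAMPLE_RULES = [
    {"protocol": "tcp", "port_range_min": 22, "port_range_max": 22},
    {"protocol": "vrrp", "port_range_min": 22},  # the failure case: vrrp has no ports
    {"protocol": "icmp"},
]

if __name__ == "__main__":
    print("unchecked builder (the second line makes iptables-restore fail):")
    for line in render(SAMPLE_RULES, build_rule_unchecked):
        print("  ", line)
    accepted, rejected = filter_rules(SAMPLE_RULES)
    print("hardened builder over filtered rules:")
    for line in render(accepted, build_rule):
        print("  ", line)
    print("rejected before reaching the driver:", rejected)
```

Running the script shows the unchecked builder producing `-p vrrp --dport 22`, which is exactly the line iptables cannot load, while the hardened path either strips the port or never hands the rule to the driver; a defender auditing a pre-patch deployment can look for the same protocol/port pairing in security group rules.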


WAF Protection Rules

An issue was discovered in the iptables firewall module in OpenStack Neutron before 10.0.8, 11.x before 11.0.7, 12.x before 12.0.6, and 13.x before 13.0.3. By setting a destination port in a security group rule along with a protocol that doesn't supp
