CVE-2021-20267: Openstack Neutron has Insufficient Verification of IPv6 addresses
7.1
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.36495%
CWE
Published
5/24/2022
Updated
9/26/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
neutron | pip | >= 16.0.0, < 16.3.1 | 16.3.1 |
neutron | pip | < 15.3.3 | 15.3.3 |
neutron | pip | >= 17.0.0, < 17.1.1 | 17.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from missing IPv6 anti-spoofing rules in Open vSwitch's firewall implementation. The OVS firewall driver's rule generation logic failed to properly validate ICMPv6 Neighbor Advertisement packets. The '_add_icmpv6_na_spoofing_protection' function (or equivalent) would be responsible for adding these critical checks, and its absence/insufficiency directly enables the spoofing. The '_create_base_flows' function's failure to include proper IPv6 source validation in flow rules matches the CWE-345 pattern of insufficient data authenticity verification. These conclusions align with the described attack vector (ICMPv6 NA spoofing) and the OpenStack security advisory's patch focus on firewall rule generation.