7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-20267

GHSA ID

GHSA-w8hx-f868-pvch

EPSS Score

0.36495%

CWE

CWE-345

Published

5/24/2022

Updated

9/26/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-20267

CVE-2021-20267: Openstack Neutron has Insufficient Verification of IPv6 addresses

A flaw was found in openstack-neutron's default Open vSwitch firewall rules. By sending carefully crafted packets, anyone in control of a server instance connected to the virtual switch can impersonate the IPv6 addresses of other systems on the network, resulting in denial of service or in some cases possibly interception of traffic intended for other destinations. Only deployments using the Open vSwitch driver are affected. Source: OpenStack project. Versions before openstack-neutron 15.3.3, openstack-neutron 16.3.1 and openstack-neutron 17.1.1 are affected.

(GitHub Advisory)

7.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-20267

GHSA ID

GHSA-w8hx-f868-pvch

EPSS Score

0.36495%

CWE

CWE-345

Published

5/24/2022

Updated

9/26/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
neutron	pip	>= 16.0.0, < 16.3.1	16.3.1
neutron	pip	< 15.3.3	15.3.3
neutron	pip	>= 17.0.0, < 17.1.1	17.1.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing IPv6 anti-spoofing rules in Open vSwitch's firewall implementation. The OVS firewall driver's rule generation logic failed to properly validate ICMPv6 Neighbor Advertisement packets. The '_add_icmpv6_na_spoofing_protection' function (or equivalent) would be responsible for adding these critical checks, and its absence/insufficiency directly enables the spoofing. The '_create_base_flows' function's failure to include proper IPv6 source validation in flow rules matches the CWE-345 pattern of insufficient data authenticity verification. These conclusions align with the described attack vector (ICMPv6 NA spoofing) and the OpenStack security advisory's patch focus on firewall rule generation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in op*nst**k-n*utron's ****ult Op*n vSwit** *ir*w*ll rul*s. *y s*n*in* **r**ully *r**t** p**k*ts, *nyon* in *ontrol o* * s*rv*r inst*n** *onn**t** to t** virtu*l swit** **n imp*rson*t* t** IPv* ***r*ss*s o* ot**r syst*ms on t** n*two

Reasoning

T** vuln*r**ility st*ms *rom missin* IPv* *nti-spoo*in* rul*s in Op*n vSwit**'s *ir*w*ll impl*m*nt*tion. T** OVS *ir*w*ll *riv*r's rul* **n*r*tion lo*i* **il** to prop*rly v*li**t* I*MPv* N*i***or **v*rtis*m*nt p**k*ts. T** '_***_i*mpv*_n*_spoo*in*_p

7.1

Basic Information

Concerned about an active attack path?

CVE-2021-20267: Openstack Neutron has Insufficient Verification of IPv6 addresses

7.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI