Miggo Logo

CVE-2021-20267: Openstack Neutron has Insufficient Verification of IPv6 addresses

7.1

CVSS Score
3.1

Basic Information

EPSS Score
0.36495%
Published
5/24/2022
Updated
9/26/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
neutronpip>= 16.0.0, < 16.3.116.3.1
neutronpip< 15.3.315.3.3
neutronpip>= 17.0.0, < 17.1.117.1.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from missing IPv6 anti-spoofing rules in Open vSwitch's firewall implementation. The OVS firewall driver's rule generation logic failed to properly validate ICMPv6 Neighbor Advertisement packets. The '_add_icmpv6_na_spoofing_protection' function (or equivalent) would be responsible for adding these critical checks, and its absence/insufficiency directly enables the spoofing. The '_create_base_flows' function's failure to include proper IPv6 source validation in flow rules matches the CWE-345 pattern of insufficient data authenticity verification. These conclusions align with the described attack vector (ICMPv6 NA spoofing) and the OpenStack security advisory's patch focus on firewall rule generation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in op*nst**k-n*utron's ****ult Op*n vSwit** *ir*w*ll rul*s. *y s*n*in* **r**ully *r**t** p**k*ts, *nyon* in *ontrol o* * s*rv*r inst*n** *onn**t** to t** virtu*l swit** **n imp*rson*t* t** IPv* ***r*ss*s o* ot**r syst*ms on t** n*two

Reasoning

T** vuln*r**ility st*ms *rom missin* IPv* *nti-spoo*in* rul*s in Op*n vSwit**'s *ir*w*ll impl*m*nt*tion. T** OVS *ir*w*ll *riv*r's rul* **n*r*tion lo*i* **il** to prop*rly v*li**t* I*MPv* N*i***or **v*rtis*m*nt p**k*ts. T** '_***_i*mpv*_n*_spoo*in*_p