CVE-2023-5366: 
NixOS vulnerability analysis and mitigation

A vulnerability was discovered in Open vSwitch (CVE-2023-5366) that allows ICMPv6 Neighbor Advertisement packets between virtual machines to bypass OpenFlow rules. The vulnerability affects Open vSwitch versions 2.1 and newer, allowing local attackers to create specially crafted packets with modified or spoofed target IP address fields that can redirect ICMPv6 traffic to arbitrary IP addresses (OpenWall Advisory, NVD).

The vulnerability stems from a discrepancy between the OpenFlow specification and datapath implementations. While the OpenFlow spec only requires ICMPV6 TYPE=135 or ICMPV6 TYPE=136 as prerequisites for IPV6_ND_TARGET, datapath implementations treat ICMPV6_CODE=0 as a requirement for packets with Target Address options. This mismatch leads to the creation of overly broad datapath flows that match packets regardless of the Target Address value. The vulnerability has a CVSS v3.1 base score of 5.5 (Medium) according to NVD, with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (OpenWall Advisory, NVD).

The vulnerability can allow attackers to bypass Neighbor Discovery anti-spoofing protection. When exploited, it enables the redirection of ICMPv6 traffic to arbitrary IP addresses, potentially compromising network security and enabling man-in-the-middle attacks between virtual machines (OpenWall Advisory).

For affected versions of Open vSwitch, the primary mitigation is to add an icmpv6_code=0 match to OpenFlow rules. Fixed versions include Open vSwitch 3.2.2, 3.1.4, 3.0.6, and 2.17.9. The development team recommends following the mitigation strategy even with patches applied, as checking both ICMPv6 Code and Type is the correct way to validate Neighbor Discovery packets according to RFC 4861 (OpenWall Advisory).