Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2024-2182
CVE-2024-2182:
Linux Debian vulnerability analysis and mitigation
Overview
A vulnerability (CVE-2024-2182) was discovered in Open Virtual Network (OVN) affecting multiple versions back to 20.03.0. The vulnerability allows attackers to inject specially crafted BFD (Bidirectional Forwarding Detection) packets from inside unprivileged workloads, including virtual machines or containers, that can trigger a denial of service. This issue specifically affects OVN clusters where BFD is used between hypervisors for high availability (OVN Announce, OSS Security).
Technical details
The vulnerability exists in OVN's handling of BFD packets in clusters where gateway chassis and high-availability chassis groups are configured. When OVN logical switch and router ports reference these groups, OVN automatically enables OVS BFD functionality to monitor remote nodes' health. BFD packets are transmitted in-band through tunnels connecting OVN chassis. By default, OVS processes any BFD packets received on a tunnel port with BFD enabled, without proper validation of their origin. This allows unprivileged workloads to send crafted BFD packets that can be tunneled to another node and processed by OVS. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (NVD).
Impact
When successfully exploited, an attacker can affect traffic forwarding decisions by manipulating BFD states between nodes. In a scenario with at least two nodes where BFD is used for high availability, a VM in a tenant network can inject specific BFD packets advertising a 'down' state, which will impact traffic forwarding between all tenants in the OVN cluster, resulting in a denial of service condition (OSS Security).
Mitigation and workarounds
A temporary mitigation involves adding ACL rules to drop BFD packets originated from logical ports. This can be implemented by running a script that adds ACLs to all existing OVN logical switches. However, this approach is not recommended as it will also block legitimate BFD traffic from workloads. The recommended solution is to upgrade to patched versions: v22.03.7, v23.03.3, v23.06.3, v23.09.3, or v24.03.1. Patches are available for all currently supported versions of OVN (OVN Announce).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management