CVE-2025-0650: 
Linux Debian vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-0650) was discovered in the Open Virtual Network (OVN) affecting multiple versions. The vulnerability was disclosed on January 22, 2025, allowing specially crafted UDP packets to bypass egress access control lists (ACLs) in OVN installations configured with a logical switch that has both DNS records and egress ACLs configured. This vulnerability affects various versions of OVN and has been assigned a CVSS v3.1 base score of 8.1 (High) (Red Hat CVE).

The vulnerability exists in OVN's DNS caching feature, which is designed to speed up lookups of frequently-used domains. When this feature is enabled, the OpenFlow rules that OVN installs in Open vSwitch can be exploited by crafting specific UDP packets that bypass egress ACL rules (those with 'direction' set to 'to-lport'). A system is vulnerable if a logical switch has DNS records set on it AND if the same switch has egress ACLs configured either directly using the 'acls' column or through port groups (OSS Security).

The exploitation of this vulnerability can lead to unauthorized access to virtual machines and containers running on the OVN network. This poses a significant security risk as it allows attackers to bypass intended access controls, potentially compromising the security boundaries between network segments (NVD).

Several mitigation options are available: 1) Disable DNS caching by clearing the 'dns_records' column of all logical switches in the northbound database, 2) Convert egress ACLs to ingress ACLs (direction 'from-lport') where possible, or 3) Adjust network topology to separate DNS caching and egress ACLs onto different logical switches. The recommended solution is to upgrade to patched versions: v22.03.8, v24.03.5, or v24.09.2 (OSS Security).