CVE-2018-17205 in Open vSwitch

Summary

by MITRE

An issue was discovered in Open vSwitch (OvS) 2.7.x through 2.7.6, affecting ofproto_rule_insert__ in ofproto/ofproto.c. During bundle commit, flows that are added in a bundle are applied to ofproto in order. If a flow cannot be added (e.g., the flow action is a go-to for a group id that does not exist), OvS tries to revert back all previous flows that were successfully applied from the same bundle. This is possible since OvS maintains a list of old flows that were replaced by flows from the bundle. While reinserting old flows, OvS has an assertion failure due to a check on rule state != RULE_INITIALIZED. This would work for new flows, but for an old flow the rule state is RULE_REMOVED. The assertion failure causes an OvS crash.


Analysis

by VulDB Data Team • 05/17/2023

The vulnerability identified as CVE-2018-17205 is a denial-of-service flaw in Open vSwitch 2.7.x through 2.7.6 that affects flow management during OpenFlow bundle commit operations. It resides in the ofproto_rule_insert__ function in ofproto/ofproto.c, which is reached when the switch applies the flows of a single bundle transaction. The problem manifests when a bundle contains a mix of valid and invalid flow entries, in particular when a flow action references a group identifier that does not exist. The flow management code attempts to maintain transactional integrity by rolling back previously applied flows when a later one fails, but this rollback path contains a state-handling error that makes the ovs-vswitchd daemon abort.

During bundle commit, Open vSwitch applies the bundle's flows to ofproto in order and keeps a list of the old flows that each new flow replaced. When a flow cannot be added, for example because it references a non-existent group ID, the switch reverts the flows from the same bundle that were already applied by reinserting those old flows. Reinsertion goes through ofproto_rule_insert__, which asserts that the rule's state is RULE_INITIALIZED. That assertion holds for a newly created rule, but an old rule that was displaced earlier in the same commit has already been moved to RULE_REMOVED, so the assertion fails and the process aborts. This is a classic state management error: the insertion path assumes every rule it receives is freshly initialized and does not account for the state transition a rule undergoes when it is removed and later reinstated during rollback.
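The following is an added illustration, not code from the Open vSwitch tree: a small Python model of the bundle commit and rollback logic described above. The rule state names mirror those in ofproto/ofproto.c (RULE_INITIALIZED, RULE_INSERTED, RULE_REMOVED); the Rule and Ofproto classes, the toy flow and group tables, and the `fixed` switch are simplifications made for this example, and the corrected variant (returning a displaced rule to RULE_INITIALIZED before reinserting it) is one way to avoid the assertion, not necessarily the upstream patch. The constructed scenario adds two flows in one bundle, the second of which references group 99, which does not exist.

```python
from enum import Enum


class RuleState(Enum):
    # Names mirror ofproto/ofproto.c; the transitions modelled here are simplified.
    INITIALIZED = "RULE_INITIALIZED"
    INSERTED = "RULE_INSERTED"
    REMOVED = "RULE_REMOVED"


class GroupNotFound(Exception):
    """Raised when a flow action references a group id that is not in the group table."""


class Rule:
    def __init__(self, match, actions):
        self.match = match        # e.g. "in_port=1"; one rule per match in this toy table
        self.actions = actions    # e.g. ["output:2"] or ["group:5"]
        self.state = RuleState.INITIALIZED


class Ofproto:
    """Toy stand-in for struct ofproto: a flow table keyed by match and a set of group ids."""

    def __init__(self, group_ids):
        self.groups = set(group_ids)
        self.table = {}

    def check_actions(self, rule):
        for action in rule.actions:
            if action.startswith("group:") and int(action[len("group:"):]) not in self.groups:
                raise GroupNotFound(action)

    def rule_insert(self, rule):
        # Models ofproto_rule_insert__(): the vulnerable assertion requires a fresh rule.
        if rule.state != RuleState.INITIALIZED:
            raise AssertionError(
                "ofproto_rule_insert__: rule->state == %s, expected RULE_INITIALIZED"
                % rule.state.value)
        self.table[rule.match] = rule
        rule.state = RuleState.INSERTED

    def rule_remove(self, rule):
        del self.table[rule.match]
        rule.state = RuleState.REMOVED


def bundle_commit(ofproto, new_rules, fixed):
    """Apply new_rules in order. On failure, revert the already-applied ones by
    reinstating the old rules they displaced. Returns (committed, error_message)."""
    applied = []  # (new_rule, displaced_old_rule_or_None), in application order
    try:
        for rule in new_rules:
            ofproto.check_actions(rule)
            old = ofproto.table.get(rule.match)
            if old is not None:
                ofproto.rule_remove(old)       # the displaced rule is now RULE_REMOVED
            ofproto.rule_insert(rule)
            applied.append((rule, old))
    except GroupNotFound as err:
        for rule, old in reversed(applied):
            ofproto.rule_remove(rule)
            if old is not None:
                if fixed:
                    # Example correction (assumption, not the upstream patch): return the
                    # displaced rule to a state the insert path accepts before reinserting.
                    old.state = RuleState.INITIALIZED
                ofproto.rule_insert(old)       # vulnerable path: the assertion fires here
        return False, str(err)
    return True, None


def run_scenario(fixed):
    """Constructed scenario: one pre-existing flow, then a bundle whose second flow
    references a group that does not exist. Returns a short description of the outcome."""
    ofproto = Ofproto(group_ids={1, 2})
    existing = Rule("in_port=1", ["output:2"])
    ofproto.rule_insert(existing)
    bundle = [
        Rule("in_port=1", ["group:1"]),    # valid; displaces `existing`
        Rule("in_port=3", ["group:99"]),   # group 99 does not exist -> commit fails
    ]
    try:
        committed, err = bundle_commit(ofproto, bundle, fixed=fixed)
    except AssertionError as exc:
        return ("abort", str(exc))
    return ("committed" if committed else "rolled back",
            err, ofproto.table["in_port=1"].actions, "in_port=3" in ofproto.table)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(fixed=False))
    print("fixed:     ", run_scenario(fixed=True))
```

With `fixed=False` the rollback reaches `rule_insert` with the displaced rule in RULE_REMOVED and raises, which is the model's equivalent of ovs-vswitchd aborting; with `fixed=True` the bundle is rejected cleanly and the original flow for `in_port=1` is back in the table.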

The operational impact is a denial of service against the switch rather than a compromise of traffic. An attacker who can submit a crafted bundle on the switch's OpenFlow channel (in practice, someone who can reach the bridge's OpenFlow listener or has compromised the controller) can crash ovs-vswitchd, disrupting connectivity for the virtual machines and containers attached to that switch until the daemon is restarted. The issue is classified as CWE-248 (Uncaught Exception) and CWE-682 (Incorrect Calculation); mechanically it is a reachable assertion in the rollback path. The exposure is greatest in environments where flow tables are updated through bundle operations on a regular basis, which is common in dynamic network virtualization. The behaviour maps to ATT&CK technique T1499.004 (Endpoint Denial of Service: Application or System Exploitation), since the attacker causes the disruption by crashing the application with crafted input.

Mitigation for CVE-2018-17205 is to upgrade affected Open vSwitch installations to 2.7.7 or later, where the bundle rollback path was corrected so that reinstating a replaced rule no longer trips the assertion in ofproto_rule_insert__. Where upgrading is delayed, restrict who can reach the switch's OpenFlow channel, since only an entity that can submit bundle commits can trigger the crash. Operators who generate flow updates themselves should validate a bundle before committing it, in particular checking that every group referenced by a group action already exists on the bridge (ovs-ofctl dump-groups shows the current group table), so that invalid entries never reach the rollback code path. Monitor the OpenFlow control channel for unusual bundle commit patterns that might indicate exploitation attempts, watch for unexpected ovs-vswitchd restarts, and consider rate limiting flow management operations from controllers to reduce the effectiveness of repeated crash attempts. Finally, review flow update tooling for references to group IDs that are never created: an ordering mistake in otherwise legitimate automation (adding a flow before its group) reaches the same code path as a deliberate attack.
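As an added example of the pre-commit validation suggested above (not a tool shipped with Open vSwitch), the following Python script checks a set of flow lines in ovs-ofctl add-flows syntax against the current group table and refuses a bundle that references a group id which does not exist. The group table text is in the format printed by `ovs-ofctl dump-groups`; the sample dump and flow lines embedded below are constructed for the example, and the bridge name `br0` and file name `flows.txt` in the comments are placeholders.

```python
import re

GROUP_ID_RE = re.compile(r"\bgroup_id=(\d+)")   # group table entries in dump-groups output
GROUP_ACTION_RE = re.compile(r"\bgroup:(\d+)")  # group actions inside an actions= list

# Constructed sample of what `ovs-ofctl -O OpenFlow13 dump-groups br0` prints for two groups.
SAMPLE_DUMP_GROUPS = """OFPST_GROUP_DESC reply (OF1.3) (xid=0x2):
 group_id=1,type=all,bucket=actions=output:2
 group_id=2,type=select,bucket=actions=output:3,bucket=actions=output:4
"""

# Constructed sample flow file, as passed to `ovs-ofctl --bundle add-flows br0 flows.txt`.
SAMPLE_FLOWS = [
    "# send port 1 traffic to group 1",
    "table=0,priority=100,in_port=1,actions=group:1",
    "table=0,priority=100,in_port=3,actions=group:99",
    "table=0,priority=50,ip,actions=resubmit(,1)",
]


def parse_group_ids(dump_groups_output):
    """Return the set of group ids present in dump-groups output."""
    return {int(gid) for gid in GROUP_ID_RE.findall(dump_groups_output)}


def referenced_groups(flow_line):
    """Return the group ids referenced by group actions in one flow line."""
    _, _, actions = flow_line.partition("actions=")
    return {int(gid) for gid in GROUP_ACTION_RE.findall(actions)}


def validate_bundle(flow_lines, existing_groups):
    """Return [(line_number, [missing group ids])] for every flow that references
    a group absent from existing_groups. An empty list means the bundle is safe to commit."""
    problems = []
    for lineno, line in enumerate(flow_lines, start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        missing = referenced_groups(line) - existing_groups
        if missing:
            problems.append((lineno, sorted(missing)))
    return problems


def bundle_is_safe(flow_lines, dump_groups_output):
    """True when no flow in the bundle references a group missing from the dump."""
    return not validate_bundle(flow_lines, parse_group_ids(dump_groups_output))


if __name__ == "__main__":
    groups = parse_group_ids(SAMPLE_DUMP_GROUPS)
    for lineno, missing in validate_bundle(SAMPLE_FLOWS, groups):
        print("flow line %d references missing group(s) %s" % (lineno, missing))
    print("safe to commit:", bundle_is_safe(SAMPLE_FLOWS, SAMPLE_DUMP_GROUPS))
```

To use it against a live bridge, capture the output of `ovs-ofctl -O OpenFlow13 dump-groups <bridge>` and the lines of the flow file, and only run `ovs-ofctl --bundle add-flows` when `validate_bundle` returns an empty list. The check covers flow mods only; a controller that creates groups and flows within the same bundle would also need to account for the group mods it is about to send.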

Reservation

09/19/2018

Disclosure

09/19/2018

Moderation

accepted

CPE

ready

EPSS

0.00771

KEV

no

Activities

very low

Sources
