CVE-2024-2182 in ovn
Summary
by MITRE • 03/12/2024
A flaw was found in the Open Virtual Network (OVN). In OVN clusters where BFD is used between hypervisors for high availability, an attacker can inject specially crafted BFD packets from inside unprivileged workloads, including virtual machines or containers, that can trigger a denial of service.
Analysis
by VulDB Data Team • 01/25/2026
The vulnerability identified as CVE-2024-2182 resides within the Open Virtual Network (OVN) framework, specifically affecting OVN clusters that implement Bidirectional Forwarding Detection (BFD) for high availability purposes. This flaw represents a critical security weakness that undermines the integrity of virtualized network infrastructures by enabling unauthorized denial of service attacks. The vulnerability exploits the trust relationships between hypervisors within OVN clusters, creating a pathway for malicious actors to disrupt network availability through crafted packet injection.
Technically, the vulnerability stems from insufficient validation of BFD packet sources in the OVN control plane. When BFD is enabled for high availability between hypervisors, the system expects BFD packets to originate from legitimate network peers. The flaw, however, allows unprivileged workloads, including virtual machines and containers, to craft and inject BFD packets that appear to come from trusted hypervisor endpoints. This gives a malicious actor a way to manipulate the BFD state machine so that legitimate network paths are marked as failed or unstable. The root cause is the absence of a source validation step that would verify where a BFD packet came from before the OVN control plane processes it.
The operational impact of CVE-2024-2182 extends beyond simple service disruption to potentially compromise entire virtualized network infrastructures. Attackers exploiting this vulnerability can trigger cascading failures across multiple hypervisors in an OVN cluster, leading to widespread network partitioning and service outages. The denial of service effect can be particularly severe in production environments where OVN clusters manage critical network connectivity for numerous virtual workloads. This vulnerability directly affects the availability and reliability of virtualized networks, potentially causing significant business disruption and requiring immediate remediation efforts to restore network services.
Security mitigations for CVE-2024-2182 should focus on implementing robust source validation mechanisms within OVN clusters that utilize BFD. Network administrators should consider disabling BFD functionality in environments where untrusted workloads exist, or implement strict network segmentation policies that prevent unprivileged workloads from accessing BFD packet injection capabilities. The mitigation strategy should include enforcing proper access controls and network isolation between privileged hypervisor management planes and unprivileged virtual workloads. Additionally, implementing network monitoring solutions that can detect anomalous BFD packet patterns and unauthorized packet injection attempts provides an additional layer of defense against exploitation of this vulnerability.
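The monitoring measure described above can be made concrete with a small audit routine. The following is an added example, not code from the advisory or from the OVN project: it parses the mandatory RFC 5880 BFD control header and reports BFD control packets (UDP port 3784, RFC 5881) that were not both received on a known tunnel port and sourced from a known hypervisor peer address. The port names, the peer subnet, and the packet records are all constructed for the demo and are not taken from any real deployment.

```python
"""Audit captured packets for BFD control traffic from unexpected sources.

Added example (not from the advisory or the OVN project). Parses the
24-byte RFC 5880 BFD control header and flags packets whose ingress port
or source address is not a known hypervisor peer. All port names, peers
and packet records below are constructed for the demo.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BFD_UDP_PORT = 3784  # RFC 5881 single-hop BFD control port
BFD_STATES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}

# Hypothetical inventory of this hypervisor's tunnel ports and peer subnet.
TUNNEL_PORTS = {"ovn-hv2-0", "ovn-hv3-0"}
HYPERVISOR_PEERS = [ip_network("10.0.0.0/24")]


@dataclass
class BfdControl:
    version: int
    diag: int
    state: str
    detect_mult: int
    length: int
    my_disc: int
    your_disc: int
    desired_min_tx_us: int
    required_min_rx_us: int


@dataclass
class PacketRecord:
    in_port: str      # switch port the packet arrived on (constructed)
    src_ip: str       # outer IP source address
    udp_dst: int
    payload: bytes    # UDP payload


def parse_bfd(payload: bytes) -> BfdControl:
    """Parse the mandatory section of an RFC 5880 BFD control packet."""
    if len(payload) < 24:
        raise ValueError("BFD control packet shorter than 24 bytes")
    (vers_diag, sta_flags, detect_mult, length, my_disc, your_disc,
     tx, rx, _echo) = struct.unpack("!BBBBIIIII", payload[:24])
    version, diag, state = vers_diag >> 5, vers_diag & 0x1F, sta_flags >> 6
    if version != 1:
        raise ValueError(f"unsupported BFD version {version}")
    # RFC 5880: Length must match, Detect Mult and My Discriminator are nonzero.
    if length != len(payload) or detect_mult == 0 or my_disc == 0:
        raise ValueError("malformed BFD control packet")
    return BfdControl(version, diag, BFD_STATES[state], detect_mult, length,
                      my_disc, your_disc, tx, rx)


def build_bfd(state: int, my_disc: int, your_disc: int, detect_mult: int = 3) -> bytes:
    """Encode a BFD control header; used only to build the constructed fixtures."""
    return struct.pack("!BBBBIIIII", 1 << 5, state << 6, detect_mult, 24,
                       my_disc, your_disc, 100_000, 100_000, 0)


def audit(records):
    """Return (in_port, src_ip, reason) for every suspicious BFD packet."""
    findings = []
    for r in records:
        if r.udp_dst != BFD_UDP_PORT:
            continue
        try:
            ctl = parse_bfd(r.payload)
        except ValueError as err:
            findings.append((r.in_port, r.src_ip, f"malformed BFD: {err}"))
            continue
        from_tunnel = r.in_port in TUNNEL_PORTS
        from_peer = any(ip_address(r.src_ip) in net for net in HYPERVISOR_PEERS)
        if not (from_tunnel and from_peer):
            findings.append((r.in_port, r.src_ip,
                             f"BFD {ctl.state} my_disc={ctl.my_disc:#x} "
                             "from non-hypervisor source"))
    return findings


# Constructed sample capture: one legitimate peer session, one packet with a
# peer source address but received on a workload port, one truncated packet.
SAMPLE_RECORDS = [
    PacketRecord("ovn-hv2-0", "10.0.0.2", BFD_UDP_PORT, build_bfd(3, 0x1001, 0x2002)),
    PacketRecord("vm-port-1", "10.0.0.2", BFD_UDP_PORT, build_bfd(1, 0x1001, 0x2002)),
    PacketRecord("vm-port-1", "192.168.5.9", BFD_UDP_PORT, build_bfd(1, 0xDEAD, 0)[:16]),
    PacketRecord("vm-port-2", "192.168.5.10", 53, b"\x00" * 24),  # not BFD, ignored
]

if __name__ == "__main__":
    for port, src, reason in audit(SAMPLE_RECORDS):
        print(f"{port} {src}: {reason}")
```

The check keys on the ingress port as well as the source address, because the whole point of the flaw is that a workload can spoof a peer's address; a packet claiming to be from a hypervisor peer but arriving on a VIF is the signal worth alerting on.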
This vulnerability aligns with CWE-284, which addresses improper access control in network protocols, and demonstrates the importance of implementing proper input validation and source authentication mechanisms. The attack vector corresponds to techniques described in the ATT&CK framework under T1059 for command and control communications and T1499 for network denial of service attacks. Organizations utilizing OVN with BFD high availability features must prioritize patching and configuration reviews to prevent exploitation of this critical vulnerability that could compromise the availability of virtualized network services and potentially impact business continuity operations.