CVE-2023-5366
📋 TL;DR
This vulnerability in Open vSwitch allows ICMPv6 Neighbor Advertisement packets to bypass OpenFlow rules between virtual machines. A local attacker can craft packets with spoofed target IP addresses to redirect ICMPv6 traffic to arbitrary destinations. This affects Open vSwitch deployments in virtualized environments.
💻 Affected Systems
- Open vSwitch
📦 What is this software?
Openvswitch by Openvswitch
⚠️ Risk & Real-World Impact
Worst Case
An attacker could redirect ICMPv6 traffic to malicious IP addresses, potentially enabling man-in-the-middle attacks, network traffic interception, or denial of service within the virtual network.
Likely Case
Local attackers within virtual machines could redirect ICMPv6 neighbor discovery traffic, potentially disrupting network connectivity or enabling limited traffic redirection within the virtual network segment.
If Mitigated
With proper network segmentation and strict OpenFlow rules, impact is limited to the affected virtual network segment with no access to external networks.
🎯 Exploit Status
Requires local access to a virtual machine and knowledge of ICMPv6 packet crafting. No public exploit code has been released.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Open vSwitch 3.2.3 and later
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2023-5366
Restart Required: Yes
Instructions:
1. Update Open vSwitch to version 3.2.3 or later.
2. For Red Hat systems: 'yum update openvswitch'.
3. For Debian/Ubuntu: 'apt update && apt upgrade openvswitch'.
4. Restart Open vSwitch services: 'systemctl restart openvswitch-switch'.
🔧 Temporary Workarounds
Block ICMPv6 Neighbor Advertisements
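Linux: Add OpenFlow rules to block or restrict ICMPv6 Neighbor Advertisement packets between VMs. Dropping every Neighbor Advertisement also stops IPv6 address resolution across the bridge, so narrow the match where VMs rely on IPv6.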
ovs-ofctl add-flow br0 'priority=100,icmp6,icmp_type=136,actions=drop'
Network Segmentation
All platforms: Isolate virtual machines into separate network segments to limit attack surface
🧯 If You Can't Patch
- Implement strict OpenFlow rules to filter ICMPv6 traffic between virtual machines
- Segment virtual networks to limit the blast radius of potential attacks
🔍 How to Verify
Check if Vulnerable:
Check the Open vSwitch version: 'ovs-vsctl --version'. If the version is below 3.2.3, the system is vulnerable.
Check Version:
ovs-vsctl --version
Verify Fix Applied:
Verify Open vSwitch version is 3.2.3 or higher: 'ovs-vsctl --version'
📡 Detection & Monitoring
Log Indicators:
- Unusual ICMPv6 Neighbor Advertisement patterns in network logs
- Open vSwitch flow rule violations for ICMPv6 traffic
Network Indicators:
- Suspicious ICMPv6 packets with modified target IP addresses
- Unexpected ICMPv6 traffic redirection between VMs
SIEM Query:
source="ovs" AND (icmp6_type=136 AND target_ip_changed)
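One way to check for the network indicator above, Neighbor Advertisements whose target address does not belong to the sender. This is an added example, not code from Open vSwitch or from this advisory. The MAC-to-address inventory, the function names and the sample frames are assumptions constructed for illustration; a deployment that tracks addresses per switch port should key the inventory on the port instead of the MAC.

```python
import ipaddress
import struct

ETH_IPV6, NEXT_ICMPV6, ND_NEIGHBOR_ADVERT = 0x86DD, 58, 136

def parse_na(frame):
    """Return (src_mac, src_ip, target_ip) for a Neighbor Advertisement, else None."""
    # Assumes untagged Ethernet, no IPv6 extension headers: 14 B Ethernet + 40 B IPv6 + 24 B NA.
    if len(frame) < 78 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV6:
        return None
    if frame[20] != NEXT_ICMPV6 or frame[54] != ND_NEIGHBOR_ADVERT:
        return None
    mac = ":".join(f"{b:02x}" for b in frame[6:12])
    return mac, ipaddress.IPv6Address(frame[22:38]), ipaddress.IPv6Address(frame[62:78])

def suspicious_na(frames, bindings):
    """List NAs whose target address is not bound to the sending MAC."""
    alerts = []
    for frame in frames:
        parsed = parse_na(frame)
        if parsed is None:
            continue
        mac, src, target = parsed
        if target not in bindings.get(mac, set()):
            alerts.append({"mac": mac, "src": str(src), "target": str(target)})
    return alerts

def _sample_na(mac, src, target):
    """Build a constructed test frame (checksum zero, never sent on a wire)."""
    addr = lambda a: ipaddress.IPv6Address(a).packed
    eth = bytes.fromhex("333300000001" + mac.replace(":", "")) + struct.pack("!H", ETH_IPV6)
    icmp = struct.pack("!BBHI", ND_NEIGHBOR_ADVERT, 0, 0, 0x20000000) + addr(target)
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), NEXT_ICMPV6, 255) + addr(src) + addr("ff02::1")
    return eth + ip6 + icmp

# Hypothetical inventory: MAC of each VM port -> IPv6 addresses it may advertise.
BINDINGS = {
    "52:54:00:00:00:0a": {ipaddress.IPv6Address("fd00::a")},
    "52:54:00:00:00:0b": {ipaddress.IPv6Address("fd00::b")},
}
# Constructed sample: one NA for the sender's own address, one for another VM's.
SAMPLE_FRAMES = [
    _sample_na("52:54:00:00:00:0a", "fd00::a", "fd00::a"),
    _sample_na("52:54:00:00:00:0b", "fd00::b", "fd00::a"),
]

if __name__ == "__main__":
    for alert in suspicious_na(SAMPLE_FRAMES, BINDINGS):
        print("NA target not bound to sender:", alert)
```

Frames can come from any capture taken on the bridge or a mirror port; anything that is not an untagged Neighbor Advertisement is skipped.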
🔗 References
- http://www.openwall.com/lists/oss-security/2024/02/08/4
- https://access.redhat.com/security/cve/CVE-2023-5366
- https://bugzilla.redhat.com/show_bug.cgi?id=2006347
- https://lists.debian.org/debian-lts-announce/2024/02/msg00004.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LFZADABUDOFI2KZIRQBYFZCIKH55RGY3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VYYUBF6OW2JG7VOFEOROHXGSJCTES3QO/