Open Virtual Network
cpe:2.3:a:ovn:open_virtual_network:*:*:*:*:*:*:*
A flaw in Open Virtual Network (OVN) lets specially crafted UDP packets bypass egress access control lists (ACLs) on a logical switch that has DNS records attached and egress ACLs configured. The bypass depends on OVN's optional DNS caching (lookup) feature, which is enabled per logical switch by setting DNS records on it; with that feature active, the crafted packets evade ACL rules in the 'to-lport' direction, which OVN evaluates in the switch's egress pipeline. Successful exploitation can give an attacker unauthorized access to virtual machines and containers on the OVN network.
The vulnerable configuration has two preconditions, both on the same logical switch: DNS records attached to the switch (which turns on OVN's DNS handling for it) and at least one egress ACL, that is, an ACL in the 'to-lport' direction. Given that configuration, an attacker able to send UDP packets into the switch can craft them so they are not matched by the egress ACLs, reaching the virtual machines or containers those ACLs were meant to protect.
Upgrade to OVN 22.03.8, 24.03.5 or 24.09.2 (or a later release on the same branch); each contains the fix. On Red Hat Enterprise Linux the fix ships through the Red Hat Product Errata advisories RHSA-2025:1084, RHSA-2025:1090, RHSA-2025:1094 and RHSA-2025:1096.
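The following triage script is an added example, not code from this page or from the OVN project. It checks the two facts a practitioner wants before deciding whether to upgrade: whether the installed OVN version is below the fixed release on one of the three branches named above, and which logical switches combine DNS records with a to-lport (egress) ACL. The ovn-nbctl subcommands it runs (--version, find, acl-list) are real; the OVN_NBCTL variable, the script name, the demo_nbctl stand-in and its switch and port names (tenant-a, tenant-b, vm1, vm2) are constructed for illustration so the script can be exercised without a northbound database.

```shell
#!/bin/sh
# Added triage helper for the OVN DNS / egress-ACL bypass described on this
# page. Not OVN project code. Two checks:
#   1. ovn_version_status: is the version on a branch listed in the advisory
#      (22.03, 24.03, 24.09) and at or above the fixed release?
#   2. at_risk_switches: which logical switches combine dns_records with at
#      least one to-lport (egress) ACL attached directly to the switch?
#      Limitation: ACLs attached through port groups are not inspected here;
#      review those with "ovn-nbctl --type=port-group acl-list PORT_GROUP".
# OVN_NBCTL may point at any command with ovn-nbctl's interface; demo_nbctl
# below is a constructed stand-in with sample data so the script runs offline.

OVN_NBCTL=${OVN_NBCTL:-ovn-nbctl}

# ovn_version_status VERSION
# Prints one of: fixed | vulnerable | unlisted-branch | unparseable.
# Packaging suffixes such as "-3.el9fdp" are stripped before comparing.
ovn_version_status() {
    ver=${1%%[-~]*}
    branch=${ver%.*}          # 24.03.3 -> 24.03
    patch=${ver##*.}          # 24.03.3 -> 3
    case "$patch" in
        '' | *[!0-9]*) echo unparseable; return 0 ;;
    esac
    case "$branch" in
        22.03) fix=8 ;;       # fixed in 22.03.8
        24.03) fix=5 ;;       # fixed in 24.03.5
        24.09) fix=2 ;;       # fixed in 24.09.2
        *) echo unlisted-branch; return 0 ;;
    esac
    if [ "$patch" -ge "$fix" ]; then echo fixed; else echo vulnerable; fi
}

# Version of the installed ovn-nbctl: last field of the first --version line.
ovn_running_version() {
    "$OVN_NBCTL" --version | awk 'NR == 1 { print $NF }'
}

# Names of logical switches that have DNS records and at least one to-lport ACL.
# acl-list right-aligns the direction column, so to-lport lines carry leading spaces.
at_risk_switches() {
    "$OVN_NBCTL" --bare --columns=name find logical_switch 'dns_records!=[]' |
    while IFS= read -r sw; do
        [ -n "$sw" ] || continue              # --bare separates records with blank lines
        if "$OVN_NBCTL" acl-list "$sw" | grep -q '^[[:space:]]*to-lport'; then
            echo "$sw"
        fi
    done
}

report() {
    ver=$(ovn_running_version)
    echo "ovn-nbctl $ver: $(ovn_version_status "$ver")"
    echo "switches with DNS records and to-lport ACLs:"
    at_risk_switches | sed 's/^/  /'
}

# Constructed stand-in for ovn-nbctl (sample data, not from a real deployment):
# version 24.03.3, two switches with DNS records, only tenant-a has an egress ACL.
demo_nbctl() {
    case "$1" in
        --version)
            printf 'ovn-nbctl 24.03.3\nOpen vSwitch Library 3.3.0\n' ;;
        --bare)
            printf 'tenant-a\n\ntenant-b\n' ;;
        acl-list)
            case "$2" in
                tenant-a)
                    printf 'from-lport  1001 (inport == "vm1" && ip4) allow-related\n'
                    printf '  to-lport  1000 (outport == "vm1" && ip4 && tcp.dst == 22) drop\n' ;;
                tenant-b)
                    printf 'from-lport  1001 (inport == "vm2" && ip4) allow-related\n' ;;
            esac ;;
    esac
}

# Usage: ./ovn-dns-acl-check.sh          (against the live northbound database)
#        ./ovn-dns-acl-check.sh --demo   (against the constructed sample data)
if [ "${1:-}" = --demo ]; then OVN_NBCTL=demo_nbctl; fi
if command -v "$OVN_NBCTL" >/dev/null 2>&1; then
    report
fi
```

Run it on a node that can reach the northbound database (or set OVN_NB_DB as you would for ovn-nbctl itself). A switch reported by at_risk_switches on a "vulnerable" version matches the preconditions described above; a switch with DNS records but no to-lport ACLs has nothing to bypass, and a fixed version closes the issue regardless of configuration.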