OVN Information Disclosure Vulnerability via Crafted DHCPv6 Packets

Vulnerability

A vulnerability exists in OVN (Open Virtual Network) versions through 2.13 and 22.03, 22.06, and 22.09. A remote attacker can exploit this flaw by sending specially crafted DHCPv6 SOLICIT packets with an exaggerated Client ID length. This manipulation causes the ovn-controller to perform an out-of-bounds read, accessing sensitive information in heap memory. The leaked data is then sent back to the attacker's virtual machine port. The issue arises when DHCPv6 is enabled for logical switch ports, because user-controlled packet data is then processed without proper validation.

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive information stored in heap memory, which is then disclosed to the attacker's virtual machine port.

Reproduction

To reproduce this vulnerability, send a DHCPv6 SOLICIT packet with an inflated Client ID length to a logical switch port with DHCPv6 enabled. The ovn-controller will read beyond the packet's bounds, leaking adjacent heap memory information.

Remediation

There is no recommended fix for this vulnerability, as disabling DHCPv6 on affected logical ports will also interrupt legitimate DHCPv6 traffic from connected workloads.

Added: Apr 24, 2026, 1:32 PM
Updated: Apr 24, 2026, 1:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 5.2
remediation: 7.9
relevance: 6.6
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.