CVE-2018-14636
published 2018-09-10CVE-2018-14636: Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the…
PriorityP428medium5.3CVSS 3.0
AVNACHPRLUINSUCHINAN
EPSS
1.17%
63.6th percentile
Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would potentially be visible to the migrated guest, as the required Open vSwitch VLAN filters are only applied post-migration. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3, 11.0.5 are vulnerable.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | neutron | < neutron 2:13.0.0-1 (bookworm) | neutron 2:13.0.0-1 (bookworm) |
| openstack | neutron | — | — |
| openstack | neutron | >= 0 < 2:13.0.0-1 | 2:13.0.0-1 |
| openstack | neutron | >= 0 < 2:13.0.0-1 | 2:13.0.0-1 |
| openstack | neutron | >= 0 < 2:13.0.0-1 | 2:13.0.0-1 |
| openstack | neutron | >= 0 < 2:13.0.0-1 | 2:13.0.0-1 |
| openstack | neutron | >= 11.0.0 < 11.0.5 | 11.0.5 |
| openstack | neutron | >= 12.0.0 < 12.0.3 | 12.0.3 |
| openstack | neutron | 12.0.0 – 12.0.2 | — |
| openstack | neutron | >= 13.0.0.0b1 < 13.0.0.0b2 | 13.0.0.0b2 |
| openstack | neutron | 7.0.0 – 11.0.4 | — |
| the_openstack_project | openstack-neutron | — | — |
| the_openstack_project | openstack-neutron | — | — |
| the_openstack_project | openstack-neutron | — | — |
CVSS provenance
nvdv3.05.3MEDIUMCVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
nvdv2.03.5LOWAV:N/AC:M/Au:S/C:P/I:N/A:N
osv5.3MEDIUM
vendor_debian5.3LOW
vendor_redhat5.3MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Openstack Neutron vulnerable to eavesdropping on private traffic
ghsa·2022-05-13
CVE-2018-14636 [MEDIUM] Openstack Neutron vulnerable to eavesdropping on private traffic
Openstack Neutron vulnerable to eavesdropping on private traffic
Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would potentially be visible to the migrated guest, as the required Open vSwitch VLAN filters are only applied post-migration. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3, 11.0.5 are vulnerable.
OSV
Openstack Neutron vulnerable to eavesdropping on private traffic
osv·2022-05-13
CVE-2018-14636 [MEDIUM] Openstack Neutron vulnerable to eavesdropping on private traffic
Openstack Neutron vulnerable to eavesdropping on private traffic
Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would potentially be visible to the migrated guest, as the required Open vSwitch VLAN filters are only applied post-migration. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3, 11.0.5 are vulnerable.
OSV
CVE-2018-14636: Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor
osv·2018-09-10·CVSS 5.3
CVE-2018-14636 [MEDIUM] CVE-2018-14636: Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor
Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would potentially be visible to the migrated guest, as the required Open vSwitch VLAN filters are only applied post-migration. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3, 11.0.5 are vulnerable.
Red Hat
openstack-neutron: eavesdropping private traffic due to trunk ports after live migration
vendor_redhat·2018-04-27·CVSS 5.3
CVE-2018-14636 [MEDIUM] CWE-300 openstack-neutron: eavesdropping private traffic due to trunk ports after live migration
openstack-neutron: eavesdropping private traffic due to trunk ports after live migration
Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would potentially be visible to the migrated guest, as the required Open vSwitch VLAN filters are only applied post-migration. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3, 11.0.5 are vulnerable.
Live-migrat
Debian
CVE-2018-14636: neutron - Live-migrated instances are briefly able to inspect traffic for other instances ...
vendor_debian·2018·CVSS 5.3
CVE-2018-14636 [MEDIUM] CVE-2018-14636: neutron - Live-migrated instances are briefly able to inspect traffic for other instances ...
Live-migrated instances are briefly able to inspect traffic for other instances on the same hypervisor. This brief window could be extended indefinitely if the instance's port is set administratively down prior to live-migration and kept down after the migration is complete. This is possible due to the Open vSwitch integration bridge being connected to the instance during migration. When connected to the integration bridge, all traffic for instances using the same Open vSwitch instance would potentially be visible to the migrated guest, as the required Open vSwitch VLAN filters are only applied post-migration. Versions of openstack-neutron before 13.0.0.0b2, 12.0.3, 11.0.5 are vulnerable.
Scope: local
bookworm: resolved (fixed in 2:13.0.0-1)
bullseye: resolved (fixed in 2:13.0.0-1)
forky:
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2018-14636 openstack-neutron: eavesdropping private traffic due to trunk ports after live migration [openstack-rdo]
bugzilla·2018-06-25·CVSS 5.3
CVE-2018-14636 [MEDIUM] CVE-2018-14636 openstack-neutron: eavesdropping private traffic due to trunk ports after live migration [openstack-rdo]
CVE-2018-14636 openstack-neutron: eavesdropping private traffic due to trunk ports after live migration [openstack-rdo]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of openstack-rdo.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discus
Bugzilla
CVE-2018-14636 openstack-neutron: eavesdropping private traffic due to trunk ports after live migration
bugzilla·2018-06-25·CVSS 5.3
CVE-2018-14636 [MEDIUM] CVE-2018-14636 openstack-neutron: eavesdropping private traffic due to trunk ports after live migration
CVE-2018-14636 openstack-neutron: eavesdropping private traffic due to trunk ports after live migration
A flaw was found in Openstack Neutron. During live-migration there is a small time window where the ports of instances are untagged. Instances have a port trunked to the integration bridge and receive 802.1Q tagged private traffic from other tenants. If the port is administratively down during live migration, the port will remain in trunk mode indefinitely. Traffic is possible between ports is that are administratively down, even between tenants self-service networks. This allows end users within their own private network to receive from, and send traffic to, other private networks on the same compute node.
References:
https://bugs.launchpad.net/neutron/+bug/1734320
https://bugs.launc
https://bugs.launchpad.net/neutron/+bug/1734320https://bugs.launchpad.net/neutron/+bug/1767422https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14636https://bugs.launchpad.net/neutron/+bug/1734320https://bugs.launchpad.net/neutron/+bug/1767422https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14636
2018-09-10
Published