Hi folks,

I made a summary report regarding the 2022 DPDK CVE issues. In this report, we 
discuss the CVE[i] issues that were fixed in 2022.
A total of 4 CVEs were reported and addressed in 2022; details are as follows.

1. CVE-2021-3839 - Link: https://access.redhat.com/security/cve/CVE-2021-3839
Description: A flaw was discovered in DPDK's Vhost library. The function 
vhost_user_set_inflight_fd() does not validate 
msg->payload.inflight.num_queues, which could result in an out-of-bounds memory 
read/write.
CVSS score: 7.5 (Moderate Impact).
Impact: Any software that uses DPDK's Vhost library could experience crashes 
due to this vulnerability.
Reported-by: Wenxiang Qian.
Solution: We fixed this issue by validating msg->payload.inflight.num_queues and 
rejecting any value that exceeds the maximum number of supported queues.

2. CVE-2022-0669 - Link: https://access.redhat.com/security/cve/CVE-2022-0669
Description: A flaw was discovered in DPDK which allows a malicious primary 
vhost-user to attach an unexpected number of fds as ancillary data to 
VHOST_USER_GET_INFLIGHT_FD / VHOST_USER_SET_INFLIGHT_FD messages. By sending 
such messages continuously, the primary vhost-user exhausts available fd in the 
vhost-user standby process, leading to a denial of service.
CVSS score: 6.5 (Moderate Impact).
Impact: This vulnerability could cause a denial of service (DoS).
Reported-by: David Marchand.
Solution: We limited the number of fds that can be attached as ancillary data 
to the above messages and ensured that they are closed after use.
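The two checks described in items 1 and 2 follow the same pattern: a count supplied by the untrusted vhost-user peer (a queue count, a number of attached fds) must be bounded before it drives a loop, and fds that arrive with a rejected message must be closed so they cannot be leaked. The following is an added illustration written for this summary, not DPDK's own code: the structures, the MAX_VRINGS and MAX_MSG_FDS limits, and the assumption that SET_INFLIGHT_FD carries exactly one fd are all assumptions of the model, and the test harness uses pipe() to obtain real fds so that the closing behaviour can be observed with fcntl().

```c
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>

/* Constructed model of the two checks, not DPDK code; limits and names are assumptions. */
#define MAX_VRINGS        8   /* assumed maximum number of queues per device */
#define MAX_MSG_FDS       8   /* assumed cap on fds carried by one message */
#define INFLIGHT_FD_COUNT 1   /* assumed: SET_INFLIGHT_FD carries exactly one fd */

struct inflight_payload {
    uint64_t mmap_size, mmap_offset;
    uint16_t num_queues;      /* supplied by the peer: attacker-controlled */
    uint16_t queue_size;
};

struct vhost_msg {
    struct inflight_payload inflight;
    int fds[MAX_MSG_FDS];     /* fds received as SCM_RIGHTS ancillary data */
    int fd_num;
};

struct vhost_dev { uint64_t queue_region[MAX_VRINGS]; uint16_t num_queues; };

/* Close every fd attached to a message so a rejected message cannot leak them. */
void close_msg_fds(struct vhost_msg *msg)
{
    for (int i = 0; i < msg->fd_num; i++)
        close(msg->fds[i]);
    msg->fd_num = 0;
}

/* CVE-2022-0669 pattern: a message must carry exactly the fds its type
 * expects; any other count is rejected and the fds are closed. */
int validate_msg_fds(struct vhost_msg *msg, int expected)
{
    if (msg->fd_num == expected)
        return 0;
    close_msg_fds(msg);
    return -1;
}

/* CVE-2021-3839 pattern, before the fix: num_queues is never bounded, so a
 * peer sending num_queues > MAX_VRINGS makes the loop write past queue_region[]. */
void set_inflight_fd_unchecked(struct vhost_dev *dev, const struct vhost_msg *msg)
{
    for (uint16_t i = 0; i < msg->inflight.num_queues; i++)
        dev->queue_region[i] = msg->inflight.mmap_offset + (uint64_t)i * msg->inflight.queue_size;
    dev->num_queues = msg->inflight.num_queues;
}

/* Hardened handler: fd count and queue count are validated before any device
 * state is touched, and the fd is closed once it has been consumed. */
int set_inflight_fd_checked(struct vhost_dev *dev, struct vhost_msg *msg)
{
    if (validate_msg_fds(msg, INFLIGHT_FD_COUNT) < 0)
        return -1;
    uint16_t n = msg->inflight.num_queues;
    if (n == 0 || n > MAX_VRINGS) {
        close_msg_fds(msg);
        return -1;
    }
    for (uint16_t i = 0; i < n; i++)
        dev->queue_region[i] = msg->inflight.mmap_offset + (uint64_t)i * msg->inflight.queue_size;
    dev->num_queues = n;
    close_msg_fds(msg);       /* the region would be mmap'ed here; the fd is no longer needed */
    return 0;
}

/* Test harness: attach nfds real fds (a pipe end plus dup()s of it) to msg. */
int attach_pipe_fds(struct vhost_msg *msg, int nfds)
{
    int p[2];
    if (nfds < 1 || nfds > MAX_MSG_FDS || pipe(p) < 0)
        return -1;
    close(p[1]);
    msg->fds[0] = p[0];
    for (msg->fd_num = 1; msg->fd_num < nfds; msg->fd_num++)
        msg->fds[msg->fd_num] = dup(p[0]);
    return msg->fd_num;
}

enum { OUTCOME_ACCEPTED = 0, OUTCOME_REJECTED = 1, OUTCOME_FD_LEAK = 2, OUTCOME_ERROR = -1 };

/* Run one message through the hardened handler and report what happened,
 * checking with fcntl() that no attached fd is left open afterwards. */
int inflight_scenario(uint16_t num_queues, int nfds)
{
    struct vhost_dev dev = {0};
    struct vhost_msg msg = {0};
    int saved[MAX_MSG_FDS], n = attach_pipe_fds(&msg, nfds);
    if (n < 0)
        return OUTCOME_ERROR;
    for (int i = 0; i < n; i++)
        saved[i] = msg.fds[i];
    msg.inflight.num_queues = num_queues;
    int rc = set_inflight_fd_checked(&dev, &msg);
    for (int i = 0; i < n; i++)
        if (fcntl(saved[i], F_GETFD) != -1)
            return OUTCOME_FD_LEAK;
    if (rc < 0)
        return OUTCOME_REJECTED;
    return dev.num_queues == num_queues ? OUTCOME_ACCEPTED : OUTCOME_ERROR;
}
```

inflight_scenario(2, 1) is accepted, while inflight_scenario(MAX_VRINGS + 1, 1) and inflight_scenario(2, 3) are rejected with every attached fd closed; the unchecked variant is shown only to make the missing bound visible and is deliberately never called with an oversized num_queues.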

3. CVE-2022-2132 - Link: https://access.redhat.com/security/cve/CVE-2022-2132
Description: A flaw was found in DPDK that allows a remote attacker to cause a 
denial of service through a crafted Vhost header. The copy_desc_to_mbuf() 
function assumed that the Vhost header does not span more than two 
descriptors; if a malicious entity sends a packet whose Vhost header spans 
more than two descriptors, the buf_avail value becomes a very large number 
close to 4G, which blocks other guest traffic and results in a denial of service.
CVSS score: 8.6 (Important Impact).
Impact: This vulnerability could cause a denial of service (DoS).
Reported-by: Cong Wang.
Solution: We fixed this by checking the Vhost header length to ensure it does 
not exceed two descriptors.
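The failure mode in item 3 is an unsigned length that is reduced by a remaining header length it cannot cover, so it wraps to a value near 4G instead of failing. The following is an added illustration for this summary, not DPDK's copy_desc_to_mbuf(): the descriptor chain, the 12-byte header size and the two helper functions are a constructed model, and only the shape of the bug and of the check (reject a chain whose header needs a third descriptor) is taken from the description above.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed model of a vhost descriptor chain; not DPDK's copy_desc_to_mbuf(). */
#define VHOST_HDR_LEN 12u   /* assumed: size of the virtio-net header with the mergeable-buffer field */

struct desc { uint32_t len; };   /* only the byte length of each descriptor matters here */

/* Before the fix: assumes the header ends within the first two descriptors.
 * If descriptor 1 is also shorter than the remaining header, the subtraction
 * is performed anyway and buf_avail wraps to a value close to 4G. */
uint32_t payload_avail_unchecked(const struct desc *chain, size_t n)
{
    uint32_t hdr_remain = VHOST_HDR_LEN;
    uint32_t buf_avail = chain[0].len;
    if (buf_avail < hdr_remain) {            /* header continues into descriptor 1 */
        hdr_remain -= buf_avail;
        buf_avail = (n > 1) ? chain[1].len : 0;
    }
    return buf_avail - hdr_remain;           /* unsigned wrap when chain[1].len < hdr_remain */
}

/* After the fix: walk descriptors until the header is consumed and reject the
 * chain if that needs more than two descriptors or the chain ends early.
 * Returns the payload bytes left in the descriptor where the header ends, or -1. */
int64_t payload_avail_checked(const struct desc *chain, size_t n)
{
    uint32_t hdr_remain = VHOST_HDR_LEN;
    size_t idx = 0;
    while (idx < n && chain[idx].len < hdr_remain) {
        hdr_remain -= chain[idx].len;
        if (++idx > 1)
            return -1;                       /* header would cross more than two descriptors */
    }
    if (idx >= n)
        return -1;                           /* chain exhausted before the header was complete */
    return (int64_t)(chain[idx].len - hdr_remain);
}

/* Constructed sample chains (descriptor lengths in bytes). */
const struct desc chain_ok[]  = { {64} };              /* header fits in descriptor 0 */
const struct desc chain_two[] = { {4}, {100} };        /* header spans descriptors 0 and 1 */
const struct desc chain_bad[] = { {4}, {4}, {100} };   /* header would need three descriptors */
```

On chain_bad the unchecked version returns 4294967292 (4 - 8 wrapped in 32 bits), which is the "very large number near 4G" from the advisory text; the checked version returns -1 for the same chain and the same values as the unchecked one for the well-formed chains.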

4. CVE-2022-28199 - Link: https://access.redhat.com/security/cve/CVE-2022-28199
Description: A flaw was found in DPDK's mlx5 driver that can lead to a denial 
of service (DoS) and system unavailability. When the mlx5 driver encounters a 
failure, error recovery is not handled properly, which allows remote attackers 
to cause a DoS and some impact to data integrity and confidentiality.
CVSS score: 6.5 (Moderate Impact).
Impact: This vulnerability could cause DoS and some impact to data integrity 
and confidentiality.
Reported-by: Thomas Monjalon.
Solution: We improved the error recovery mechanism for the mlx5 driver to 
handle failures properly.

In summary, 3 Moderate Impact CVEs and 1 Important Impact CVE in DPDK were 
reported and addressed in 2022. Our top priority is delivering high-quality, 
secure software to our customers and partners. Our commitment to this goal 
remains unchanged. If you have any questions or feedback, please do not hesitate 
to contact us.
The Security Team can be reached via secur...@dpdk.org.
For any security report, messages should be encrypted with the following GPG 
keys:

  *   213127A63D9087C9 - Cheng Jiang
  *   80A77F6095CDE47E - Stephen Hemminger
  *   683000CC50B9E390 - Thomas Monjalon

Last but not least, I would like to extend our sincere gratitude to everyone 
involved in the timely identification and remediation of these security issues. 
Without the diligent efforts of our developers, testers, and security 
researchers, issues like these could have gone unnoticed and caused harm. By 
working together as a community, we were able to solve these CVEs promptly and 
will continue enhancing our systems and software to prevent future 
vulnerabilities. Thank you all again for your dedication and support. Let's 
keep working to build secure and trustworthy technologies for the benefit of 
all.

Best Regards,
Cheng


________________________________
[i] CVE is an acronym for Common Vulnerabilities and Exposures, which is a 
database featuring publicly disclosed information security issues. Each 
vulnerability listed in CVE has a unique identification number. CVE serves as a 
dependable and convenient way for academics, enterprises, vendors, and other 
interested parties to exchange information about cyber security issues.

