Improper access control in openstack-neutron

#VU57242 Improper access control in openstack-neutron

Published: 2021-10-12

Vulnerability identifier: #VU57242

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2021-40085

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
openstack-neutron
Client/Desktop applications / Other client software

Vendor: Openstack

Description

The vulnerability allows a remote user to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote user can bypass implemented security restrictions and reconfigure dnsmasq via a crafted extra_dhcp_opts value.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

openstack-neutron: 18.0.0 - 18.1.0, 17.0.0 - 17.2.0, 16.0.0 - 16.4.0

Fixed software versions

CPE

cpe:2.3:a:openstack:openstack-neutron:18.1.0:*:*:*:*:*:*:*

External links
http://security.openstack.org/ossa/OSSA-2021-005.html
http://launchpad.net/bugs/1939733
http://www.openwall.com/lists/oss-security/2021/08/31/2
http://lists.debian.org/debian-lts-announce/2021/10/msg00005.html
http://www.debian.org/security/2021/dsa-4983

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in Juniper Networks Contrail Cloud

Ubuntu update for neutron

SUSE update for openstack-neutron

Multiple vulnerabilities in Openstack Neutron