CVE-2025-0650

Publication date 23 January 2025

Last updated 23 January 2025


Ubuntu priority

Multiple versions of OVN (Open Virtual Network) are vulnerable to allowing crafted UDP packets to bypass egress access control list (ACL) rules. This can result in unauthorized access to virtual machines and containers running on the OVN network.

OVN provides rudimentary DNS caching as an optional feature to speed up lookups of frequently-used domains. When this feature is enabled, due to the OpenFlow rules that OVN installs in Open vSwitch, it is possible for an attacker to craft a UDP packet that can bypass egress ACL rules. Egress ACL rules are those that have the "direction" set to "to-lport".

The OVN installation is vulnerable if a logical switch has DNS records set on it AND if the same switch has any egress ACLs configured on it. The switch is considered to have egress ACLs configured if the switch has an egress ACL configured directly on it using the "acls" column of the logical switch. A switch is also considered to have egress ACLs configured if any of its logical switch ports are part of a port group that has egress ACLs configured in its "acls" column.

A Python script (vuln_test.py) is attached to this advisory and can be used to determine if your installation is vulnerable. Run it in a location where "ovn-nbctl" is installed and can access the northbound database. The script will print to the console whether the installation is vulnerable.
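The precondition above (a logical switch with DNS records that also has egress "to-lport" ACLs, either directly in its "acls" column or through a port group containing one of its ports) can be checked against the northbound database. The following is an added example written for this page; it is not the vuln_test.py script attached to the advisory. It assumes the standard NB schema columns (Logical_Switch.dns_records, .acls, .ports; Port_Group.ports, .acls; ACL.direction) and that `ovn-nbctl --format=json list <table>` returns the usual OVSDB JSON shape with "headings" and "data"; the sample rows embedded below are constructed, not taken from a real deployment.

```python
"""Check logical switches for the CVE-2025-0650 precondition (DNS records + egress ACLs)."""
import json
import subprocess
from typing import Any, Dict, List


def decode_ovsdb_value(value: Any) -> Any:
    """Turn an OVSDB JSON value (RFC 7047 encoding) into plain Python.

    ["uuid", "x"] -> "x", ["set", [...]] -> list, ["map", [[k, v], ...]] -> dict.
    Scalars (strings, ints, bools) are returned unchanged.
    """
    if isinstance(value, list) and len(value) == 2:
        tag, payload = value
        if tag == "uuid":
            return payload
        if tag == "set":
            return [decode_ovsdb_value(v) for v in payload]
        if tag == "map":
            return {decode_ovsdb_value(k): decode_ovsdb_value(v) for k, v in payload}
    return value


def as_list(value: Any) -> List[Any]:
    """OVSDB serialises a single-element set as a bare atom; normalise to a list."""
    return value if isinstance(value, list) else [value]


def rows_to_dicts(table_json: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Convert the {"headings": [...], "data": [[...], ...]} output of `list` into row dicts."""
    headings = table_json["headings"]
    return [dict(zip(headings, (decode_ovsdb_value(v) for v in row)))
            for row in table_json["data"]]


def load_table(table: str) -> List[Dict[str, Any]]:
    """Fetch one NB table via ovn-nbctl (assumed available and able to reach the NB DB)."""
    proc = subprocess.run(["ovn-nbctl", "--format=json", "list", table],
                          check=True, capture_output=True, text=True)
    return rows_to_dicts(json.loads(proc.stdout))


def vulnerable_switches(switches: List[Dict[str, Any]],
                        port_groups: List[Dict[str, Any]],
                        acls: List[Dict[str, Any]]) -> List[str]:
    """Return the sorted names of logical switches that match the advisory's precondition."""
    egress_acls = {a["_uuid"] for a in acls if a["direction"] == "to-lport"}

    # Logical switch ports that belong to at least one port group carrying an egress ACL.
    ports_under_pg_egress = set()
    for pg in port_groups:
        if egress_acls & set(as_list(pg["acls"])):
            ports_under_pg_egress.update(as_list(pg["ports"]))

    affected = []
    for sw in switches:
        if not as_list(sw["dns_records"]):
            continue  # no DNS records on this switch: precondition not met
        direct = egress_acls & set(as_list(sw["acls"]))
        via_pg = ports_under_pg_egress & set(as_list(sw["ports"]))
        if direct or via_pg:
            affected.append(sw["name"])
    return sorted(affected)


def check_live() -> List[str]:
    """Run the check against the real NB database (requires ovn-nbctl)."""
    return vulnerable_switches(load_table("Logical_Switch"),
                               load_table("Port_Group"),
                               load_table("ACL"))


# Constructed sample rows in already-decoded form (uuids shortened for readability).
SAMPLE_ACLS = [
    {"_uuid": "acl-egress", "direction": "to-lport", "priority": 1000, "match": "ip", "action": "drop"},
    {"_uuid": "acl-ingress", "direction": "from-lport", "priority": 1000, "match": "ip", "action": "allow"},
]
SAMPLE_PORT_GROUPS = [
    {"_uuid": "pg-1", "name": "pg-web", "ports": ["lsp-3"], "acls": ["acl-egress"]},
    {"_uuid": "pg-2", "name": "pg-in", "ports": ["lsp-4"], "acls": ["acl-ingress"]},
]
SAMPLE_SWITCHES = [
    {"_uuid": "sw-1", "name": "ls-no-dns", "dns_records": [], "acls": ["acl-egress"], "ports": ["lsp-1"]},
    {"_uuid": "sw-2", "name": "ls-vuln-direct", "dns_records": ["dns-1"], "acls": ["acl-egress"], "ports": []},
    {"_uuid": "sw-3", "name": "ls-vuln-pg", "dns_records": ["dns-1"], "acls": [], "ports": ["lsp-3"]},
    {"_uuid": "sw-4", "name": "ls-dns-ingress-only", "dns_records": ["dns-1"], "acls": ["acl-ingress"], "ports": ["lsp-4"]},
]

if __name__ == "__main__":
    hits = vulnerable_switches(SAMPLE_SWITCHES, SAMPLE_PORT_GROUPS, SAMPLE_ACLS)
    print("vulnerable switches:", hits if hits else "none")
```

On the sample data only "ls-vuln-direct" (egress ACL on the switch itself) and "ls-vuln-pg" (egress ACL reached through port group pg-web) are reported; a switch with DNS records but only "from-lport" ACLs is not. `check_live()` applies the same logic to a real deployment.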

Status

Package   Ubuntu Release    Status
ovn       24.10 oracular    Needs evaluation
ovn       24.04 LTS noble   Needs evaluation
ovn       22.04 LTS jammy   Needs evaluation
ovn       20.04 LTS focal   Needs evaluation