VYPR
High severity · NVD Advisory · Published Aug 31, 2021 · Updated Aug 4, 2024

CVE-2021-40085

Description

An issue was discovered in OpenStack Neutron before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1. Authenticated attackers can reconfigure dnsmasq via a crafted extra_dhcp_opts value.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A vulnerability in OpenStack Neutron allows authenticated attackers to reconfigure dnsmasq via a crafted extra_dhcp_opts value, potentially leading to denial of service or privilege escalation.

Vulnerability

A vulnerability in OpenStack Neutron, affecting versions before 16.4.1, 17.x before 17.2.1, and 18.x before 18.1.1, allows an authenticated attacker to inject arbitrary configuration into the dnsmasq process by supplying a specially crafted extra_dhcp_opts value [1][2]. This issue occurs within the DHCP agent component that manages dnsmasq instances for tenant networks.

Exploitation

An attacker with authenticated access to Neutron can craft a request containing a malicious extra_dhcp_opts value. This value is passed to the dnsmasq process, enabling the addition of arbitrary configuration parameters. The attacker needs no privileges beyond ordinary authenticated access and can exploit the vulnerability from a tenant network context [2].
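The following added example (not Neutron's code and not part of the advisory) shows why a newline in an option value matters and what the fix commit listed under Patches changes. The function names and the `SAMPLE_PORT_OPTS` data are assumptions made for illustration; only the `split("\n", 1)[0]` step and the `'aaa\nbbb.ccc\n'` value come from the diff on this page.

```python
# Added example: simplified stand-ins, not Neutron's own functions.
SAMPLE_PORT_OPTS = [  # constructed input; second value is from the page's unit test
    ('port-hhhhhhhh', 'dns-server', 'ffea:3ba5:a17a:4ba3::100'),
    ('port-hhhhhhhh', 'malicious-option', 'aaa\nbbb.ccc\n'),
]


def format_option_unpatched(tag, option, *args):
    """Pre-fix shape: values are joined into the entry verbatim."""
    return ','.join(('tag:' + tag, 'option:%s' % option) + args)


def format_option_patched(tag, option, *args):
    """Post-fix shape: each value is cut at its first newline."""
    tags = ['tag:' + tag, 'option:%s' % option]
    return ','.join(tags + [v.split("\n", 1)[0] for v in args])


def render_opts_file(formatter, port_opts):
    """One entry per option, newline-separated, as in the expected test data."""
    return '\n'.join(formatter(t, n, v) for t, n, v in port_opts)


def config_lines(rendered):
    """Non-empty lines a line-oriented config parser would see."""
    return [line for line in rendered.split('\n') if line]


def multiline_entries(formatter, port_opts):
    """Audit helper: option names whose single entry spans several lines."""
    return [n for t, n, v in port_opts if '\n' in formatter(t, n, v)]


if __name__ == '__main__':
    for fmt in (format_option_unpatched, format_option_patched):
        lines = config_lines(render_opts_file(fmt, SAMPLE_PORT_OPTS))
        print(fmt.__name__, len(lines), 'lines;',
              'multi-line entries:', multiline_entries(fmt, SAMPLE_PORT_OPTS))
```

With the unpatched formatter, two options produce three lines, and the third line is text the caller supplied; with the patched formatter the file has exactly one line per option.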

Impact

Successful exploitation allows the attacker to reconfigure dnsmasq arbitrarily, which can lead to denial of service by crashing the service, altering parameters for other tenants sharing the same interface, or triggering a configuration parsing buffer overflow that may enable further compromise [2]. This impacts the confidentiality, integrity, and availability of the Neutron networking service and affected tenant networks.

Mitigation

The vulnerability is fixed in Neutron versions 16.4.1, 17.2.1, and 18.1.1, released on August 31, 2021 [1][2]. Users should upgrade to these patched versions immediately. No workarounds are currently available, and the issue is actively tracked as CVE-2021-40085 [2]. It is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| neutron (PyPI) | < 16.4.1 | 16.4.1 |
| neutron (PyPI) | >= 17.0.0, < 17.2.1 | 17.2.1 |
| neutron (PyPI) | >= 18.0.0, < 18.1.1 | 18.1.1 |

Affected products

53

Patches

1
df891f0593d2

Remove dhcp_extra_opt value after first newline character

https://github.com/openstack/neutron · Slawek Kaplonski · Aug 31, 2021 · via ghsa
3 files changed · +16 −4
  • neutron/agent/linux/dhcp.py+4 3 modified
    @@ -1322,10 +1322,11 @@ def _format_option(self, ip_version, tag, option, *args):
             elif not option.isdigit():
                 option = 'option:%s' % option
             if extra_tag:
    -            tags = ('tag:' + tag, extra_tag[:-1], '%s' % option)
    +            tags = ['tag:' + tag, extra_tag[:-1], '%s' % option]
             else:
    -            tags = ('tag:' + tag, '%s' % option)
    -        return ','.join(tags + args)
    +            tags = ['tag:' + tag, '%s' % option]
    +
    +        return ','.join(tags + [v.split("\n", 1)[0] for v in args])
     
         @staticmethod
         def _convert_to_literal_addrs(ip_version, ips):
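
Review bot: the truncation in the new return line covers only the elements of args; tag, extra_tag and option are still joined unchanged, so if any of them can carry caller-supplied text they need the same treatment. The cut at the first "\n" is also silent: consider logging a warning when a value contains a newline so the attempt is visible to operators, and note that v.split assumes every element of args is a string.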
    
  • neutron/tests/unit/agent/linux/test_dhcp.py+6 1 modified
    @@ -230,6 +230,9 @@ def __init__(self):
             self.extra_dhcp_opts = [
                 DhcpOpt(opt_name='dns-server',
                         opt_value='ffea:3ba5:a17a:4ba3::100',
    +                    ip_version=constants.IP_VERSION_6),
    +            DhcpOpt(opt_name='malicious-option',
    +                    opt_value='aaa\nbbb.ccc\n',
                         ip_version=constants.IP_VERSION_6)]
     
     
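Review bot: the new DhcpOpt fixture only covers a value with text before its first newline ('aaa\nbbb.ccc\n'). Add a case whose opt_value begins with "\n": split("\n", 1)[0] then returns an empty string, so the entry would be written with an empty value, and the test should pin whether that is intended or whether such an option should be skipped.
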
    @@ -2910,7 +2913,9 @@ def test_host_and_opts_file_on_stateless_dhcpv6_network(
             exp_opt_data = ('tag:subnet-eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee,'
                             'option6:domain-search,openstacklocal\n'
                             'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
    -                        'option6:dns-server,ffea:3ba5:a17a:4ba3::100').lstrip()
    +                        'option6:dns-server,ffea:3ba5:a17a:4ba3::100\n'
    +                        'tag:port-hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh,'
    +                        'option6:malicious-option,aaa').lstrip()
             dm = self._get_dnsmasq(FakeV6NetworkStatelessDHCP())
             dm._output_hosts_file()
             dm._output_opts_file()
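
Review bot: the updated exp_opt_data exercises the truncation only through the stateless DHCPv6 opts file (option6:malicious-option,aaa). A direct unit test of _format_option, plus an IPv4 case, would pin the behaviour independently of this one network fixture.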
    
  • releasenotes/notes/fix-newline-chars-in-dhcp-extra-options-bf86d30371556d63.yaml+6 0 added
    @@ -0,0 +1,6 @@
    +---
    +security:
    +  - |
    +    Fix `bug 1939733 <https://bugs.launchpad.net/neutron/+bug/1939733>`_ by
    +    dropping from the dhcp extra option values everything what is after first
    +    newline (``\n``) character before passing them to the dnsmasq.
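
Review bot: "everything what is after first newline" should read "everything after the first newline". The note should also say that the value is truncated silently at the point the agent formats it for dnsmasq; none of the three files in this change adds validation when the value is submitted, which operators reading the release note will want to know.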
    

References

10
