Bug 1956284 (CVE-2021-38575)

Summary: CVE-2021-38575 edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe
Product: [Other] Security Response
Reporter: Riccardo Schirone <rschiron>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: berrange, crobinso, dblechte, dfediuck, eedri, kraxel, lersek, mgoldboi, michal.skrivanek, pbonzini, philmd, sbonazzo, security-response-team, sherold, virt-maint, virt-maint, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in edk2. Missing checks in the IScsiHexToBin function in NetworkPkg/IScsiDxe lead to a buffer overflow allowing a remote attacker, who can inject himself in the communication between edk2 and the iSCSI target, to write arbitrary data to any address in the edk2 firmware and potentially execute code. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-08-10 19:28:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1969442, 1956406, 1956407, 1956408, 1956409, 1956676, 1961100, 1969443, 1971481
Bug Blocks: 1935497, 1954596

Description Riccardo Schirone 2021-05-03 11:51:38 UTC
Function IscsiMisc.c:IScsiHexToBin() in NetworkPkg/IScsiDxe does not correctly check the sizes of the input and output buffers, allowing an attacker who can control the input buffer to cause a buffer overflow in the destination buffer. Function IScsiHexToBin is used to decode strings passed as part of the iSCSI Challenge-Handshake Authentication Protocol (CHAP), before authentication takes place. Thus an attacker, who can either inject himself in the communication between edk2 and the iSCSI target or control the iSCSI target used by edk2, can trigger this flaw and potentially execute code in the edk2 firmware.

Upstream bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=3356

Comment 1 Riccardo Schirone 2021-05-03 15:20:30 UTC
Acknowledgments:

Name: Laszlo Ersek (Red Hat)

Comment 2 Riccardo Schirone 2021-05-03 15:29:22 UTC
Upstream patches (still under review):
https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c5

Comment 5 Riccardo Schirone 2021-05-03 16:09:52 UTC
When edk2 is configured to use iSCSI, it sends a Login Request to the defined target on the network (which can be configured statically or discovered through DHCP). The target and the initiator, implemented in the edk2 firmware, exchange CHAP messages to authenticate each other or at least the initiator. The target, potentially malicious as its data come from the network, sends a challenge to the target hex-encoded.

Function IScsiHexToBin is used to convert this challenge to its binary form. The attacker has control over the content of the input string and its length. The vulnerable function does not check if the data provided is enough or correctly formatted, nor if the output binary buffer is big enough to contain the challenge string provided by the target. Thus the attacker can effectively overwrite memory with whatever data he wants.
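The decoder pattern this comment describes, shown as an added example in C. It is not edk2's IScsiHexToBin() and not code from this report: the function names, the 64-byte challenge buffer, the error codes and the handling of an optional "0x" prefix are all assumptions made for the illustration. The unchecked variant lets the attacker-controlled input length decide how many bytes are written; the checked variant rejects odd-length or non-hex input and refuses to decode more bytes than the caller's buffer holds, which are exactly the three checks the report says are missing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example decoder for a network-supplied CHAP challenge (constructed
 * illustration, not edk2 code). CHALLENGE_MAX is an assumed buffer size. */
#define CHALLENGE_MAX 64

typedef enum {
    HEX_OK = 0,
    HEX_ERR_ODD_LENGTH,   /* trailing half byte: malformed input          */
    HEX_ERR_BAD_DIGIT,    /* character outside [0-9a-fA-F]                */
    HEX_ERR_TOO_LONG      /* decoded data would not fit the output buffer */
} hex_status;

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Unsafe pattern: the output capacity is never consulted and invalid
 * digits are folded in silently, so strlen(hex)/2 alone decides how many
 * bytes land in `out`. Kept only to contrast with the checked version. */
size_t hex_to_bin_unchecked(uint8_t *out, const char *hex)
{
    size_t n = strlen(hex) / 2;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(((unsigned)hex_nibble(hex[2 * i]) << 4) |
                           (unsigned)hex_nibble(hex[2 * i + 1]));
    return n;
}

/* Hardened version: validates format and bounds before writing anything. */
hex_status hex_to_bin_checked(uint8_t *out, size_t out_cap, size_t *out_len,
                              const char *hex, size_t hex_len)
{
    /* Assumption: the value may carry a "0x"/"0X" prefix. */
    if (hex_len >= 2 && hex[0] == '0' && (hex[1] == 'x' || hex[1] == 'X')) {
        hex += 2;
        hex_len -= 2;
    }
    if (hex_len % 2 != 0)
        return HEX_ERR_ODD_LENGTH;
    size_t need = hex_len / 2;
    if (need > out_cap)              /* the bound the report says is missing */
        return HEX_ERR_TOO_LONG;
    for (size_t i = 0; i < need; i++) {
        int hi = hex_nibble(hex[2 * i]);
        int lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return HEX_ERR_BAD_DIGIT;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    *out_len = need;
    return HEX_OK;
}

/* Decode a constructed challenge of `hex_chars` repeated 'a' digits into a
 * CHALLENGE_MAX-byte buffer, to make the size boundary visible. */
hex_status decode_synthetic_challenge(size_t hex_chars)
{
    char hex[512];
    uint8_t challenge[CHALLENGE_MAX];
    size_t len = 0;
    if (hex_chars >= sizeof hex)
        hex_chars = sizeof hex - 1;
    memset(hex, 'a', hex_chars);
    hex[hex_chars] = '\0';
    return hex_to_bin_checked(challenge, sizeof challenge, &len, hex, hex_chars);
}

int main(void)
{
    uint8_t buf[CHALLENGE_MAX];
    size_t len = 0;
    const char *sample = "0x0102ff";   /* constructed sample challenge */
    hex_status st = hex_to_bin_checked(buf, sizeof buf, &len, sample, strlen(sample));
    printf("%s -> status %d, %zu bytes\n", sample, (int)st, len);
    printf("128 hex digits -> status %d\n", (int)decode_synthetic_challenge(128));
    printf("130 hex digits -> status %d\n", (int)decode_synthetic_challenge(130));
    printf("unchecked decoder of \"0102\" wrote %zu bytes\n",
           hex_to_bin_unchecked(buf, "0102"));
    return 0;
}
```

The unchecked decoder behaves identically on well-formed, correctly sized input, which is why this class of bug survives functional testing; only the over-long and malformed cases separate the two, and those are exactly the inputs a network peer controls.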

Comment 6 Riccardo Schirone 2021-05-03 16:12:12 UTC
To trigger this flaw an attacker has to do a Man-in-the-middle attack and modify/inject packets in the communication between the target and the initiator (edk2) or he has to control the target used by the configured firmware (e.g. compromising the server). For these reasons, Attack Complexity is set to High (AC:H).

Comment 9 Laszlo Ersek 2021-05-07 12:56:21 UTC
Upstream v2 patches (under review):
https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c17

Comment 10 Laszlo Ersek 2021-05-14 15:35:46 UTC
(In reply to Laszlo Ersek from comment #9)
> Upstream v2 patches (under review):
> https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c17

Review complete; said patches can be backported.

Comment 29 Laszlo Ersek 2021-06-08 12:17:40 UTC
Public posting:

* [edk2-devel] [PUBLIC edk2 PATCH v2 00/10]
  NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs

Message-Id: <20210608121259.32451-1-lersek>
https://listman.redhat.com/archives/edk2-devel-archive/2021-June/msg00316.html
https://edk2.groups.io/g/devel/message/76198

Comment 30 Riccardo Schirone 2021-06-08 13:10:29 UTC
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1969442]
Affects: fedora-all [bug 1969443]

Comment 31 Laszlo Ersek 2021-06-09 19:00:42 UTC
(In reply to Laszlo Ersek from comment #29)
> Public posting:
> 
> * [edk2-devel] [PUBLIC edk2 PATCH v2 00/10]
>   NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs
> 
> Message-Id: <20210608121259.32451-1-lersek>
> https://listman.redhat.com/archives/edk2-devel-archive/2021-June/msg00316.html
> https://edk2.groups.io/g/devel/message/76198

Merged as upstream commit range 702ba436ed8e..b8649cf2a3e6, via <https://github.com/tianocore/edk2/pull/1698>.

Comment 33 errata-xmlrpc 2021-08-10 13:52:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3066 https://access.redhat.com/errata/RHSA-2021:3066

Comment 34 errata-xmlrpc 2021-08-17 08:28:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3172 https://access.redhat.com/errata/RHSA-2021:3172

Comment 35 errata-xmlrpc 2021-08-19 15:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3235 https://access.redhat.com/errata/RHSA-2021:3235

Comment 36 errata-xmlrpc 2021-08-31 09:12:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3369 https://access.redhat.com/errata/RHSA-2021:3369