Bug 1994695 (CVE-2021-3716)

Summary:	CVE-2021-3716 nbdkit: NBD_OPT_STRUCTURED_REPLY injection on STARTTLS
Product:	[Other] Security Response	Reporter:	Mauro Matteo Cascella <mcascell>
Component:	vulnerability	Assignee:	Red Hat Product Security <security-response-team>
Status:	CLOSED ERRATA	QA Contact:
Severity:	low	Docs Contact:
Priority:	low
Version:	unspecified	CC:	eblake, michal.skrivanek, mperina, rjones, sbonazzo, virt-maint
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	nbdkit 1.24.6, nbdkit 1.26.5, nbdkit 1.27.6	Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.	Story Points:	---
Clone Of:		Environment:
Last Closed:	2022-02-02 10:02:22 UTC	Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1994913, 1994914, 1994915, 1994928, 1995692, 2040780
Bug Blocks:	1994697, 2002253

Description Mauro Matteo Cascella 2021-08-17 17:36:03 UTC

https://nostarttls.secvuln.info/ pointed out a common implementation
flaw in various SMTP and IMAP servers with regards to improperly
caching plaintext state across the STARTTLS encryption boundary.  It
turns out that nbdkit has the same vulnerability in regards to the NBD
protocol: an attacker is able to inject a plaintext
NBD_OPT_STRUCTURED_REPLY before proxying everything else a client
sends to the server; if the server then acts on that plaintext request
(as nbdkit did before this patch), then the server ends up sending
structured replies to at least NBD_CMD_READ, even though the client
was not expecting them. The NBD spec has been recently tightened to
declare the nbdkit behavior to be a security hole.

Depending on how the client handles unexpected structured replies,
the attacker can use this to form a denial of service attack on the
client, distinct from a trivial protocol downgrade attack. Please refer
to the upstream announcement (comment#10) for additional details.

Comment 3 Mauro Matteo Cascella 2021-08-18 08:05:41 UTC

Created nbdkit tracking bugs for this issue:

Affects: fedora-all [bug 1994928]

Comment 5 Mauro Matteo Cascella 2021-08-18 08:19:37 UTC

This bug was introduced in nbdkit v1.11.8 (March 2019) with the first implementation of NBD Structured Replies:
https://github.com/libguestfs/nbdkit/commit/eaa4c6e9a

Comment 6 Richard W.M. Jones 2021-08-18 09:21:46 UTC

Upstream fix is:
https://listman.redhat.com/archives/libguestfs/2021-August/msg00077.html

There's no upstream commit yet, I'll add a comment here when
the final patch has been pushed upstream.

Comment 7 Richard W.M. Jones 2021-08-19 07:28:15 UTC

The fixes are:

https://gitlab.com/nbdkit/nbdkit/-/commit/09a13dafb7bb3a38ab52eb5501cba786365ba7fd
https://gitlab.com/nbdkit/nbdkit/-/commit/6c5faac6a37077cf2366388a80862bb00616d0d8

Comment 10 Eric Blake 2021-08-19 20:52:16 UTC

Upstream announcement:
https://listman.redhat.com/archives/libguestfs/2021-August/msg00083.html

Comment 11 errata-xmlrpc 2022-02-02 08:47:55 UTC

This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.5.0.Z

Via RHSA-2022:0397 https://access.redhat.com/errata/RHSA-2022:0397

Comment 12 Product Security DevOps Team 2022-02-02 10:02:19 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3716

Comment 13 errata-xmlrpc 2022-05-10 13:16:43 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1759 https://access.redhat.com/errata/RHSA-2022:1759