Bug 2302865 (CVE-2024-7383)
| Field | Value |
|---|---|
| Summary | CVE-2024-7383 libnbd: NBD server improper certificate validation |
| Product | [Other] Security Response |
| Reporter | RaTasha Tillery-Smith <rtillery> |
| Component | vulnerability |
| Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW --- |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | carnil, rjones |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic. |
| Story Points | --- |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
| Bug Depends On | 2303078 |
Description
RaTasha Tillery-Smith
2024-08-05 13:03:52 UTC
Comment #1 (Salvatore Bonaccorso):

I'm a bit confused about the exact scope of this CVE, does it apply to the whole set of separate related problems found?

Comment #2 (Salvatore Bonaccorso):

More concretely:

- https://gitlab.com/nbdkit/libnbd/-/commit/87ef41b69929d5d293390ec36b1c10aba2c9a57a (v1.20.2)
- https://gitlab.com/nbdkit/libnbd/-/commit/6ed47a27d14f6f11946bb096d94e5bf21d97083d (v1.20.2)
- https://gitlab.com/nbdkit/libnbd/-/commit/5ff09cdbbd19226dd2d5015d76134f88dee9321e (v1.20.2)
- https://gitlab.com/nbdkit/libnbd/-/commit/7a45b5db68c59cc620ba328f0ebec1e7058cd95a (v1.21.1)
- https://gitlab.com/nbdkit/libnbd/-/commit/e62185645c4d1a833d40aa79f3fee4ed477827c2 (v1.21.1)

Are the latter two also considered part of CVE-2024-7383?

Reply to comment #1:

> I'm a bit confused about the exact scope of this CVE, does it apply to the whole set of separate related problems found?

Yes, the single CVE applies to all the problems. They are fixed in the following versions of libnbd:

- 1.21.1 (development)
- 1.20.2 (stable)
- 1.18.5 (stable)

Reply to comment #2:

> More concretely:
>
> https://gitlab.com/nbdkit/libnbd/-/commit/87ef41b69929d5d293390ec36b1c10aba2c9a57a (v1.20.2)
> https://gitlab.com/nbdkit/libnbd/-/commit/6ed47a27d14f6f11946bb096d94e5bf21d97083d (v1.20.2)
> https://gitlab.com/nbdkit/libnbd/-/commit/5ff09cdbbd19226dd2d5015d76134f88dee9321e (v1.20.2)
> https://gitlab.com/nbdkit/libnbd/-/commit/7a45b5db68c59cc620ba328f0ebec1e7058cd95a (v1.21.1)
> https://gitlab.com/nbdkit/libnbd/-/commit/e62185645c4d1a833d40aa79f3fee4ed477827c2 (v1.21.1)
>
> Are the latter two also considered part of CVE-2024-7383?

The latter two are nice to have, but not part of the security fix. That's why they were not backported. If you update Debian to >= 1.18.5 or >= 1.20.2 or >= 1.21.1, then you will have fixed everything for the CVE.

Salvatore: Checking the Debian packages, I see you also have 1.6.1 and 1.14.2 in the oldstable and stable branches respectively. Do you need backports to those? https://packages.debian.org/search?keywords=libnbd

As it happens, we may also need to backport the fix to the 1.6 branch (because of RHEL 8). Anyway, let me know if you need this.

Errata notice:

This issue has been addressed in the following products: Red Hat Enterprise Linux 9. Via RHSA-2024:6757 https://access.redhat.com/errata/RHSA-2024:6757

Errata notice:

This issue has been addressed in the following products: Red Hat Enterprise Linux 8. Via RHSA-2024:6964 https://access.redhat.com/errata/RHSA-2024:6964