Bug 1956284 (CVE-2021-38575) - CVE-2021-38575 edk2: remote buffer overflow in IScsiHexToBin function in NetworkPkg/IScsiDxe
Summary: CVE-2021-38575 edk2: remote buffer overflow in IScsiHexToBin function in Netw...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-38575
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1956406 1956407 1956408 1956409 1956676 1961100 1969442 1969443 1971481
Blocks: 1935497 1954596
TreeView+ depends on / blocked
 
Reported: 2021-05-03 11:51 UTC by Riccardo Schirone
Modified: 2022-04-17 21:20 UTC (History)
17 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in edk2. Missing checks in the IScsiHexToBin function in NetworkPkg/IScsiDxe lead to a buffer overflow allowing a remote attacker, who can inject himself in the communication between edk2 and the iSCSI target, to write arbitrary data to any address in the edk2 firmware and potentially execute code. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-08-10 19:28:25 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3408 0 None None None 2021-09-01 18:32:34 UTC
Red Hat Product Errata RHSA-2021:3066 0 None None None 2021-08-10 13:52:37 UTC
Red Hat Product Errata RHSA-2021:3172 0 None None None 2021-08-17 08:29:01 UTC
Red Hat Product Errata RHSA-2021:3235 0 None None None 2021-08-19 15:48:38 UTC
Red Hat Product Errata RHSA-2021:3369 0 None None None 2021-08-31 09:12:30 UTC

Description Riccardo Schirone 2021-05-03 11:51:38 UTC
Function IscsiMisc.c:IScsiHexToBin() in NetworkPkg/IScsiDxe does not correctly check the sizes of the input and output buffers, allowing an attacker who can control the input buffer to cause a buffer overflow in the destination buffer. Function IScsiHexToBin is used to decode strings passed as part of iSCSI Challenge-Handshake Authentication Protocol(CHAP), before authentication takes place. Thus an attacker, who can either inject himself in the communication between edk2 and the iSCSI target or control the iSCSI target used by edk2, can trigger this flaw and potentially execute code in the edk2 firmware.

Upstream bug:
https://bugzilla.tianocore.org/show_bug.cgi?id=3356

Comment 1 Riccardo Schirone 2021-05-03 15:20:30 UTC
Acknowledgments:

Name: Laszlo Ersek (Red Hat)

Comment 2 Riccardo Schirone 2021-05-03 15:29:22 UTC
Upstream patches (still under review):
https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c5

Comment 5 Riccardo Schirone 2021-05-03 16:09:52 UTC
When edk2 is configured to use iSCSI, it sends a Login Request to the defined target on the network (which can be configured statically or discovered through DHCP). The target and the initiator, implemented in the edk2 firmware, exchanges CHAP messages to authenticate each other or at least the initiator. The target, potentially malicious as its data come from the network, sends a challenge to the target hex-encoded.

Function IScsiHexToBin is used to convert this challenge to its binary form. The attacker has control over the content of the input string and its length. The vulnerable function does not check if the data provided is enough or correctly formatted, nor if the output binary buffer is big enough to contain the challenge string provided by the target. Thus the attacker can effectively overwrite memory with whatever data he wants.

Comment 6 Riccardo Schirone 2021-05-03 16:12:12 UTC
To trigger this flaw an attacker has to do a Man-in-the-middle attack and modify/inject packets in the communication between the target and the initiator (edk2) or he has to control the target used by the configured firmware (e.g. compromising the server). For these reasons, Attack Complexity is set to High (AC:H).

Comment 9 Laszlo Ersek 2021-05-07 12:56:21 UTC
Upstream v2 patches (under review):
https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c17

Comment 10 Laszlo Ersek 2021-05-14 15:35:46 UTC
(In reply to Laszlo Ersek from comment #9)
> Upstream v2 patches (under review):
> https://bugzilla.tianocore.org/show_bug.cgi?id=3356#c17

Review complete; said patches can be backported.

Comment 29 Laszlo Ersek 2021-06-08 12:17:40 UTC
Public posting:

* [edk2-devel] [PUBLIC edk2 PATCH v2 00/10]
  NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs

Message-Id: <20210608121259.32451-1-lersek>
https://listman.redhat.com/archives/edk2-devel-archive/2021-June/msg00316.html
https://edk2.groups.io/g/devel/message/76198

Comment 30 Riccardo Schirone 2021-06-08 13:10:29 UTC
Created edk2 tracking bugs for this issue:

Affects: epel-all [bug 1969442]
Affects: fedora-all [bug 1969443]

Comment 31 Laszlo Ersek 2021-06-09 19:00:42 UTC
(In reply to Laszlo Ersek from comment #29)
> Public posting:
> 
> * [edk2-devel] [PUBLIC edk2 PATCH v2 00/10]
>   NetworkPkg/IScsiDxe: fix IScsiHexToBin() security and functionality bugs
> 
> Message-Id: <20210608121259.32451-1-lersek>
> https://listman.redhat.com/archives/edk2-devel-archive/2021-June/msg00316.html
> https://edk2.groups.io/g/devel/message/76198

Merged as upstream commit range 702ba436ed8e..b8649cf2a3e6, via <https://github.com/tianocore/edk2/pull/1698>.

Comment 33 errata-xmlrpc 2021-08-10 13:52:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3066 https://access.redhat.com/errata/RHSA-2021:3066

Comment 34 errata-xmlrpc 2021-08-17 08:28:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3172 https://access.redhat.com/errata/RHSA-2021:3172

Comment 35 errata-xmlrpc 2021-08-19 15:48:36 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3235 https://access.redhat.com/errata/RHSA-2021:3235

Comment 36 errata-xmlrpc 2021-08-31 09:12:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3369 https://access.redhat.com/errata/RHSA-2021:3369


Note You need to log in before you can comment on or make changes to this bug.