Bug 1994695 (CVE-2021-3716) - CVE-2021-3716 nbdkit: NBD_OPT_STRUCTURED_REPLY injection on STARTTLS
Summary: CVE-2021-3716 nbdkit: NBD_OPT_STRUCTURED_REPLY injection on STARTTLS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1994913 1994914 1994915 1994928 1995692 2040780
Blocks: 1994697 2002253
TreeView+ depends on / blocked
 
Reported: 2021-08-17 17:36 UTC by Mauro Matteo Cascella
Modified: 2022-05-10 13:16 UTC (History)
6 users (show)

Fixed In Version: nbdkit 1.24.6, nbdkit 1.26.5, nbdkit 1.27.6
Clone Of:
Environment:
Last Closed: 2022-02-02 10:02:22 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0397 0 None None None 2022-02-02 08:47:58 UTC
Red Hat Product Errata RHSA-2022:1759 0 None None None 2022-05-10 13:16:46 UTC

Description Mauro Matteo Cascella 2021-08-17 17:36:03 UTC 
https://nostarttls.secvuln.info/ pointed out a common implementation
flaw in various SMTP and IMAP servers with regards to improperly
caching plaintext state across the STARTTLS encryption boundary.  It
turns out that nbdkit has the same vulnerability in regards to the NBD
protocol: an attacker is able to inject a plaintext
NBD_OPT_STRUCTURED_REPLY before proxying everything else a client
sends to the server; if the server then acts on that plaintext request
(as nbdkit did before this patch), then the server ends up sending
structured replies to at least NBD_CMD_READ, even though the client
was not expecting them. The NBD spec has been recently tightened to
declare the nbdkit behavior to be a security hole.

Depending on how the client handles unexpected structured replies,
the attacker can use this to form a denial of service attack on the
client, distinct from a trivial protocol downgrade attack. Please refer
to the upstream announcement (comment#10) for additional details.
Comment 3 Mauro Matteo Cascella 2021-08-18 08:05:41 UTC 
Created nbdkit tracking bugs for this issue:

Affects: fedora-all [bug 1994928]
Comment 5 Mauro Matteo Cascella 2021-08-18 08:19:37 UTC 
This bug was introduced in nbdkit v1.11.8 (March 2019) with the first implementation of NBD Structured Replies:
https://github.com/libguestfs/nbdkit/commit/eaa4c6e9a
Comment 6 Richard W.M. Jones 2021-08-18 09:21:46 UTC 
Upstream fix is:
https://listman.redhat.com/archives/libguestfs/2021-August/msg00077.html

There's no upstream commit yet, I'll add a comment here when
the final patch has been pushed upstream.
Comment 7 Richard W.M. Jones 2021-08-19 07:28:15 UTC 
The fixes are:

https://gitlab.com/nbdkit/nbdkit/-/commit/09a13dafb7bb3a38ab52eb5501cba786365ba7fd
https://gitlab.com/nbdkit/nbdkit/-/commit/6c5faac6a37077cf2366388a80862bb00616d0d8
Comment 10 Eric Blake 2021-08-19 20:52:16 UTC 
Upstream announcement:
https://listman.redhat.com/archives/libguestfs/2021-August/msg00083.html
Comment 11 errata-xmlrpc 2022-02-02 08:47:55 UTC 
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.5.0.Z

Via RHSA-2022:0397 https://access.redhat.com/errata/RHSA-2022:0397
Comment 12 Product Security DevOps Team 2022-02-02 10:02:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3716
Comment 13 errata-xmlrpc 2022-05-10 13:16:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1759 https://access.redhat.com/errata/RHSA-2022:1759
Note You need to log in before you can comment on or make changes to this bug.