Bug 1994695 (CVE-2021-3716) - CVE-2021-3716 nbdkit: NBD_OPT_STRUCTURED_REPLY injection on STARTTLS
Summary: CVE-2021-3716 nbdkit: NBD_OPT_STRUCTURED_REPLY injection on STARTTLS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3716
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1994913 1994914 1994915 1994928 1995692 2040780
Blocks: 1994697 2002253
TreeView+ depends on / blocked
 
Reported: 2021-08-17 17:36 UTC by Mauro Matteo Cascella
Modified: 2022-05-10 13:16 UTC (History)
6 users (show)

Fixed In Version: nbdkit 1.24.6, nbdkit 1.26.5, nbdkit 1.27.6
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2022-02-02 10:02:22 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0397 0 None None None 2022-02-02 08:47:58 UTC
Red Hat Product Errata RHSA-2022:1759 0 None None None 2022-05-10 13:16:46 UTC

Description Mauro Matteo Cascella 2021-08-17 17:36:03 UTC
https://nostarttls.secvuln.info/ pointed out a common implementation
flaw in various SMTP and IMAP servers with regards to improperly
caching plaintext state across the STARTTLS encryption boundary.  It
turns out that nbdkit has the same vulnerability in regards to the NBD
protocol: an attacker is able to inject a plaintext
NBD_OPT_STRUCTURED_REPLY before proxying everything else a client
sends to the server; if the server then acts on that plaintext request
(as nbdkit did before this patch), then the server ends up sending
structured replies to at least NBD_CMD_READ, even though the client
was not expecting them. The NBD spec has been recently tightened to
declare the nbdkit behavior to be a security hole.

Depending on how the client handles unexpected structured replies,
the attacker can use this to form a denial of service attack on the
client, distinct from a trivial protocol downgrade attack. Please refer
to the upstream announcement (comment#10) for additional details.

Comment 3 Mauro Matteo Cascella 2021-08-18 08:05:41 UTC
Created nbdkit tracking bugs for this issue:

Affects: fedora-all [bug 1994928]

Comment 5 Mauro Matteo Cascella 2021-08-18 08:19:37 UTC
This bug was introduced in nbdkit v1.11.8 (March 2019) with the first implementation of NBD Structured Replies:
https://github.com/libguestfs/nbdkit/commit/eaa4c6e9a

Comment 6 Richard W.M. Jones 2021-08-18 09:21:46 UTC
Upstream fix is:
https://listman.redhat.com/archives/libguestfs/2021-August/msg00077.html

There's no upstream commit yet, I'll add a comment here when
the final patch has been pushed upstream.

Comment 10 Eric Blake 2021-08-19 20:52:16 UTC
Upstream announcement:
https://listman.redhat.com/archives/libguestfs/2021-August/msg00083.html

Comment 11 errata-xmlrpc 2022-02-02 08:47:55 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.5.0.Z

Via RHSA-2022:0397 https://access.redhat.com/errata/RHSA-2022:0397

Comment 12 Product Security DevOps Team 2022-02-02 10:02:19 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3716

Comment 13 errata-xmlrpc 2022-05-10 13:16:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1759 https://access.redhat.com/errata/RHSA-2022:1759


Note You need to log in before you can comment on or make changes to this bug.