Bug 2302865 (CVE-2024-7383) - CVE-2024-7383 libnbd: NBD server improper certificate validation
Summary: CVE-2024-7383 libnbd: NBD server improper certificate validation
Keywords:
Status: NEW
Alias: CVE-2024-7383
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2303078
Blocks:
Reported: 2024-08-05 13:03 UTC by RaTasha Tillery-Smith
Modified: 2024-09-24 03:22 UTC (History)
2 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2024:6757 0 None None None 2024-09-18 13:07:55 UTC
Red Hat Product Errata RHSA-2024:6964 0 None None None 2024-09-24 03:22:43 UTC

Description RaTasha Tillery-Smith 2024-08-05 13:03:52 UTC
A flaw was found in libnbd. A client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This would allow a man-in-the-middle attack on NBD traffic. After investigation, several separate related problems were found.

Reference:
https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/message/LHR3BW6RJ7K4BJBQIYV3GTZLSY27VZO2

Comment 1 Salvatore Bonaccorso 2024-08-05 20:02:02 UTC
I'm a bit confused about the exact scope of this CVE; does it apply to the whole set of separate related problems found?

Comment 3 Richard W.M. Jones 2024-08-06 08:15:35 UTC
(In reply to Salvatore Bonaccorso from comment #1)
> I'm a bit confused about the exact scope of this CVE; does it apply to the
> whole set of separate related problems found?

Yes, the single CVE applies to all the problems.

They are fixed in the following versions of libnbd:

 - 1.21.1 (development)
 - 1.20.2 (stable)
 - 1.18.5 (stable)

Comment 4 Richard W.M. Jones 2024-08-06 08:19:50 UTC
(In reply to Salvatore Bonaccorso from comment #2)
> More concretely:
> 
> https://gitlab.com/nbdkit/libnbd/-/commit/87ef41b69929d5d293390ec36b1c10aba2c9a57a (v1.20.2)
> https://gitlab.com/nbdkit/libnbd/-/commit/6ed47a27d14f6f11946bb096d94e5bf21d97083d (v1.20.2)
> https://gitlab.com/nbdkit/libnbd/-/commit/5ff09cdbbd19226dd2d5015d76134f88dee9321e (v1.20.2)
> https://gitlab.com/nbdkit/libnbd/-/commit/7a45b5db68c59cc620ba328f0ebec1e7058cd95a (v1.21.1)
> https://gitlab.com/nbdkit/libnbd/-/commit/e62185645c4d1a833d40aa79f3fee4ed477827c2 (v1.21.1)
> 
> Are the later two as well considered part of CVE-2024-7383 ?

The latter two are nice to have, but not part of the security fix.  That's
why they were not backported.

If you update Debian to >= 1.18.5 or >= 1.20.2 or >= 1.21.1, then you
will have fixed everything for the CVE.
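
A version gate a packager or administrator can run against the fixed versions named in the comments above (1.18.5, 1.20.2, 1.21.1). This is an added example, not code from the bug report or from libnbd; the optional live check assumes libnbd's Python binding (module `nbd`, method `get_version()`), and branches the report does not list (1.6, 1.14, 1.19 snapshots) or distro-tagged builds are reported as unknown, because distributions backport fixes without bumping the version.

```python
# Added example: classify a libnbd version string against the fixed
# versions stated in this bug report for CVE-2024-7383.
import re

# From the report: fixed in 1.18.5 (stable), 1.20.2 (stable), 1.21.1 (dev).
# Key: (major, minor) branch -> first fixed patch level on that branch.
FIXED_IN = {(1, 18): 5, (1, 20): 2, (1, 21): 1}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return ((major, minor, patch), suffix) for e.g. '1.20.2' or
    '1.18.1-4.el9'. The suffix is whatever follows the three numbers."""
    text = version.strip()
    m = _VER_RE.match(text)
    if not m:
        raise ValueError("unrecognised libnbd version: %r" % version)
    return tuple(int(x) for x in m.groups()), text[m.end():]


def cve_2024_7383_status(version):
    """'fixed', 'vulnerable' or 'unknown' for a version string.
    'unknown' covers distro builds (suffix present, e.g. '-4.el9': consult
    the errata, RHSA-2024:6757 for RHEL 9 / RHSA-2024:6964 for RHEL 8) and
    upstream branches the report does not list (1.6.x, 1.14.x, 1.19.x)."""
    (major, minor, patch), suffix = parse_version(version)
    if suffix:
        return "unknown"      # vendor build; version number is not enough
    if major > 1 or (major == 1 and minor > 21):
        return "fixed"        # any release after 1.21.1 carries the fix
    floor = FIXED_IN.get((major, minor))
    if floor is None:
        return "unknown"      # branch not covered by the report
    return "fixed" if patch >= floor else "vulnerable"


def installed_libnbd_status():
    """Query the installed Python binding (assumption: module 'nbd' with
    NBD().get_version()); 'unknown' when the binding is not importable."""
    try:
        import nbd
    except ImportError:
        return "unknown"
    return cve_2024_7383_status(nbd.NBD().get_version())


if __name__ == "__main__":
    for v in ("1.18.4", "1.18.5", "1.20.1", "1.20.2", "1.21.1", "1.14.2"):
        print(v, cve_2024_7383_status(v))
```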

Comment 5 Richard W.M. Jones 2024-08-06 10:24:28 UTC
Salvatore:

Checking the Debian packages, I see you also have 1.6.1 and 1.14.2 in
the oldstable and stable branches respectively.  Do you need backports
to those?

https://packages.debian.org/search?keywords=libnbd

As it happens, we may also need to backport the fix to 1.6 branch (because
of RHEL 8).

Anyway let me know if you need this.

Comment 6 errata-xmlrpc 2024-09-18 13:07:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:6757 https://access.redhat.com/errata/RHSA-2024:6757

Comment 7 errata-xmlrpc 2024-09-24 03:22:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6964 https://access.redhat.com/errata/RHSA-2024:6964

