We have discovered a denial of service vulnerability in libnbd.

Lifecycle
---------
Reported: 2021-03-01 Fixed: 2021-03-01 Published: 2021-03-12
This has been assigned CVE-2021-20286.

Credit
------
Reported and patched by Eric Blake <eblake(a)redhat.com>

Description
-----------
libnbd is a Network Block Device (NBD) client library.

A malicious server that disconnects at a certain point in the NBD
handshake involving NBD_OPT_GO can cause libnbd to hit an assertion
failure related to an unexpected state; this assertion failure can be
used as a denial of service attack against the libnbd client.

The NBD_OPT_INFO and NBD_OPT_GO handshake commands are a feature of the
newstyle NBD protocol allowing a client to respond gracefully to an
unavailable export without having to re-establish communication with the
server. Although it is unusual that a server would disconnect on
failure to either of these commands rather than letting the client try
again, the client should not die from an assertion failure based on the
server behavior.

Test if libnbd is vulnerable
----------------------------
(There is no simple test for this vulnerability)

Workarounds
-----------
The assertion failure is only triggered in clients that use
nbd_set_opt_mode() for manual control over the handshake sequence (for
example, using 'nbdsh --opt-mode'). It is recommended to apply the fix
or upgrade to a fixed version.

Fixes
-----
This affects versions of libnbd that contain nbd_set_opt_mode(), first
introduced in 1.3.12. A fix is available for 1.6, and the current
development branch.

* development branch (1.7)

  https://gitlab.com/nbdkit/libnbd/-/commit/fb4440de9cc76e9c14bd3ddf3333e78...
  or use libnbd >= 1.7.3 from
  http://download.libguestfs.org/libnbd/1.7-development/

* stable branch 1.6

  https://gitlab.com/nbdkit/libnbd/-/commit/2216190ecbbd853648df6a3280c17b3...
  or use libnbd >= 1.6.2 from
  http://download.libguestfs.org/libnbd/1.6-stable/

--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
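
Since the advisory gives no simple runtime test, the version ranges in its Fixes section are the practical check. The following is an added example, not part of the advisory or of libnbd; the function names are hypothetical, the sample version strings are constructed, and treating branches newer than 1.7 as fixed is an assumption.

```python
import re

# Version boundaries taken from the advisory's "Fixes" section.
FIRST_AFFECTED = (1, 3, 12)      # nbd_set_opt_mode() first appeared here
FIXED = {
    (1, 6): (1, 6, 2),           # stable branch
    (1, 7): (1, 7, 3),           # development branch
}


def parse_version(text):
    """Extract (major, minor, patch) from a string such as 'libnbd 1.6.1'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def classify(text):
    """Return 'not-affected', 'affected' or 'fixed' for a libnbd version."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return "not-affected"    # predates nbd_set_opt_mode()
    branch = version[:2]
    if branch in FIXED:
        return "fixed" if version >= FIXED[branch] else "affected"
    if branch > (1, 7):
        # Assumption: later branches descend from 1.7 and carry the fix.
        return "fixed"
    # 1.3.12+, 1.4.x and 1.5.x: the advisory lists no fixed release.
    return "affected"


if __name__ == "__main__":
    # Constructed sample inputs; in practice feed in the installed
    # version string, e.g. the output of `nbdsh --version`.
    for sample in ("libnbd 1.2.5", "1.4.1", "nbdsh 1.6.1", "1.6.2", "1.7.3"):
        print(f"{sample:14} {classify(sample)}")
```

A result of "affected" matters only for clients that call nbd_set_opt_mode(), and a distribution package may carry the fix as a backport without changing its upstream version number.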