Re: [Libguestfs] [nbdkit PATCH] server: CVE-2021-???? reset structured replies on starttls

https://nostarttls.secvuln.info/ pointed out a common implementation flaw in various SMTP and IMAP servers with regards to improperly caching plaintext state across the STARTTLS encryption boundary. It turns out that nbdkit has the same vulnerability in regards to the NBD protocol: an attacker is able to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server; if the server then acts on that plaintext request (as nbdkit did before this patch), then the server ends up sending structured replies to at least NBD_CMD_READ, even though the client was not expecting them. The NBD spec has been recently tightened to declare the nbdkit behavior to be a security hole. --- [NB: I'm still in the process of getting a CVE assigned; there is no embargo since the issue is already public, but I may wait to apply this patch until the commit message can be tweaked] --- server/protocol-handshake-newstyle.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c index a2c89c9a..7e6b7b1b 100644 --- a/server/protocol-handshake-newstyle.c +++ b/server/protocol-handshake-newstyle.c @@ -495,7 +495,8 @@ negotiate_handshake_newstyle_options (void) return -1; conn->using_tls = true; debug ("using TLS on this connection"); - /* Wipe out any cached default export name. */ + /* Wipe out any cached state. */ + conn->structured_replies = false; for_each_backend (b) { free (conn->default_exportname[b->i]); conn->default_exportname[b->i] = NULL;