On Tue, Oct 01, 2019 at 08:34:38AM -0500, Eric Blake wrote:
>On 9/20/19 8:58 AM, Eric Blake wrote:
>On 9/12/19 12:41 PM, Richard W.M. Jones wrote:
>>We have discovered a potential Denial of Service / Amplification Attack
>>in nbdkit.
>
>Unfortunately, our fix for this issue caused another potential Denial of
>Service attack:
>
>>
>>Lifecycle
>>---------
>>
>>Reported: 2019-09-11 Fixed: 2019-09-11 Published: 2019-09-12
>>
>>There is no CVE number assigned for this issue yet, but the bug is
>>being categorized and processed by Red Hat's security team which may
>>result in a CVE being published later.
>>
>
>Reported: 2019-09-18 Fixed: 2019-09-19 Published: 2019-09-20
>
>Also pending Red Hat security review for whether this deserves a CVE
>(presumably either both issues, or neither, will have a CVE)
>Both CVEs have now been assigned:
>CVE-2019-14850 - denial of service due to premature .open, depending
>on plugin used
>CVE-2019-14851 - denial of service due to assertion after
>NBD_OPT_INFO, independent of plugin
I spent a bit of time working on the RHEL BZs for this today, and in
the process I backported the fix for CVE-2019-14850 to
nbdkit 1.8:
https://github.com/libguestfs/nbdkit/commit/f03f18af2fe393776ea3e400f64ff...
and nbdkit 1.4:
https://github.com/libguestfs/nbdkit/commit/111afbacf494e331d8c0e8fc6a6cb...
Both were non-trivial backports, in fact almost complete rewrites of
the patch.
Neither version of nbdkit is vulnerable to CVE-2019-14851 because they
didn't implement NBD_OPT_INFO.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW