We have discovered a remote code execution vulnerability in libnbd.
Lifecycle
---------
Reported: 2019-10-05 Fixed: 2019-10-05 Published: 2019-10-09
There is no CVE number assigned for this issue yet, but the bug is
being categorized and processed by Red Hat's security team which may
result in a CVE being published later.
Credit
------
Reported and patched by Richard W.M. Jones <rjones(a)redhat.com>.
Reviewed by Eric Blake <eblake(a)redhat.com>.
Description
-----------
libnbd is a Network Block Device (NBD) client library.
Because of improper bounds checking, when receiving a structured reply
some offset/lengths sent by the server could cause libnbd to execute
arbitrary code under control of a malicious server.
Structured reply is a feature of the newstyle NBD protocol allowing
the server to send a reply in chunks. A bounds check which was
supposed to test for chunk offsets smaller than the beginning of the
request did not work because of signed/unsigned confusion. If one of
these chunks contains a negative offset then data under control of the
server is written to memory before the read buffer supplied by the
client. If the read buffer is located on the stack then this allows
the stack return address from nbd_pread() to be trivially modified,
allowing arbitrary code execution under the control of the server. If
the buffer is located on the heap then other memory objects before the
buffer can be overwritten, which again would usually lead to arbitrary
code execution.
Test if libnbd is vulnerable
----------------------------
(There is no simple test for this vulnerability)
Workarounds
-----------
It is highly recommended to apply the fix or upgrade to a fixed
version. If you cannot do this, then you could use:
nbd_set_tls (h, LIBNBD_TLS_REQUIRE)
to only connect to trusted servers over TLS.
Fixes
-----
This affects all versions of libnbd. A fix is available for 1.0, and
the current development branch.
* development branch (1.1)
https://github.com/libguestfs/libnbd/commit/f75f602a6361c0c5f42debfeea698...
or use libnbd >= 1.1.4 from
http://download.libguestfs.org/libnbd/1.1-development/
* stable branch 1.0
https://github.com/libguestfs/libnbd/commit/2c1987fc23d6d0f537edc6d4701e9...
or use libnbd >= 1.0.3 from
http://download.libguestfs.org/libnbd/1.0-stable/
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top