Eric Blake
2021-Mar-12 23:00 UTC
[Libguestfs] LIBNBD SECURITY: Denial of service vulnerability
We have discovered a denial of service vulnerability in libnbd.

Lifecycle
---------

Reported: 2021-03-01
Fixed: 2021-03-01
Published: 2021-03-12

This has been assigned CVE-2021-20286.

Credit
------

Reported and patched by Eric Blake <eblake at redhat.com>

Description
-----------

libnbd is a Network Block Device (NBD) client library. A malicious
server that disconnects at a certain point in the NBD handshake
involving NBD_OPT_GO can cause libnbd to hit an assertion failure
related to an unexpected state; this assertion failure can be used as a
denial of service attack against the libnbd client.

The NBD_OPT_INFO and NBD_OPT_GO handshake commands are a feature of the
newstyle NBD protocol allowing a client to respond gracefully to an
unavailable export without having to re-establish communication with
the server. Although it is unusual that a server would disconnect on
failure of either of these commands rather than letting the client try
again, the client should not die from an assertion failure because of
the server's behavior.

Test if libnbd is vulnerable
----------------------------

(There is no simple test for this vulnerability)

Workarounds
-----------

The assertion failure is only triggered in clients that use
nbd_set_opt_mode() for manual control over the handshake sequence (for
example, using 'nbdsh --opt-mode'). It is recommended to apply the fix
or upgrade to a fixed version.

Fixes
-----

This affects versions of libnbd that contain nbd_set_opt_mode(), first
introduced in 1.3.12. A fix is available for 1.6, and the current
development branch.
* development branch (1.7)
  https://gitlab.com/nbdkit/libnbd/-/commit/fb4440de9cc76e9c14bd3ddf3333e78621f40ad0
  or use libnbd >= 1.7.3 from
  http://download.libguestfs.org/libnbd/1.7-development/

* stable branch 1.6
  https://gitlab.com/nbdkit/libnbd/-/commit/2216190ecbbd853648df6a3280c17b345b0907a0
  or use libnbd >= 1.6.2 from
  http://download.libguestfs.org/libnbd/1.6-stable/

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org
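The advisory notes there is no simple runtime test for this bug, so the practical check is by version. The script below is an added example, not part of the advisory or of libnbd: it encodes the affected and fixed ranges stated above (affected from 1.3.12; fixed in 1.6.2 and 1.7.3) and, as an assumption, treats releases numbered above the 1.7 fix as fixed and queries the installed version via `pkg-config --modversion libnbd`.

```python
"""Version-based exposure check for CVE-2021-20286 (libnbd opt-mode DoS).

Ranges taken from the advisory:
  * affected from 1.3.12 (first release shipping nbd_set_opt_mode())
  * fixed in 1.6.2 on the 1.6 stable branch
  * fixed in 1.7.3 on the 1.7 development branch
Assumption (not stated in the advisory): branches numbered above 1.7
postdate the fix; 1.4.x and 1.5.x have no fixed release listed.
"""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

FIRST_AFFECTED: Version = (1, 3, 12)
FIXED_IN = {(1, 6): (1, 6, 2), (1, 7): (1, 7, 3)}


def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple from a version string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_vulnerable(ver: Version) -> bool:
    """True when this libnbd release still carries the assertion bug."""
    if ver < FIRST_AFFECTED:
        return False  # nbd_set_opt_mode() did not exist yet
    branch = ver[:2]
    if branch in FIXED_IN:
        return ver < FIXED_IN[branch]
    # 1.4.x / 1.5.x: affected, no fix listed. >= 1.8: assumed fixed.
    return branch < (1, 7)


def installed_libnbd_version() -> Optional[Version]:
    """Ask pkg-config for the installed libnbd; None if not installed."""
    try:
        out = subprocess.run(["pkg-config", "--modversion", "libnbd"],
                             capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_version(out.stdout)


if __name__ == "__main__":
    ver = installed_libnbd_version()
    if ver is None:
        print("libnbd not found via pkg-config")
    elif is_vulnerable(ver):
        print("libnbd %d.%d.%d: affected; avoid nbd_set_opt_mode()/"
              "nbdsh --opt-mode until upgraded" % ver)
    else:
        print("libnbd %d.%d.%d: not affected" % ver)
```

Clients that never call nbd_set_opt_mode() are not exposed regardless of version, per the Workarounds section.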