Richard W.M. Jones
2019-Oct-09 08:45 UTC
[Libguestfs] LIBNBD SECURITY: Remote code execution vulnerability
We have discovered a remote code execution vulnerability in libnbd.

Lifecycle
---------

Reported: 2019-10-05
Fixed: 2019-10-05
Published: 2019-10-09

There is no CVE number assigned for this issue yet, but the bug is
being categorized and processed by Red Hat's security team which may
result in a CVE being published later.

Credit
------

Reported and patched by Richard W.M. Jones <rjones@redhat.com>.
Reviewed by Eric Blake <eblake@redhat.com>.

Description
-----------

libnbd is a Network Block Device (NBD) client library. Because of
improper bounds checking, when receiving a structured reply some
offset/lengths sent by the server could cause libnbd to execute
arbitrary code under control of a malicious server.

Structured reply is a feature of the newstyle NBD protocol allowing
the server to send a reply in chunks. A bounds check which was
supposed to test for chunk offsets smaller than the beginning of the
request did not work because of signed/unsigned confusion. If one of
these chunks contains a negative offset then data under control of
the server is written to memory before the read buffer supplied by
the client.

If the read buffer is located on the stack then this allows the stack
return address from nbd_pread() to be trivially modified, allowing
arbitrary code execution under the control of the server. If the
buffer is located on the heap then other memory objects before the
buffer can be overwritten, which again would usually lead to
arbitrary code execution.

Test if libnbd is vulnerable
----------------------------

(There is no simple test for this vulnerability)

Workarounds
-----------

It is highly recommended to apply the fix or upgrade to a fixed
version. If you cannot do this, then you could use:

  nbd_set_tls (h, LIBNBD_TLS_REQUIRE)

to only connect to trusted servers over TLS.

Fixes
-----

This affects all versions of libnbd. A fix is available for 1.0, and
the current development branch.
* development branch (1.1)
  https://github.com/libguestfs/libnbd/commit/f75f602a6361c0c5f42debfeea6980f698ce7f09
  or use libnbd >= 1.1.4 from
  http://download.libguestfs.org/libnbd/1.1-development/

* stable branch 1.0
  https://github.com/libguestfs/libnbd/commit/2c1987fc23d6d0f537edc6d4701e95a2387f7917
  or use libnbd >= 1.0.3 from
  http://download.libguestfs.org/libnbd/1.0-stable/

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top
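The following is an added example, not libnbd's own code and not the patch linked above: a simplified model of the bounds check on an NBD_REPLY_TYPE_OFFSET_DATA chunk, showing the signed/unsigned confusion pattern the advisory describes beside a hardened version, plus a small parser for a constructed structured-reply chunk that only copies data after the hardened check passes. The chunk wire layout (magic 0x668e33ef, flags, type, handle, payload length, then a 64-bit offset followed by data) follows the NBD protocol; the vulnerable check, the function names and the request parameters (512 bytes at offset 4096) are assumptions chosen for illustration.

```c
/* Added example, not libnbd code: model of the structured-reply
 * offset bounds check, vulnerable and fixed variants.
 * A client asked for `cmd_count` bytes at `cmd_offset` into `buf`;
 * the server sends a chunk at `chunk_offset` carrying `length` bytes. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBD_STRUCTURED_REPLY_MAGIC 0x668e33efU
#define NBD_REPLY_TYPE_OFFSET_DATA 1

/* Vulnerable pattern (hypothetical): the relative offset is computed
 * in a signed type.  A chunk starting before the request, or one with
 * a huge offset that wraps on subtraction, gives a negative delta;
 * "delta + length > cmd_count" is then false and the later write
 * lands before buf.  Returns 1 to accept, 0 to reject. */
static int check_chunk_vuln (uint64_t cmd_offset, uint32_t cmd_count,
                             uint64_t chunk_offset, uint32_t length,
                             int64_t *rel)
{
  int64_t delta = (int64_t) (chunk_offset - cmd_offset);
  if (delta + (int64_t) length > (int64_t) cmd_count)
    return 0;
  *rel = delta;                     /* may be negative: out-of-bounds write */
  return 1;
}

/* Hardened pattern: reject chunks before the request first, keep the
 * delta unsigned, and test the end without the addition that can wrap. */
static int check_chunk_fixed (uint64_t cmd_offset, uint32_t cmd_count,
                              uint64_t chunk_offset, uint32_t length,
                              uint64_t *rel)
{
  if (chunk_offset < cmd_offset)    /* starts before the read buffer */
    return 0;
  uint64_t delta = chunk_offset - cmd_offset;
  if (delta > cmd_count || length > cmd_count - delta)
    return 0;                       /* runs past the end of the buffer */
  *rel = delta;
  return 1;
}

/* Big-endian helpers for the wire format. */
static uint16_t be16 (const uint8_t *p) { return (uint16_t) ((p[0] << 8) | p[1]); }
static uint32_t be32 (const uint8_t *p)
{
  return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
         ((uint32_t) p[2] << 8) | p[3];
}
static uint64_t be64 (const uint8_t *p) { return ((uint64_t) be32 (p) << 32) | be32 (p + 4); }
static void put32 (uint8_t *p, uint32_t v)
{ p[0] = v >> 24; p[1] = v >> 16; p[2] = v >> 8; p[3] = (uint8_t) v; }
static void put64 (uint8_t *p, uint64_t v)
{ put32 (p, (uint32_t) (v >> 32)); put32 (p + 4, (uint32_t) v); }

/* Build one NBD_REPLY_TYPE_OFFSET_DATA chunk as a server (benign or
 * malicious) would send it.  Constructed test input; returns wire length. */
static size_t build_offset_data_chunk (uint64_t chunk_offset,
                                       const uint8_t *data, uint32_t n,
                                       uint8_t *out)
{
  put32 (out, NBD_STRUCTURED_REPLY_MAGIC);
  out[4] = out[5] = 0;                            /* flags */
  out[6] = 0; out[7] = NBD_REPLY_TYPE_OFFSET_DATA;/* type */
  memset (out + 8, 0, 8);                         /* handle (cookie) */
  put32 (out + 16, 8 + n);                        /* payload: offset + data */
  put64 (out + 20, chunk_offset);
  memcpy (out + 28, data, n);
  return 28 + n;
}

/* Parse one chunk and copy its data into buf using the fixed check.
 * Returns the number of data bytes copied, or -1 if malformed/rejected. */
static int apply_offset_data_chunk (const uint8_t *wire, size_t wire_len,
                                    uint64_t cmd_offset, uint32_t cmd_count,
                                    uint8_t *buf)
{
  if (wire_len < 20 || be32 (wire) != NBD_STRUCTURED_REPLY_MAGIC) return -1;
  if (be16 (wire + 6) != NBD_REPLY_TYPE_OFFSET_DATA) return -1;
  uint32_t length = be32 (wire + 16);
  if (length < 8 || wire_len - 20 < length) return -1;
  uint64_t chunk_offset = be64 (wire + 20);
  uint32_t data_len = length - 8;
  uint64_t rel;
  if (!check_chunk_fixed (cmd_offset, cmd_count, chunk_offset, data_len, &rel))
    return -1;
  memcpy (buf + rel, wire + 28, data_len);        /* rel is now in bounds */
  return (int) data_len;
}

int main (void)
{
  int64_t vrel = 0; uint64_t frel = 0;
  /* Server chunk 96 bytes before a 512-byte read at offset 4096. */
  printf ("vulnerable check accepts: %d, write index %lld\n",
          check_chunk_vuln (4096, 512, 4000, 16, &vrel), (long long) vrel);
  printf ("fixed check accepts: %d\n",
          check_chunk_fixed (4096, 512, 4000, 16, &frel));
  return 0;
}
```

The vulnerable variant reports that the chunk is accepted with a write index of -96, which is exactly the write before the client's buffer that the advisory describes; the fixed variant rejects it, and also rejects an offset near UINT64_MAX whose subtraction wraps to a small negative number.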