|
 |
bf9592 |
From 6b9d4380df9bd0be91f49aad8c4f47b4e672adde Mon Sep 17 00:00:00 2001
|
|
|
bf9592 |
From: Eric Blake <eblake@redhat.com>
|
|
|
bf9592 |
Date: Mon, 16 Aug 2021 13:43:29 -0500
|
|
|
bf9592 |
Subject: [PATCH] server: CVE-2021-3716 reset structured replies on starttls
|
|
|
bf9592 |
|
|
|
bf9592 |
https://nostarttls.secvuln.info/ pointed out a series of CVEs in
|
|
|
bf9592 |
common implementation flaw in various SMTP and IMAP clients and
|
|
|
bf9592 |
servers, all with a common thread of improperly caching plaintext
|
|
|
bf9592 |
state across the STARTTLS encryption boundary; and recommended that
|
|
|
bf9592 |
other protocols with a STARTTLS operation perform a similar audit.
|
|
|
bf9592 |
|
|
|
bf9592 |
It turns out that nbdkit has the same vulnerability in regards to the
|
|
|
bf9592 |
NBD protocol: when nbdkit is run in opportunistic TLS mode, an
|
|
|
bf9592 |
attacker is able to inject a plaintext NBD_OPT_STRUCTURED_REPLY before
|
|
|
bf9592 |
proxying everything else a client sends to the server; if the server
|
|
|
bf9592 |
then acts on that plaintext request (as nbdkit did before this patch),
|
|
|
bf9592 |
then the server ends up sending structured replies to at least
|
|
|
bf9592 |
NBD_CMD_READ, even though the client was assuming that the transition
|
|
|
bf9592 |
to TLS has ruled out a MitM attack.
|
|
|
bf9592 |
|
|
|
bf9592 |
On the bright side, nbdkit's behavior on a second
|
|
|
bf9592 |
NBD_OPT_STRUCTURED_REPLY was to still reply with success, so a client
|
|
|
bf9592 |
that always requests structured replies after starting TLS sees no
|
|
|
bf9592 |
difference in behavior (that is, qemu 2.12 and later are immune) (had
|
|
|
bf9592 |
nbdkit given an error to the second request, that may have caused
|
|
|
bf9592 |
confusion to more clients). And there is always the mitigation of
|
|
|
bf9592 |
using --tls=require, which lets nbdkit reject the MitM message
|
|
|
bf9592 |
pre-encryption. However, nbd-client 3.15 to the present do not
|
|
|
bf9592 |
understand structured replies, and I have confirmed that a MitM
|
|
|
bf9592 |
attacker can thus cause a denial-of-service attack that does not
|
|
|
bf9592 |
trigger until the client does its first encrypted NBD_CMD_READ.
|
|
|
bf9592 |
|
|
|
bf9592 |
The NBD spec has been recently tightened to declare the nbdkit
|
|
|
bf9592 |
behavior to be a security hole:
|
|
|
bf9592 |
https://github.com/NetworkBlockDevice/nbd/commit/77e55378096aa
|
|
|
bf9592 |
Fixes: eaa4c6e9a2c4bd (server: Minimal implementation of NBD Structured Replies.)
|
|
|
bf9592 |
|
|
|
bf9592 |
(cherry picked from commit 09a13dafb7bb3a38ab52eb5501cba786365ba7fd)
|
|
|
bf9592 |
(cherry picked from commit 6185b15a81e6915734d678f0781e31d45a7941a1)
|
|
|
bf9592 |
---
|
|
|
bf9592 |
docs/nbdkit-security.pod | 11 +++++++++--
|
|
|
bf9592 |
server/protocol-handshake-newstyle.c | 3 ++-
|
|
|
bf9592 |
2 files changed, 11 insertions(+), 3 deletions(-)
|
|
|
bf9592 |
|
|
|
bf9592 |
diff --git a/docs/nbdkit-security.pod b/docs/nbdkit-security.pod
|
|
|
bf9592 |
index 3a28e54d..5a4e6da8 100644
|
|
|
bf9592 |
--- a/docs/nbdkit-security.pod
|
|
|
bf9592 |
+++ b/docs/nbdkit-security.pod
|
|
|
bf9592 |
@@ -10,7 +10,7 @@ For how to report new security issues, see the C<SECURITY> file in the
|
|
|
bf9592 |
top level source directory, also available online here:
|
|
|
bf9592 |
L<https://github.com/libguestfs/nbdkit/blob/master/SECURITY>
|
|
|
bf9592 |
|
|
|
bf9592 |
-=head2 CVE-2019-14850
|
|
|
bf9592 |
+=head2 CVE-2019-14850
|
|
|
bf9592 |
denial of service due to premature opening of back-end connection
|
|
|
bf9592 |
|
|
|
bf9592 |
See the full announcement and links to mitigation, tests and fixes
|
|
|
bf9592 |
@@ -26,6 +26,13 @@ See the full announcement and links to mitigation, tests and fixes
|
|
|
bf9592 |
here:
|
|
|
bf9592 |
https://www.redhat.com/archives/libguestfs/2019-September/msg00272.html
|
|
|
bf9592 |
|
|
|
bf9592 |
+=head2 CVE-2021-3716
|
|
|
bf9592 |
+structured read denial of service attack against starttls
|
|
|
bf9592 |
+
|
|
|
bf9592 |
+See the full announcement and links to mitigation, tests and fixes
|
|
|
bf9592 |
+here:
|
|
|
bf9592 |
+https://www.redhat.com/archives/libguestfs/2021-August/msg00083.html
|
|
|
bf9592 |
+
|
|
|
bf9592 |
=head1 SEE ALSO
|
|
|
bf9592 |
|
|
|
bf9592 |
L<nbdkit(1)>.
|
|
|
bf9592 |
@@ -38,4 +45,4 @@ Richard W.M. Jones
|
|
|
bf9592 |
|
|
|
bf9592 |
=head1 COPYRIGHT
|
|
|
bf9592 |
|
|
|
bf9592 |
-Copyright (C) 2013-2020 Red Hat Inc.
|
|
|
bf9592 |
+Copyright (C) 2013-2021 Red Hat Inc.
|
|
|
bf9592 |
diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
|
|
|
bf9592 |
index 0a76a814..b94950e2 100644
|
|
|
bf9592 |
--- a/server/protocol-handshake-newstyle.c
|
|
|
bf9592 |
+++ b/server/protocol-handshake-newstyle.c
|
|
|
bf9592 |
@@ -495,7 +495,8 @@ negotiate_handshake_newstyle_options (void)
|
|
|
bf9592 |
return -1;
|
|
|
bf9592 |
conn->using_tls = true;
|
|
|
bf9592 |
debug ("using TLS on this connection");
|
|
|
bf9592 |
- /* Wipe out any cached default export name. */
|
|
|
bf9592 |
+ /* Wipe out any cached state. */
|
|
|
bf9592 |
+ conn->structured_replies = false;
|
|
|
bf9592 |
for_each_backend (b) {
|
|
|
bf9592 |
struct handle *h = get_handle (conn, b->i);
|
|
|
bf9592 |
free (h->default_exportname);
|
|
|
bf9592 |
--
|
|
|
bf9592 |
2.31.1
|
|
|
bf9592 |
|