[Libguestfs] LIBNBD SECURITY: Remote code execution vulnerability

Richard W.M. Jones rjones at redhat.com
Wed Oct 9 08:45:05 UTC 2019


We have discovered a remote code execution vulnerability in libnbd.

Lifecycle
---------

Reported: 2019-10-05  Fixed: 2019-10-05  Published: 2019-10-09

There is no CVE number assigned for this issue yet, but the bug is
being categorized and processed by Red Hat's security team which may
result in a CVE being published later.

Credit
------

Reported and patched by Richard W.M. Jones <rjones at redhat.com>.

Reviewed by Eric Blake <eblake at redhat.com>.

Description
-----------

libnbd is a Network Block Device (NBD) client library.

Because of improper bounds checking, when receiving a structured reply
some offset/lengths sent by the server could cause libnbd to execute
arbitrary code under control of a malicious server.

Structured reply is a feature of the newstyle NBD protocol allowing
the server to send a reply in chunks.  A bounds check which was
supposed to test for chunk offsets smaller than the beginning of the
request did not work because of signed/unsigned confusion.  If one of
these chunks contains a negative offset then data under control of the
server is written to memory before the read buffer supplied by the
client.  If the read buffer is located on the stack then this allows
the stack return address from nbd_pread() to be trivially modified,
allowing arbitrary code execution under the control of the server.  If
the buffer is located on the heap then other memory objects before the
buffer can be overwritten, which again would usually lead to arbitrary
code execution.
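To illustrate the bug class described above, here is an added example (not libnbd's own code; the structure, field names and the exact shape of the check are assumptions): a chunk bounds check with the signed/unsigned confusion that lets a chunk starting before the request slip through, beside a corrected form that keeps the arithmetic unsigned and rejects such chunks outright.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical client-side read request (field names are assumptions,
 * not libnbd's real structures). */
struct read_request {
  uint64_t offset;   /* offset of the read within the export */
  uint32_t count;    /* bytes requested */
  char *buf;         /* client-supplied buffer of exactly count bytes */
};

/* Broken check.  The relative offset is computed in signed arithmetic, so a
 * chunk that starts before the request gives a negative rel; rel + length is
 * still negative, which is always <= count, and the chunk is accepted even
 * though the later copy would land before the buffer. */
static bool chunk_in_bounds_vulnerable (const struct read_request *r,
                                        uint64_t chunk_offset,
                                        uint32_t chunk_length)
{
  int64_t rel = (int64_t) (chunk_offset - r->offset);
  return rel + chunk_length <= r->count;
}

/* Corrected check: reject a chunk starting before the request outright,
 * then keep everything unsigned and ordered so nothing can wrap. */
static bool chunk_in_bounds_fixed (const struct read_request *r,
                                   uint64_t chunk_offset,
                                   uint32_t chunk_length)
{
  if (chunk_offset < r->offset)
    return false;                         /* starts before the request */
  uint64_t rel = chunk_offset - r->offset;
  if (rel > r->count)
    return false;                         /* starts after the request */
  return chunk_length <= r->count - rel;  /* must end inside the buffer */
}

/* Copy a chunk into the buffer only if the corrected check passes; returns
 * the number of bytes written, 0 if the chunk was rejected. */
static size_t apply_chunk (struct read_request *r, uint64_t chunk_offset,
                           const char *data, uint32_t chunk_length)
{
  if (!chunk_in_bounds_fixed (r, chunk_offset, chunk_length))
    return 0;
  memcpy (r->buf + (chunk_offset - r->offset), data, chunk_length);
  return chunk_length;
}
```

The vulnerable variant accepts a chunk 16 bytes before a request at offset 1024, which is exactly the "negative offset" case the description refers to; the corrected variant rejects it along with chunks that run past the end of the buffer.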

Test if libnbd is vulnerable
----------------------------

(There is no simple test for this vulnerability)

Workarounds
-----------

It is highly recommended to apply the fix or upgrade to a fixed
version.  If you cannot do this, then you could use:

  nbd_set_tls (h, LIBNBD_TLS_REQUIRE)

to only connect to trusted servers over TLS.

Fixes
-----

This affects all versions of libnbd.  A fix is available for 1.0, and
the current development branch.

* development branch (1.1)
  https://github.com/libguestfs/libnbd/commit/f75f602a6361c0c5f42debfeea6980f698ce7f09
  or use libnbd >= 1.1.4 from
  http://download.libguestfs.org/libnbd/1.1-development/

* stable branch 1.0
  https://github.com/libguestfs/libnbd/commit/2c1987fc23d6d0f537edc6d4701e95a2387f7917
  or use libnbd >= 1.0.3 from
  http://download.libguestfs.org/libnbd/1.0-stable/

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://people.redhat.com/~rjones/virt-top