[Libguestfs] [nbdkit PATCH] server: CVE-2021-???? reset structured replies on starttls

Eric Blake eblake at redhat.com
Mon Aug 16 18:50:46 UTC 2021

https://nostarttls.secvuln.info/ pointed out a common implementation
flaw in various SMTP and IMAP servers with regards to improperly
caching plaintext state across the STARTTLS encryption boundary.  It
turns out that nbdkit has the same vulnerability in regards to the NBD
protocol: an attacker is able to inject a plaintext
NBD_OPT_STRUCTURED_REPLY before proxying everything else a client
sends to the server; if the server then acts on that plaintext request
(as nbdkit did before this patch), then the server ends up sending
structured replies to at least NBD_CMD_READ, even though the client
was not expecting them.  The NBD spec has been recently tightened to
declare the nbdkit behavior to be a security hole.


[NB: I'm still in the process of getting a CVE assigned; there is no
embargo since the issue is already public, but I may wait to apply
this patch until the commit message can be tweaked]
 server/protocol-handshake-newstyle.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
index a2c89c9a..7e6b7b1b 100644
--- a/server/protocol-handshake-newstyle.c
+++ b/server/protocol-handshake-newstyle.c
@@ -495,7 +495,8 @@ negotiate_handshake_newstyle_options (void)
           return -1;
         conn->using_tls = true;
         debug ("using TLS on this connection");
-        /* Wipe out any cached default export name. */
+        /* Wipe out any cached state. */
+        conn->structured_replies = false;
         for_each_backend (b) {
           free (conn->default_exportname[b->i]);
           conn->default_exportname[b->i] = NULL;

More information about the Libguestfs mailing list