[Libguestfs] [nbdkit PATCH] server: CVE-2021-???? reset structured replies on starttls
Richard W.M. Jones
rjones at redhat.com
Mon Aug 16 21:49:02 UTC 2021
On Mon, Aug 16, 2021 at 01:50:46PM -0500, Eric Blake wrote:
> https://nostarttls.secvuln.info/ pointed out a common implementation
> flaw in various SMTP and IMAP servers with regards to improperly
> caching plaintext state across the STARTTLS encryption boundary. It
> turns out that nbdkit has the same vulnerability in regards to the NBD
> protocol: an attacker is able to inject a plaintext
> NBD_OPT_STRUCTURED_REPLY before proxying everything else a client
> sends to the server; if the server then acts on that plaintext request
> (as nbdkit did before this patch), then the server ends up sending
> structured replies to at least NBD_CMD_READ, even though the client
> was not expecting them. The NBD spec has been recently tightened to
> declare the nbdkit behavior to be a security hole.
>
> ---
>
> [NB: I'm still in the process of getting a CVE assigned; there is no
> embargo since the issue is already public, but I may wait to apply
> this patch until the commit message can be tweaked]
> ---
> server/protocol-handshake-newstyle.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
> index a2c89c9a..7e6b7b1b 100644
> --- a/server/protocol-handshake-newstyle.c
> +++ b/server/protocol-handshake-newstyle.c
> @@ -495,7 +495,8 @@ negotiate_handshake_newstyle_options (void)
> return -1;
> conn->using_tls = true;
> debug ("using TLS on this connection");
> - /* Wipe out any cached default export name. */
> + /* Wipe out any cached state. */
> + conn->structured_replies = false;
> for_each_backend (b) {
> free (conn->default_exportname[b->i]);
> conn->default_exportname[b->i] = NULL;
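Review bot: the new comment says "Wipe out any cached state" but the hunk resets exactly one flag, `conn->structured_replies = false;`, next to the existing default_exportname cleanup, so either the comment should name what is reset and why (a pointer to the NBD proto.md STARTTLS text or the nostarttls advisory would make clear this is a security fix, not tidying), or the review should confirm that no other result of a plaintext option survives past this point, so that "any cached state" is actually true. A debug() line alongside the existing "using TLS on this connection" saying that pre-TLS negotiation state was discarded would also help when diagnosing a client that unexpectedly loses structured replies after STARTTLS.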
It'd be good to either reference the nostarttls website, or the relevant section in NBD proto.md (if it's upstream yet), in the comment.
But yes - ACK.
Thanks,
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
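The injection the commit message describes, as an added example that is not nbdkit's code: a toy Python model of NBD newstyle option haggling in which an on-path attacker sends NBD_OPT_STRUCTURED_REPLY in plaintext and then forwards the client's own NBD_OPT_STARTTLS and NBD_OPT_GO unchanged. The option numbers, magics and reply codes are the NBD protocol's; the Server class, its reset_on_tls switch, run_handshake and client_expected_magic are constructed for illustration and do not correspond to nbdkit functions.

```python
"""Toy model of NBD option haggling across the STARTTLS boundary.

Added example, not nbdkit code.  Protocol constants are from NBD proto.md;
the Server/handshake logic below is a constructed illustration of the bug
and of the fix (reset negotiated state when STARTTLS is accepted).
"""
import struct

NBD_OPTS_MAGIC = 0x49484156454F5054          # "IHAVEOPT", client -> server
NBD_REP_MAGIC = 0x3E889045565A9              # server -> client option reply
NBD_OPT_STARTTLS = 5
NBD_OPT_GO = 7
NBD_OPT_STRUCTURED_REPLY = 8
NBD_REP_ACK = 1
NBD_REP_ERR_INVALID = (1 << 31) + 3
NBD_SIMPLE_REPLY_MAGIC = 0x67446698          # framing for NBD_CMD_READ data
NBD_STRUCTURED_REPLY_MAGIC = 0x668E33EF


def encode_option(option, data=b""):
    """Client -> server option request: magic, option, length, data."""
    return struct.pack(">QII", NBD_OPTS_MAGIC, option, len(data)) + data


def decode_option(buf):
    """Parse one option request; returns (option, payload)."""
    magic, option, length = struct.unpack(">QII", buf[:16])
    if magic != NBD_OPTS_MAGIC:
        raise ValueError("bad option magic")
    return option, buf[16:16 + length]


def encode_reply(option, reptype, data=b""):
    """Server -> client option reply: magic, option, type, length, data."""
    return struct.pack(">QIII", NBD_REP_MAGIC, option, reptype, len(data)) + data


class Server:
    """Per-connection negotiation state, mirroring conn->using_tls and
    conn->structured_replies.  reset_on_tls=False is the pre-patch behaviour
    (hypothetical switch, for the comparison only)."""

    def __init__(self, reset_on_tls):
        self.reset_on_tls = reset_on_tls
        self.using_tls = False
        self.structured_replies = False
        self.transmission = False

    def handle_option(self, buf):
        option, _payload = decode_option(buf)
        if option == NBD_OPT_STARTTLS:
            self.using_tls = True
            if self.reset_on_tls:
                # The fix: anything negotiated in plaintext may have come
                # from an on-path attacker, so forget it.
                self.structured_replies = False
            return encode_reply(option, NBD_REP_ACK)
        if option == NBD_OPT_STRUCTURED_REPLY:
            self.structured_replies = True
            return encode_reply(option, NBD_REP_ACK)
        if option == NBD_OPT_GO:
            self.transmission = True
            return encode_reply(option, NBD_REP_ACK)
        return encode_reply(option, NBD_REP_ERR_INVALID)

    def read_reply_magic(self):
        """Framing this server will use for NBD_CMD_READ after NBD_OPT_GO."""
        if not self.transmission:
            raise RuntimeError("still in option haggling")
        if self.structured_replies:
            return NBD_STRUCTURED_REPLY_MAGIC
        return NBD_SIMPLE_REPLY_MAGIC


def client_expected_magic(client_options):
    """A client expects structured replies only if it asked for them."""
    if NBD_OPT_STRUCTURED_REPLY in client_options:
        return NBD_STRUCTURED_REPLY_MAGIC
    return NBD_SIMPLE_REPLY_MAGIC


def run_handshake(server, client_options, injected_before_tls=()):
    """Constructed exchange: the attacker first injects plaintext options,
    then proxies every client option verbatim.  After STARTTLS the attacker
    can no longer see or alter anything, so only the server's memory of the
    plaintext phase matters.  Returns the reply magic the client will get."""
    for opt in injected_before_tls:
        server.handle_option(encode_option(opt))
    for opt in client_options:
        server.handle_option(encode_option(opt))
    return server.read_reply_magic()


if __name__ == "__main__":
    client = [NBD_OPT_STARTTLS, NBD_OPT_GO]       # never asks for structured
    inject = [NBD_OPT_STRUCTURED_REPLY]
    for reset in (False, True):
        got = run_handshake(Server(reset_on_tls=reset), client, inject)
        want = client_expected_magic(client)
        print("reset_on_tls=%s: %s" % (reset, "mismatch" if got != want else "ok"))
```

With reset_on_tls=False the post-TLS NBD_CMD_READ comes back framed with NBD_STRUCTURED_REPLY_MAGIC although the client only ever negotiated STARTTLS and GO; with the reset the client gets the simple-reply framing it expects, and a client that asks for structured replies inside TLS still gets them.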