[Libguestfs] [nbdkit PATCH] server: CVE-2021-???? reset structured replies on starttls

Richard W.M. Jones rjones at redhat.com
Mon Aug 16 21:49:02 UTC 2021 

On Mon, Aug 16, 2021 at 01:50:46PM -0500, Eric Blake wrote:
> https://nostarttls.secvuln.info/ pointed out a common implementation
> flaw in various SMTP and IMAP servers with regards to improperly
> caching plaintext state across the STARTTLS encryption boundary.  It
> turns out that nbdkit has the same vulnerability in regards to the NBD
> protocol: an attacker is able to inject a plaintext
> NBD_OPT_STRUCTURED_REPLY before proxying everything else a client
> sends to the server; if the server then acts on that plaintext request
> (as nbdkit did before this patch), then the server ends up sending
> structured replies to at least NBD_CMD_READ, even though the client
> was not expecting them.  The NBD spec has been recently tightened to
> declare the nbdkit behavior to be a security hole.
> 
> ---
> 
> [NB: I'm still in the process of getting a CVE assigned; there is no
> embargo since the issue is already public, but I may wait to apply
> this patch until the commit message can be tweaked]
> ---
>  server/protocol-handshake-newstyle.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/server/protocol-handshake-newstyle.c b/server/protocol-handshake-newstyle.c
> index a2c89c9a..7e6b7b1b 100644
> --- a/server/protocol-handshake-newstyle.c
> +++ b/server/protocol-handshake-newstyle.c
> @@ -495,7 +495,8 @@ negotiate_handshake_newstyle_options (void)
>            return -1;
>          conn->using_tls = true;
>          debug ("using TLS on this connection");
> -        /* Wipe out any cached default export name. */
> +        /* Wipe out any cached state. */
> +        conn->structured_replies = false;
>          for_each_backend (b) {
>            free (conn->default_exportname[b->i]);
>            conn->default_exportname[b->i] = NULL;

It's be good to either reference the nostarttls website, or
the relevant section in NBD proto.md (if it's upstream yet)
in the comment.

But yes - ACK.

Thanks,

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW

More information about the Libguestfs mailing list