[Libguestfs] LIBNBD SECURITY: Denial of service vulnerability

Eric Blake eblake at redhat.com
Fri Mar 12 23:00:00 UTC 2021


We have discovered a denial of service vulnerability in libnbd.

Lifecycle
---------

Reported: 2021-03-01  Fixed: 2021-03-01  Published: 2021-03-12

This has been assigned CVE-2021-20286.

Credit
------

Reported and patched by Eric Blake <eblake at redhat.com>

Description
-----------

libnbd is a Network Block Device (NBD) client library.

A malicious server that disconnects at a certain point in the NBD
handshake involving NBD_OPT_GO can cause libnbd to hit an assertion
failure related to an unexpected state; this assertion failure can be
used as a denial of service attack against the libnbd client.

The NBD_OPT_INFO and NBD_OPT_GO handshake commands are a feature of the
newstyle NBD protocol allowing a client to respond gracefully to an
unavailable export without having to re-establish communication with the
server.  Although it is unusual that a server would disconnect on
failure of either of these commands rather than letting the client try
again, the client should not die from an assertion failure based on the
server's behavior.
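To illustrate the defensive posture the paragraph above calls for, here is an
added example (not libnbd's code, and not the patch referenced below) of a
minimal NBD_OPT_GO reply parser in Python.  The wire constants come from the
NBD protocol specification; the sample streams are constructed for this
example and include the case where the server closes the connection in the
middle of a reply, which the parser reports as an ordinary error instead of
tripping an assertion.  The 4096-byte payload cap is an assumption of this
example, not a protocol limit.

```python
import io
import struct

# NBD newstyle option-haggling constants (from the NBD protocol specification)
NBD_REP_MAGIC = 0x0003E889045565A9
NBD_OPT_INFO = 6
NBD_OPT_GO = 7
NBD_REP_ACK = 1
NBD_REP_INFO = 3
NBD_REP_ERR_BIT = 1 << 31          # replies with this bit set are errors
NBD_INFO_EXPORT = 0


class ProtocolError(Exception):
    """Server violated the protocol (bad magic, wrong option, malformed payload)."""


class ServerDisconnected(Exception):
    """Server closed the connection (EOF) before the handshake finished."""


def read_exact(stream, n):
    """Read exactly n bytes; a short read means the server hung up on us."""
    data = stream.read(n)
    if len(data) != n:
        raise ServerDisconnected(f"expected {n} bytes, got {len(data)}")
    return data


def read_opt_reply(stream, expected_opt):
    """Parse one option reply header plus payload for the option we sent."""
    magic, opt, rep_type, length = struct.unpack(">QIII", read_exact(stream, 20))
    if magic != NBD_REP_MAGIC:
        raise ProtocolError(f"bad reply magic {magic:#x}")
    if opt != expected_opt:
        raise ProtocolError(f"reply for option {opt}, expected {expected_opt}")
    if length > 4096:  # hypothetical cap chosen for this example
        raise ProtocolError(f"oversized reply payload {length}")
    payload = read_exact(stream, length)
    return rep_type, payload


def handle_opt_go(stream, opt=NBD_OPT_GO):
    """Consume the reply sequence to NBD_OPT_GO (or NBD_OPT_INFO).

    Returns ("ok", size, flags) when the server acks with an export
    description, ("error", rep_type) when it refuses, or raises
    ServerDisconnected / ProtocolError.  Nothing here asserts on server
    behaviour: the caller decides whether to try another export or give up.
    """
    export = None
    while True:
        rep_type, payload = read_opt_reply(stream, opt)
        if rep_type & NBD_REP_ERR_BIT:
            return ("error", rep_type)
        if rep_type == NBD_REP_INFO:
            if len(payload) < 2:
                raise ProtocolError("NBD_REP_INFO too short")
            (info_type,) = struct.unpack(">H", payload[:2])
            if info_type == NBD_INFO_EXPORT:
                if len(payload) != 12:
                    raise ProtocolError("NBD_INFO_EXPORT must be 12 bytes")
                size, flags = struct.unpack(">QH", payload[2:])
                export = (size, flags)
            # other info types (name, description, block size) are ignored here
            continue
        if rep_type == NBD_REP_ACK:
            if export is None:
                raise ProtocolError("NBD_REP_ACK without NBD_INFO_EXPORT")
            return ("ok", export[0], export[1])
        raise ProtocolError(f"unexpected reply type {rep_type}")


def build_reply(opt, rep_type, payload=b""):
    """Encode one server option reply (used only to construct sample streams)."""
    return struct.pack(">QIII", NBD_REP_MAGIC, opt, rep_type, len(payload)) + payload


# Constructed sample streams (not captured from any real server):
EXPORT_INFO = struct.pack(">HQH", NBD_INFO_EXPORT, 1 << 30, 0x0001)  # 1 GiB, HAS_FLAGS
GOOD_STREAM = (build_reply(NBD_OPT_GO, NBD_REP_INFO, EXPORT_INFO)
               + build_reply(NBD_OPT_GO, NBD_REP_ACK))
REFUSED_STREAM = build_reply(NBD_OPT_GO, NBD_REP_ERR_BIT | 6)  # NBD_REP_ERR_UNKNOWN
TRUNCATED_STREAM = GOOD_STREAM[:15]  # server disconnects mid-reply


def run_handshake(data):
    """Drive handle_opt_go over an in-memory stream; map exceptions to tags."""
    try:
        return handle_opt_go(io.BytesIO(data))
    except ServerDisconnected:
        return ("disconnected",)
    except ProtocolError:
        return ("protocol-error",)


if __name__ == "__main__":
    for name, data in (("good", GOOD_STREAM), ("refused", REFUSED_STREAM),
                       ("truncated", TRUNCATED_STREAM)):
        print(name, run_handshake(data))
```

The point of the design is that every outcome the server can produce, including
an abrupt close, maps to a return value or a catchable exception, so the state
machine never reaches a "cannot happen" branch on remote input.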

Test if libnbd is vulnerable
----------------------------

(There is no simple test for this vulnerability)

Workarounds
-----------

The assertion failure is only triggered in clients that use
nbd_set_opt_mode() for manual control over the handshake sequence (for
example, using 'nbdsh --opt-mode').  It is recommended to apply the fix
or upgrade to a fixed version.

Fixes
-----

This affects versions of libnbd that contain nbd_set_opt_mode(), first
introduced in 1.3.12.  A fix is available for the 1.6 stable branch and
for the current development branch.

* development branch (1.7)

  https://gitlab.com/nbdkit/libnbd/-/commit/fb4440de9cc76e9c14bd3ddf3333e78621f40ad0
  or use libnbd >= 1.7.3 from
  http://download.libguestfs.org/libnbd/1.7-development/

* stable branch 1.6

  https://gitlab.com/nbdkit/libnbd/-/commit/2216190ecbbd853648df6a3280c17b345b0907a0
  or use libnbd >= 1.6.2 from
  http://download.libguestfs.org/libnbd/1.6-stable/

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org