Bug 1189634 (CVE-2021-3716)

Summary:	VUL-1: CVE-2021-3716: nbdkit: STARTTLS vulnerability for nbdkit
Product:	[openSUSE] openSUSE Distribution	Reporter:	Gianluca Gabrielli <gianluca.gabrielli>
Component:	Other	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	E-mail List <qa-bugs>
Severity:	Normal
Priority:	P4 - Low	CC:	jfehlig
Version:	Leap 15.3
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/307716/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-3716:3.5:(AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:L)
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Bug Depends on:
Bug Blocks:	1189208

Description Gianluca Gabrielli 2021-08-20 10:09:48 UTC

A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.

Comment 1 Gianluca Gabrielli 2021-08-20 10:10:17 UTC

Please update to v1.27.5 or above.

Comment 2 James Fehlig 2021-08-25 23:19:53 UTC

(In reply to Gianluca Gabrielli from comment #1)
> Please update to v1.27.5 or above.

Actually it appears to be 1.27.6 or newer

git describe --contains 09a13dafb7bb3a38ab52eb5501cba786365ba7fd
v1.27.6~1

I've submitted 1.27.8 to Factory. For Leap 15.3, I suppose it needs to go the usual route through SUSE:SLE-15-SP3:Update?

Comment 3 OBSbugzilla Bot 2021-08-25 23:50:07 UTC

This is an autogenerated message for OBS integration:
This bug (1189634) was mentioned in
https://build.opensuse.org/request/show/914307 Factory / nbdkit

Comment 6 James Fehlig 2022-02-08 22:52:29 UTC

In the meantime Factory and SLE15 SP3 have nbdkit 1.29.4, which includes the fix for this vulnerability. AFAIK the virt team is done with this bug. Passing to the security team...