Bug 1189634 (CVE-2021-3716) - VUL-1: CVE-2021-3716: nbdkit: STARTTLS vulnerability for nbdkit
Summary: VUL-1: CVE-2021-3716: nbdkit: STARTTLS vulnerability for nbdkit
Status: RESOLVED FIXED
Alias: CVE-2021-3716
Product: openSUSE Distribution
Classification: openSUSE
Component: Other (show other bugs)
Version: Leap 15.3
Hardware: Other Other
: P4 - Low : Normal (vote)
Target Milestone: ---
Assignee: Security Team bot
QA Contact: E-mail List
URL: https://smash.suse.de/issue/307716/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3716:3.5:(AV:N...
Keywords:
Depends on:
Blocks: NOSTARTTLS
  Show dependency treegraph
 
Reported: 2021-08-20 10:09 UTC by Gianluca Gabrielli
Modified: 2022-02-22 12:58 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Gianluca Gabrielli 2021-08-20 10:09:48 UTC 
A flaw was found in nbdkit due to to improperly caching plaintext state across the STARTTLS encryption boundary. A MitM attacker could use this flaw to inject a plaintext NBD_OPT_STRUCTURED_REPLY before proxying everything else a client sends to the server, potentially leading the client to terminate the NBD session. The highest threat from this vulnerability is to system availability.
Comment 1 Gianluca Gabrielli 2021-08-20 10:10:17 UTC 
Please update to v1.27.5 or above.
Comment 2 James Fehlig 2021-08-25 23:19:53 UTC 
(In reply to Gianluca Gabrielli from comment #1)
> Please update to v1.27.5 or above.

Actually it appears to be 1.27.6 or newer

git describe --contains 09a13dafb7bb3a38ab52eb5501cba786365ba7fd
v1.27.6~1

I've submitted 1.27.8 to Factory. For Leap 15.3, I suppose it needs to go the usual route through SUSE:SLE-15-SP3:Update?
Comment 3 OBSbugzilla Bot 2021-08-25 23:50:07 UTC 
This is an autogenerated message for OBS integration:
This bug (1189634) was mentioned in
https://build.opensuse.org/request/show/914307 Factory / nbdkit
Comment 6 James Fehlig 2022-02-08 22:52:29 UTC 
In the meantime Factory and SLE15 SP3 have nbdkit 1.29.4, which includes the fix for this vulnerability. AFAIK the virt team is done with this bug. Passing to the security team...