[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[Libguestfs] [NBDKIT SECURITY] Denial of Service / Amplification Attack in nbdkit



We have discovered a potential Denial of Service / Amplification Attack
in nbdkit.

Lifecycle
---------

Reported: 2019-09-11  Fixed: 2019-09-11  Published: 2019-09-12

There is no CVE number assigned for this issue yet, but the bug is
being categorized and processed by Red Hat's security team which may
result in a CVE being published later.

Credit
------

Reported and patched by Richard W.M. Jones <rjones redhat com>.

Reviewed by Eric Blake <eblake redhat com> and
Daniel Berrangé <berrange redhat com>.

Description
-----------

nbdkit is a Network Block Device (NBD) server with multiple plugins.

An attacker, by connecting to nbdkit’s TCP port, is able to make the
current plugin’s .open() callback run.  For some plugins this callback
does a considerable amount of work, for example connecting to a remote
machine (nbdkit-ssh-plugin) or launching a small VM
(nbdkit-guestfs-plugin).  Thus for a small amount of work done by the
attacker (opening many TCP connections but not sending any data), a
large amount of work is done by nbdkit (eg. making many full ssh
connections to a remote machine or launching hundreds of VMs).

A related problem is that if nbdkit is configured to use TLS for
client authentication, even clients which are not authorized are able
to attack nbdkit in this way because all they have to do is open a TCP
connection.

Mitigating this is that the current plugin is NOT selected by the
attacker, but is part of the server configuration.  Therefore the
effectiveness of the attack depends on the particular configuration.

There are two situations in which you will NOT be affected:

 * You are not exposing nbdkit over TCP (eg. using nbdkit -U), or the
   TCP port is not accessible to untrusted attackers (eg. private LAN,
   firewall rules).

 * The plugin you are using does not do much work in its .open()
   callback.  For example the memory plugin does nothing in its
   callback so is not vulnerable:
   https://github.com/libguestfs/nbdkit/blob/afbe7f11098df256acf8eafa9d4ec1e3cfd32910/plugins/memory/memory.c#L110-L115

Test if nbdkit is a vulnerable version
--------------------------------------

Run the following command (requires bash):

nbdkit -fv null --run 'sleep 1 >/dev/tcp/localhost/10809' 2>&1 |
  grep -q 'open readonly' && echo vulnerable || echo patched

Workarounds
-----------

It is recommended to upgrade to a fixed version of nbdkit (see next
section).  However if this cannot be done, apply network filtering
(eg. firewall, TCP wrappers, etc.) to ensure that untrusted clients
cannot connect to nbdkit’s public TCP port.  Or use a Unix domain
socket instead of a loopback TCP connection.

Fixes
-----

This affects all versions of nbdkit.  A fix is available for 1.12,
1.14 and the current development branch.

* development branch (1.15)
  https://github.com/libguestfs/nbdkit/commit/c05686f9577fa91b6a3a4d8c065954ca6fc3fd62
  or use nbdkit >= 1.15.1 from
  http://download.libguestfs.org/nbdkit/1.15-development/

* stable branch 1.14
  https://github.com/libguestfs/nbdkit/commit/e06cde00659ff97182173d0e33fff784041bcb4a
  or use nbdkit >= 1.14.1 from
  http://download.libguestfs.org/nbdkit/1.14-stable/

* stable branch 1.12
  https://github.com/libguestfs/nbdkit/commit/22b30adb796bb6dca264a38598f80b8a234ff978
  or use nbdkit >= 1.12.7 from
  http://download.libguestfs.org/nbdkit/1.12-stable/



-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-df lists disk usage of guests without needing to install any
software inside the virtual machine.  Supports Linux and Windows.
http://people.redhat.com/~rjones/virt-df/


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]