Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 19 May 2015 12:16:08 +0200
From: Alessandro Ghedini <alessandro@...dini.me>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE Request: nbd denial of service

Hello,

the following vulnerability was reported in the Debian bug tracker for nbd:

> There's a remotely exploitable denial of service flaw, similar/identical
> to CVE-2011-1925 in nbd-server. It has been documented publicly in
> 2013-01-28[1]. It has been fixed in upstream version 3.4 [2] and hence
> affects only the stable release (1:3.2-4~deb7u4).
> 
> [1]: http://sourceforge.net/p/nbd/mailman/message/30410146/
> [2]: https://github.com/yoe/nbd/commit/741495cb08503fd32a9d22648e63b64390c601f4
> 
> The flaw can be exploited easily by connecting to a server (listening at
> 10.0.0.1 in this example) and asking for a non-existing export:
> 
>   nbd-client 10.0.0.1 -N some-non-existing-export-name /dev/nbd1
> 
> The root (listener) nbd-server process will exit because of failed
> negotiation procedure, effectively denying the service from others.

See https://bugs.debian.org/781547

According to the upstream author (Wouter Verhelst):

> versions <= 2.9.16 and >= 3.4 are definitely not vulnerable. Versions released
> immediately after CVE-2011-1925 are *probably* not vulnerable, but I'm not
> sure (and I don't want to go test all of them...). Versions released between
> 2.9.16 and 2.9.22 (which fixes CVE-2011-1925) are vulnerable in the sense that
> the bad design is still there, but I don't believe they would crash in that
> manner.

Can a CVE be assigned for this please?

Cheers

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ