RHEL / RHEL-129296

unsanitized hostnames in nbd+ssh URIs allow remote execution


    • Bug
    • Resolution: Unresolved
    • rhel-10.2
    • rhel-10.1
    • libnbd
    • libnbd-1.23.12-1.el10
    • Important
    • ZStream
    • rhel-virt-tools
    • rhel-virt-tools-CY25-Sprint999
    • Regression Exception
    • Requested

      There's a security issue in libnbd in RHEL 10.1 and 10.2.

      Running a command such as:

      $ nbdinfo nbd+ssh://-oProxyCommand=glxgears
      

      will execute the command given in the hostname. If the command is missing, you'll see an error like this instead:

      $ nbdinfo nbd+ssh://-oProxyCommand=xeyes
      /bin/bash: line 1: exec: xeyes: not found
      

      Obviously this is unintended behaviour.

      We asked for a CVE to be assigned, but have been waiting for a while for that. (https://issues.redhat.com/servicedesk/customer/portal/3/PSIRTSUPT-285). This has already been fixed in Fedora. We should fix the issue in RHEL instead of waiting longer.

      The upstream fix is:
      https://gitlab.com/nbdkit/libnbd/-/commit/fffd87a3ba216cf2f9c212e5db96b13b98985edf

              Richard Jones (rhn-eng-rjones)
              virt-maint
              Ganesh Hubale
              Votes: 0
              Watchers: 11