PT-2022-2047 · Libnbd+7 · Libnbd+7

Nir Soffer

Published

2022-03-21

Updated

2024-06-15

CVE-2022-0485

CVSS v3.1

4.8

Medium

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions libnbd (affected versions not specified)

Description The issue is related to the handling of exceptions in the nbdcopy tool of the libnbd library. When performing multi-threaded copies using asynchronous nbd calls, the tool may treat the completion of an asynchronous command as successful without checking the error parameter. This could result in the silent creation of a corrupted destination image. The vulnerability can be exploited by a remote attacker to automatically create damaged target images.

Recommendations For libnbd, consider disabling the nbdcopy tool until a patch is available to prevent the creation of corrupted destination images. Restrict access to the nbdcopy tool to minimize the risk of exploitation. Avoid using the nbdcopy tool for multi-threaded copies with asynchronous nbd calls until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Unchecked Return Value

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-252CWE-388

Related Identifiers

ALSA-2022:1759

BDU:2022-01701

CESA-2022_1759

CVE-2022-0485

OPENSUSE-SU-2022_2347-1

OPENSUSE-SU-2022_2754-1

OPENSUSE-SU-2024:11833-1

RHSA-2022:0949

RHSA-2022:0971

RHSA-2022:1759

RHSA-2022:2181

RHSA-2022_1759

RLSA-2022:1759

SUSE-SU-2022:2347-1

SUSE-SU-2022:2754-1

Affected Products

Almalinux

Centos

Debian

Red Hat

Red Os

Rocky Linux

Suse

Libnbd

PT-2022-2047 · Libnbd+7 · Libnbd+7

CVE-2022-0485

Weakness Enumeration

Related Identifiers

Affected Products

References · 185