OpenCVE

A flaw was found in libnbd, due to a malicious Network Block Device (NBD), a protocol for accessing Block Devices such as hard disks over a Network. This issue may allow a malicious NBD server to cause a Denial of Service.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Enterprise Linux Libnbd

Configuration 1 [-]

OR	cpe:2.3:a:redhat:libnbd::::::::
	cpe:2.3:a:redhat:libnbd:1.19.1:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 9
libnbd-0:1.18.1-3.el9	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:2204	2024-04-30T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2024:2204
https://access.redhat.com/security/cve/CVE-2023-5871
https://bugzilla.redhat.com/show_bug.cgi?id=2247308
https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/PFVUCMPFQUDC23JXSCUUPXIGDZ7XCFMD/
https://nvd.nist.gov/vuln/detail/CVE-2023-5871
https://www.cve.org/CVERecord?id=CVE-2023-5871

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-11-27T11:58:44.737Z

Updated: 2024-09-16T15:58:38.908Z

Reserved: 2023-10-31T05:04:33.007Z

Link: CVE-2023-5871

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-11-27T12:15:07.940

Modified: 2024-04-30T14:15:11.680

Link: CVE-2023-5871

Redhat

Severity : Moderate

Publid Date: 2023-10-31T19:11:00Z

Links: CVE-2023-5871 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-5871", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-10-31T05:04:33.007Z", "datePublished": "2023-11-27T11:58:44.737Z", "dateUpdated": "2024-09-16T15:58:38.908Z"}, "containers": {"cna": {"title": "Libnbd: malicious nbd server may crash libnbd", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in libnbd, due to a malicious Network Block Device (NBD), a protocol for accessing Block Devices such as hard disks over a Network. This issue may allow a malicious NBD server to cause a Denial of Service."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libnbd", "defaultStatus": "affected", "versions": [{"version": "0:1.18.1-3.el9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libnbd", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "libnbd", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "virt:rhel/libnbd", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:2204", "name": "RHSA-2024:2204", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5871", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2247308", "name": "RHBZ#2247308", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/PFVUCMPFQUDC23JXSCUUPXIGDZ7XCFMD/"}], "datePublic": "2023-10-31T19:11:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-617", "description": "Reachable Assertion", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-617: Reachable Assertion", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2023-10-31T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-31T19:11:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-09-16T15:58:38.908Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T08:14:24.747Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:2204", "name": "RHSA-2024:2204", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-5871", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2247308", "name": "RHBZ#2247308", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/PFVUCMPFQUDC23JXSCUUPXIGDZ7XCFMD/", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:libnbd:*:*:*:*:*:*:*:*", "matchCriteriaId": "CC0C405B-6B3C-4B02-955E-78D0C5EB5921", "versionEndExcluding": "1.18.2", "versionStartIncluding": "1.17.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:libnbd:1.19.1:*:*:*:*:*:*:*", "matchCriteriaId": "8897ADBA-AC01-499C-8EAB-5AFB5486B821", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in libnbd, due to a malicious Network Block Device (NBD), a protocol for accessing Block Devices such as hard disks over a Network. This issue may allow a malicious NBD server to cause a Denial of Service."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en libnbd debido a un Network Block Device (NBD) malicioso, un protocolo para acceder a dispositivos de bloque, como discos duros, a trav\u00e9s de una red. Este problema puede permitir que un servidor NBD malintencionado provoque una Denegaci\u00f3n de Servicio."}], "id": "CVE-2023-5871", "lastModified": "2024-04-30T14:15:11.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2023-11-27T12:15:07.940", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2204"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-5871"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2247308"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Patch"], "url": "https://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/PFVUCMPFQUDC23JXSCUUPXIGDZ7XCFMD/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-617"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-617"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:2204", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "libnbd-0:1.18.1-3.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}], "bugzilla": {"description": "libnbd: Malicious NBD server may crash libnbd", "id": "2247308", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2247308"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-617", "details": ["A flaw was found in libnbd, due to a malicious Network Block Device (NBD), a protocol for accessing Block Devices such as hard disks over a Network. This issue may allow a malicious NBD server to cause a Denial of Service.", "A flaw was found in libnbd, due to a malicious Network Block Device (NBD), a protocol for accessing Block Devices such as hard disks over a Network. This issue may allow a malicious NBD server to cause a Denial of Service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-5871", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "libnbd", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "libnbd", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "virt:rhel/libnbd", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2023-10-31T19:11:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-5871\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5871\nhttps://lists.libguestfs.org/archives/list/guestfs@lists.libguestfs.org/thread/PFVUCMPFQUDC23JXSCUUPXIGDZ7XCFMD/"], "statement": "Libnbd 1.16.x and earlier are not impacted, these versions gracefully reject an extended response from a malicious server as unknown since they lack extended headers support.", "threat_severity": "Moderate", "upstream_fix": "libnbd 1.18.2"}