Re: STARTTLS vulnerabilities

[Eric Blake <eblake () redhat com>]

On Wed, Aug 11, 2021 at 06:02:35PM +0200, Hanno Böck wrote:
> On Wed, 11 Aug 2021 10:31:58 -0500
> Eric Blake <eblake () redhat com> wrote:
>
> > Not mentioned in that list was ndb, but as far as I can tell, that
> > project has already documented the ramifications of opportunistic
> > encryption as being a security risk, and all known implementations
> > (both servers and clients) with TLS support have a mode of execution
> > that ensures the connection is dropped if a downgrade attack is
> > attempted:
>
> I should point out that our research is not on simple downgrade attacks.
> These are kinda obvious by the design of STARTTLS if you implement it
> in an opportunistic way.
>
> The buffering vulnerabilities we found are in STARTTLS implementations
> that have the expectation to enforce a secure connection, but suffer
> from various vulnerabilities in the implementation.

Thank you for persisting.  As a result, I have found a security bug in
nbdkit, which improperly cached the result of NBD_OPT_STRUCTURED_REPLY
from a plaintext MitM attacker prior to acting on NBD_OPT_STARTTLS, to
the potential confusion of a client that does not expect structured
replies.  I will follow up again when I have a CVE number.

https://listman.redhat.com/archives/libguestfs/2021-August/msg00077.html

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org