libnbd TLS Verification Vulnerability Allows Man-in-the-Middle Attack

CVE-2024-7383

7.4HIGH

Key Information

Vendor: Red Hat
Status: Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 9; Red Hat Enterprise Linux 8 Advanced Virtualization
Vendor: CVE Published:; 5 August 2024

Summary

A flaw was found in libnbd. The client did not always correctly verify the NBD server's certificate when using TLS to connect to an NBD server. This issue allows a man-in-the-middle attack on NBD traffic.

Affected Version(s)

Red Hat Enterprise Linux 8 <= 8100020240905091210.489197e6

Red Hat Enterprise Linux 9 <= 0:1.18.1-4.el9_4

CVSS V3.1

Score:

7.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Risk change from: 5.9 to: 7.4 - (HIGH)
Aug 6, 2024
Risk change from: null to: 5.9 - (MEDIUM)
Aug 5, 2024
Vulnerability published.
Aug 5, 2024
Reported to Red Hat.
Aug 4, 2024
Vulnerability Reserved.
Aug 1, 2024

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Jon Szymaniak for reporting this issue.