CVE-2013-7441 - Resource Management Errors vulnerability in Wouter Verhelst NBD

CVSS 7.8 - HIGH

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: NONE
  • Integrity impact: NONE
  • Availability impact: COMPLETE
Tags: network, low complexity, wouter-verhelst, CWE-399, nessus

Summary

The modern style negotiation in Network Block Device (nbd-server) 2.9.22 through 3.3 allows remote attackers to cause a denial of service (root process termination) by (1) closing the connection during negotiation or (2) specifying a name for a non-existent export.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2676-1.NASL
    description: It was discovered that NBD incorrectly handled IP address matching. A remote attacker could use this issue with an IP address that has a partial match and bypass access restrictions. This issue only affected Ubuntu 12.04 LTS. (CVE-2013-6410) Tuomas Rasanen discovered that NBD incorrectly handled wrong export names and closed connections during negotiation. A remote attacker could use this issue to cause NBD to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2013-7441) Tuomas Rasanen discovered that NBD incorrectly handled signals. A remote attacker could use this issue to cause NBD to crash, resulting in a denial of service. (CVE-2015-0847). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84958
    published: 2015-07-23
    reporter: Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84958
    title: Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : nbd vulnerabilities (USN-2676-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3271.NASL
    description: Tuomas Rasanen discovered that unsafe signal handling in nbd-server, the server for the Network Block Device protocol, could allow remote attackers to cause a deadlock in the server process and thus a denial of service. Tuomas Rasanen also discovered that the modern-style negotiation was carried out in the main server process before forking the actual client handler. This could allow a remote attacker to cause a denial of service (crash) by querying a non-existent export. This issue only affected the oldstable distribution (wheezy).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 83788
    published: 2015-05-26
    reporter: This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/83788
    title: Debian DSA-3271-1 : nbd - security update
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2015-393.NASL
    description: Fix CVE-2013-7441 (boo#931987) - CVE-2013-7441.patch; Fix CVE-2015-0847 (boo#930173) - nbd_signaling_CVE-2015-0847.patch
    last seen: 2020-06-05
    modified: 2015-06-04
    plugin id: 83981
    published: 2015-06-04
    reporter: This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/83981
    title: openSUSE Security Update : nbd (openSUSE-2015-393)