
Cloud Vulnerability DB
A community-led vulnerabilities database
A security vulnerability (CVE-2021-3716) was discovered in nbdkit, affecting versions 1.12 through 1.26.4. The flaw was related to improper caching of plaintext state across the STARTTLS encryption boundary. This vulnerability was discovered in August 2021 and was fixed in nbdkit versions 1.24.6, 1.26.5, and 1.27.6 (Red Hat Bugzilla, NVD).
The vulnerability stems from nbdkit improperly caching the result of NBD_OPT_STRUCTURED_REPLY from a plaintext Man-in-the-Middle (MitM) attacker prior to acting on NBD_OPT_STARTTLS. The CVSS v3.1 base score is 3.1 (LOW) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L. The bug was introduced in nbdkit v1.11.8 (March 2019) with the first implementation of NBD Structured Replies (Openwall, NVD).
The primary impact of this vulnerability is on system availability. When exploited, it could lead to the client terminating the NBD session. The vulnerability specifically affects older clients that understand TLS but not structured replies, such as qemu versions 2.6 through 2.10, and all versions of nbd-client from 3.15 to present (Openwall).
The vulnerability can be mitigated by using nbdkit in forced TLS mode (--tls=require) instead of opportunistic mode. Additionally, all impacted nbdkit versions give successful replies to repeated NBD_OPT_STRUCTURED_REPLY requests, so clients that request structured replies after STARTTLS will not see any change in behavior despite the MitM injection (Openwall).
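The state handling described above can be modelled in a few lines of C. This is an added example, not nbdkit's code: struct conn, negotiate(), session_survives() and the two option sequences are hypothetical and constructed for illustration; only the option codes come from the NBD protocol specification.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Option codes from the NBD protocol specification. */
enum { NBD_OPT_STARTTLS = 5, NBD_OPT_GO = 7, NBD_OPT_STRUCTURED_REPLY = 8 };

/* Hypothetical, simplified per-connection state (not nbdkit's struct). */
struct conn {
    bool tls;                /* STARTTLS has completed */
    bool structured_replies; /* server will answer reads with structured replies */
};

/* Constructed option sequences as the server sees them. The first option in
 * each arrives in plaintext, before STARTTLS, so it may come from a MitM. */
static const int OLD_CLIENT[] = { NBD_OPT_STRUCTURED_REPLY, NBD_OPT_STARTTLS, NBD_OPT_GO };
static const int NEW_CLIENT[] = { NBD_OPT_STRUCTURED_REPLY, NBD_OPT_STARTTLS, NBD_OPT_STRUCTURED_REPLY, NBD_OPT_GO };

/* Return the state at the start of transmission. reset_on_starttls == false
 * keeps plaintext state across the TLS boundary (the flaw); true discards it. */
static struct conn negotiate(const int *opts, size_t n, bool reset_on_starttls)
{
    struct conn c = { false, false };
    for (size_t i = 0; i < n && opts[i] != NBD_OPT_GO; i++) {
        if (opts[i] == NBD_OPT_STRUCTURED_REPLY) {
            c.structured_replies = true;      /* repeated requests also succeed */
        } else if (opts[i] == NBD_OPT_STARTTLS) {
            if (reset_on_starttls)
                c.structured_replies = false; /* nothing plaintext survives */
            c.tls = true;
        }
    }
    return c;
}

/* The session breaks when the server sends structured replies the client never asked for over TLS. */
static bool session_survives(struct conn c, bool client_asked_over_tls)
{
    return !c.structured_replies || client_asked_over_tls;
}

int main(void)
{
    printf("old client, state cached: survives=%d\n", session_survives(negotiate(OLD_CLIENT, 3, false), false));
    printf("old client, state reset:  survives=%d\n", session_survives(negotiate(OLD_CLIENT, 3, true), false));
    printf("new client, state cached: survives=%d\n", session_survives(negotiate(NEW_CLIENT, 4, false), true));
    return 0;
}
```

The third case matches the observation above that a client which requests structured replies again after STARTTLS sees no change in behavior.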
Source: This report was generated using AI