CVE-2019-14850 : A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.

A denial of service vulnerability was discovered in nbdkit 1.12.7, 1.14.1 and 1.15.1. An attacker could connect to the nbdkit service and cause it to perform a large amount of work in initializing backend plugins, by simply opening a connection to the service. This vulnerability could cause resource consumption and degradation of service in nbdkit, depending on the plugins configured on the server-side.

Published 2021-03-18 19:15:13

Updated 2021-03-24 18:05:15

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2019-14850

Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0 Advanced Virtualization Edition
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:advanced_virtualization:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Virtualization » Version: 4.0
cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
Matching versions
Nbdkit Project » Nbdkit
Versions from including (>=) 1.15.0 and before (<) 1.15.1
cpe:2.3:a:nbdkit_project:nbdkit:*:*:*:*:*:*:*:*
Matching versions
Nbdkit Project » Nbdkit
Versions from including (>=) 1.14.0 and before (<) 1.14.1
cpe:2.3:a:nbdkit_project:nbdkit:*:*:*:*:*:*:*:*
Matching versions
Nbdkit Project » Nbdkit
Versions before (<) 1.12.7
cpe:2.3:a:nbdkit_project:nbdkit:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2019-14850

Top countries where our scanners detected CVE-2019-14850

Top open port discovered on systems with this issue 53

IPs affected by CVE-2019-14850 61,437

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2019-14850!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2019-14850

EPSS FAQ

0.17%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 39 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-14850

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
2.6	LOW	AV:N/AC:H/Au:N/C:N/I:N/A:P	4.9	2.9	NIST
Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
3.7	LOW	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L	2.2	1.4	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: Low

CWE ids for CVE-2019-14850

CWE-406 Insufficient Control of Network Message Volume (Network Amplification)

The product does not sufficiently monitor or control transmitted network traffic volume, so that an actor can cause the product to transmit more traffic than should be allowed for that actor.

Assigned by: secalert@redhat.com (Primary)

References for CVE-2019-14850

https://www.redhat.com/archives/libguestfs/2019-September/msg00084.html

[Libguestfs] [NBDKIT SECURITY] Denial of Service / Amplification Attack
Exploit;Mailing List;Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1757258

1757258 – (CVE-2019-14850) CVE-2019-14850 nbdkit: denial of service due to premature opening of back-end connection
Issue Tracking;Patch;Third Party Advisory