CVE-2019-20424
Description
In the Lustre file system before 2.12.3, mdt_object_remote in the mdt module has a NULL pointer dereference and panic due to the lack of validation for specific fields of packets sent by a client.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lustre file system before 2.12.3 has a NULL pointer dereference in mdt_object_remote due to missing packet validation, leading to a kernel panic.
Vulnerability
In the Lustre file system before version 2.12.3, the mdt_object_remote function in the mdt module lacks validation for specific fields of packets sent by a client. This oversight can trigger a NULL pointer dereference when processing maliciously crafted packets. The vulnerability affects MDS (Metadata Server) nodes and can lead to a kernel panic. Versions prior to 2.12.3 are impacted, including 2.13.0 as noted in reference [2].
Exploitation
An attacker with network access to the Lustre file system can send a crafted packet to the MDS. The packet must contain fields that, when processed by mdt_object_remote, cause the code to dereference a NULL pointer. No authentication is required, as the vulnerability is triggered during initial packet handling. The kernel panic trace from [2] shows the crash occurs in mdt_object_lock_internal, called from mdt_object_remote.
Impact
Successful exploitation causes a kernel panic on the MDS, resulting in a denial of service. The system crashes and must be rebooted. There is no indication of privilege escalation or data loss beyond the service disruption.
Mitigation
The issue is fixed in Lustre 2.12.3, released on or before January 27, 2020 [1]. Users should upgrade to version 2.12.3 or later. No workarounds are documented in the available references.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Lustre/Lustre file system
Patches
No patches discovered yet.
References
- lustre.org (mitre, x_refsource_MISC)
- wiki.lustre.org/Lustre_2.12.3_Changelog (mitre, x_refsource_MISC)
- jira.whamcloud.com/browse/LU-12615 (mitre, x_refsource_MISC)
- review.whamcloud.com (mitre, x_refsource_MISC)