CVE-2019-20425

Vulnerability

The Lustre file system before version 2.12.3 contains an out-of-bounds access vulnerability in the ptlrpc module, specifically in the function lustre_msg_string. The function fails to validate a length value derived from lustre_msg_buflen_v2 in packets sent by a client. This lack of validation allows an attacker to craft malicious network packets that cause the kernel to read beyond allocated memory, triggering a panic. The issue is fixed in Lustre 2.12.3 [1] [2].

Exploitation

An attacker with network access to a Lustre server or client can send specially crafted packets with manipulated length fields. No authentication is required because the vulnerable code path is reachable from unauthenticated network messages. The attacker triggers the vulnerability by sending a packet where the lustre_msg_buflen_v2 value points outside the bounds of the actual buffer, causing lustre_msg_string to attempt a read beyond the intended region [2].

Impact

Successful exploitation results in an out-of-bounds read and kernel panic, leading to a denial of service (DoS) on the affected Lustre system component. The crash can disrupt file system operations, potentially affecting all clients and servers connected to the same Lustre cluster. The vulnerability does not grant code execution or privilege escalation based on available information [2].

Mitigation

The vulnerability is fixed in Lustre version 2.12.3, which was released on or before January 27, 2020 [1]. Users should upgrade to this version or later. There are no known workarounds; the fix requires deploying the updated software on all Lustre servers and clients. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.