VYPR
Unrated severity · NVD Advisory · Published Jan 27, 2020 · Updated Aug 5, 2024

CVE-2019-20427

Description

In the Lustre file system before 2.12.3, the ptlrpc module has a buffer overflow and panic, and possibly remote code execution, due to the lack of validation for specific fields of packets sent by a client. Interaction between req_capsule_get_size and tgt_brw_write leads to a tgt_shortio2pages integer signedness error.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Lustre file system before 2.12.3 has a buffer overflow in the ptlrpc module due to missing validation of client packet fields, leading to panic and potential RCE.

Vulnerability

In the Lustre file system versions before 2.12.3, the ptlrpc module contains a buffer overflow vulnerability caused by the lack of validation for specific fields in packets sent by a client [1]. The issue lies in the interaction between req_capsule_get_size and tgt_brw_write, which results in an integer signedness error in tgt_shortio2pages. This allows an attacker to overwrite up to 0xffffffff bytes of kernel memory [2]. The vulnerability affects Lustre versions prior to 2.12.3 [1].

Exploitation

An attacker needs to be able to send crafted packets to a Lustre server. No authentication is required if the server allows unauthenticated client connections, which is common in Lustre setups. The attacker sends a maliciously crafted packet with a negative or oversized length field that bypasses size checks. This triggers the signedness error, leading to a call to memcpy with a huge length (0xffffffff), causing a buffer overflow [2]. The crash shown in the kernel trace confirms exploitation is possible by a remote client [2].
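
The signedness error described above, reduced to a short C sketch. This is an added example, not Lustre source code: the function names, the 4096-byte buffer and the 32-bit conversion are assumptions chosen to mirror the 0xffffffff length the text cites, and the second function shows the validation such a length needs before it reaches memcpy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 4096 /* assumed destination size, not a Lustre constant */

/* Flawed pattern: a client-supplied length held in a signed int is only
 * compared against the upper bound. Returns the byte count that would be
 * handed to memcpy, or 0 when the check rejects the value. No copy is done. */
size_t flawed_copy_len(int wire_len)
{
    if (wire_len > BUF_SIZE)           /* -1 > 4096 is false, so -1 passes */
        return 0;
    return (size_t)(uint32_t)wire_len; /* -1 becomes 0xffffffff */
}

/* Hardened pattern: reject negative values first, then bound the length by
 * both the destination and the bytes actually received, then copy. */
int checked_copy(void *dst, size_t dst_size,
                 const void *src, size_t src_size, int wire_len)
{
    if (wire_len < 0)
        return -1;
    if ((size_t)wire_len > dst_size || (size_t)wire_len > src_size)
        return -1;
    memcpy(dst, src, (size_t)wire_len);
    return wire_len;
}

int main(void)
{
    char dst[BUF_SIZE];
    const char payload[] = "constructed sample payload";

    printf("flawed check, len=-1 -> copy size %#zx\n", flawed_copy_len(-1));
    printf("checked copy, len=-1 -> %d\n",
           checked_copy(dst, sizeof dst, payload, sizeof payload, -1));
    printf("checked copy, len=11 -> %d\n",
           checked_copy(dst, sizeof dst, payload, sizeof payload, 11));
    return 0;
}
```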

Impact

Successful exploitation can cause a kernel panic (denial of service) and potentially remote code execution (RCE) in the kernel context. The attacker can overwrite arbitrary kernel memory, which likely allows complete compromise of the system, including reading, writing, or destroying files, and executing code with full privileges [1][2]. Confidentiality, integrity, and availability are all at high risk.

Mitigation

The fix is included in Lustre version 2.12.3, released on January 10, 2020 [1]. Users should upgrade to 2.12.3 or later immediately. There is no known workaround. Systems running older versions are vulnerable and should be patched. No CISA KEV listing is known.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Lustre/Lustre file system (description)
  • Lustre/Lustre (llm-fuzzy)
    Range: <2.12.3

References

4