CVE-2019-20432
Description
In the Lustre file system before 2.12.3, the mdt module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. mdt_file_secctx_unpack does not validate the value of name_size derived from req_capsule_get_size.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Lustre file system before 2.12.3 has an out-of-bounds access in the mdt module due to missing validation of packet fields, leading to a kernel panic.
Vulnerability
In the Lustre file system before version 2.12.3, the mdt module contains an out-of-bounds access vulnerability. The function mdt_file_secctx_unpack fails to validate the name_size field derived from req_capsule_get_size in packets sent by a client [1][2]. This missing validation allows a crafted packet to trigger an out-of-bounds read, leading to a system panic [2]. The issue affects all versions prior to 2.12.3 [1].
Exploitation
An attacker with network access to a Lustre file system can send a specially crafted packet to a server running an affected version. No authentication is required; the exploit is triggered during packet processing. The attacker does not need any special privileges or user interaction [2]. The kernel panic trace shows the call path from mdt_file_secctx_unpack through mdt_open_unpack and mdt_reint_unpack [2].
Impact
Successful exploitation causes a kernel panic (denial of service) on the metadata server (MDS). This disrupts access to the Lustre file system for all clients until the server is restored. The vulnerability does not appear to allow arbitrary code execution or data corruption; the primary impact is availability loss [2].
Mitigation
The vulnerability is fixed in Lustre version 2.12.3; the fix is documented in the changelog [1], although the release date is not known. Users should upgrade to 2.12.3 or later. No workarounds are mentioned in the available references. It is not listed in the CISA Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Lustre/Lustre file system (description)
References
- lustre.org (mitre, x_refsource_MISC)
- wiki.lustre.org/Lustre_2.12.3_Changelog (mitre, x_refsource_MISC)
- jira.whamcloud.com/browse/LU-12604 (mitre, x_refsource_MISC)
- review.whamcloud.com (mitre, x_refsource_MISC)