2216478 – (CVE-2023-3354) CVE-2023-3354 QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service

Bug 2216478 (CVE-2023-3354) - CVE-2023-3354 QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service

Summary: CVE-2023-3354 QEMU: VNC: improper I/O watch removal in TLS handshake can lead...

Keywords:
Status:	NEW
Alias:	CVE-2023-3354
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2216502 2216503 2216504 2216505 2216506 2216507 2216508 2216509 2216510 2216511 2216517 2216518 2216519 2218149
Blocks:	2216474
TreeView+	depends on / blocked

Reported:	2023-06-21 14:50 UTC by Mauro Matteo Cascella
Modified:	2024-01-24 16:41 UTC (History)
CC List:	20 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2023:5417	None	None	None	2023-10-03 11:48:42 UTC
Red Hat Product Errata	RHBA-2023:5418	None	None	None	2023-10-03 11:59:58 UTC
Red Hat Product Errata	RHSA-2023:5094	None	None	None	2023-09-12 10:12:40 UTC
Red Hat Product Errata	RHSA-2023:5239	None	None	None	2023-09-19 13:05:00 UTC
Red Hat Product Errata	RHSA-2023:5264	None	None	None	2023-09-19 14:37:10 UTC
Red Hat Product Errata	RHSA-2023:5587	None	None	None	2023-10-10 14:14:16 UTC
Red Hat Product Errata	RHSA-2023:5796	None	None	None	2023-10-17 15:35:23 UTC
Red Hat Product Errata	RHSA-2023:6227	None	None	None	2023-11-01 09:06:58 UTC
Red Hat Product Errata	RHSA-2024:0404	None	None	None	2024-01-24 16:41:05 UTC

Description Mauro Matteo Cascella 2023-06-21 14:50:09 UTC

When a client connects to the VNC server, QEMU will check whether the current number of connections is greater than the limitation. If so, it will clean up the previous connection. If that connection happens to be in the handshake phase and fails, QEMU will clean up the connection again, which will result in a NULL pointer dereference issue. A remote unauthenticated user could use this flaw to cause a denial of service.

Comment 5 Mauro Matteo Cascella 2023-06-28 10:49:56 UTC

Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2218149]

Comment 7 Mauro Matteo Cascella 2023-07-05 18:38:04 UTC

Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html

Comment 10 Mauro Matteo Cascella 2023-07-12 17:08:03 UTC

Patch v2:
https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg02668.html

Comment 11 errata-xmlrpc 2023-09-12 10:12:38 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5094 https://access.redhat.com/errata/RHSA-2023:5094

Comment 12 errata-xmlrpc 2023-09-19 13:04:58 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5239 https://access.redhat.com/errata/RHSA-2023:5239

Comment 13 errata-xmlrpc 2023-09-19 14:37:07 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5264 https://access.redhat.com/errata/RHSA-2023:5264

Comment 14 errata-xmlrpc 2023-10-10 14:14:14 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5587 https://access.redhat.com/errata/RHSA-2023:5587

Comment 15 errata-xmlrpc 2023-10-17 15:35:21 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5796 https://access.redhat.com/errata/RHSA-2023:5796

Comment 16 errata-xmlrpc 2023-11-01 09:06:56 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:6227 https://access.redhat.com/errata/RHSA-2023:6227

Comment 17 Ricky 2023-11-02 19:34:04 UTC Comment hidden (spam)

Have you ever heard of PaybyPlateMa? It is a new and innovative way to pay bills online. Instead of sending your invoice by mail. https://paybyplatema.site/

Comment 18 jackpit 2023-12-14 06:00:12 UTC Comment hidden (spam)

i have fixed this bug on my website https://lowescomsurvey.online/

Comment 19 errata-xmlrpc 2024-01-24 16:41:03 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0404 https://access.redhat.com/errata/RHSA-2024:0404

Note You need to log in before you can comment on or make changes to this bug.

allupdates7
ddepaula
dhughes
eglynn
jen
jferlan
jjoyce
jmaloy
knoel
lhh
mburns
mgarciac
mkenneth
mrezanin
mst
murtaza.8060
pbonzini
pgrist
virt-maint
ymankad