Bug 2216478 (CVE-2023-3354) - CVE-2023-3354 QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service
Summary: CVE-2023-3354 QEMU: VNC: improper I/O watch removal in TLS handshake can lead...
Keywords:
Status: NEW
Alias: CVE-2023-3354
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2216502 2216503 2216504 2216505 2216506 2216507 2216508 2216509 2216510 2216511 2216517 2216518 2216519 2218149
Blocks: 2216474
TreeView+ depends on / blocked
 
Reported: 2023-06-21 14:50 UTC by Mauro Matteo Cascella
Modified: 2024-01-24 16:41 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:5417 0 None None None 2023-10-03 11:48:42 UTC
Red Hat Product Errata RHBA-2023:5418 0 None None None 2023-10-03 11:59:58 UTC
Red Hat Product Errata RHSA-2023:5094 0 None None None 2023-09-12 10:12:40 UTC
Red Hat Product Errata RHSA-2023:5239 0 None None None 2023-09-19 13:05:00 UTC
Red Hat Product Errata RHSA-2023:5264 0 None None None 2023-09-19 14:37:10 UTC
Red Hat Product Errata RHSA-2023:5587 0 None None None 2023-10-10 14:14:16 UTC
Red Hat Product Errata RHSA-2023:5796 0 None None None 2023-10-17 15:35:23 UTC
Red Hat Product Errata RHSA-2023:6227 0 None None None 2023-11-01 09:06:58 UTC
Red Hat Product Errata RHSA-2024:0404 0 None None None 2024-01-24 16:41:05 UTC

Description Mauro Matteo Cascella 2023-06-21 14:50:09 UTC
When a client connects to the VNC server, QEMU will check whether the current number of connections is greater than the limitation. If so, it will clean up the previous connection. If that connection happens to be in the handshake phase and fails, QEMU will clean up the connection again, which will result in a NULL pointer dereference issue. A remote unauthenticated user could use this flaw to cause a denial of service.

Comment 5 Mauro Matteo Cascella 2023-06-28 10:49:56 UTC
Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2218149]

Comment 7 Mauro Matteo Cascella 2023-07-05 18:38:04 UTC
Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html

Comment 10 Mauro Matteo Cascella 2023-07-12 17:08:03 UTC
Patch v2:
https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg02668.html

Comment 11 errata-xmlrpc 2023-09-12 10:12:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5094 https://access.redhat.com/errata/RHSA-2023:5094

Comment 12 errata-xmlrpc 2023-09-19 13:04:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions

Via RHSA-2023:5239 https://access.redhat.com/errata/RHSA-2023:5239

Comment 13 errata-xmlrpc 2023-09-19 14:37:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5264 https://access.redhat.com/errata/RHSA-2023:5264

Comment 14 errata-xmlrpc 2023-10-10 14:14:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:5587 https://access.redhat.com/errata/RHSA-2023:5587

Comment 15 errata-xmlrpc 2023-10-17 15:35:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:5796 https://access.redhat.com/errata/RHSA-2023:5796

Comment 16 errata-xmlrpc 2023-11-01 09:06:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:6227 https://access.redhat.com/errata/RHSA-2023:6227

Comment 17 Ricky 2023-11-02 19:34:04 UTC Comment hidden (spam)
Comment 18 jackpit 2023-12-14 06:00:12 UTC Comment hidden (spam)
Comment 19 errata-xmlrpc 2024-01-24 16:41:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0404 https://access.redhat.com/errata/RHSA-2024:0404


Note You need to log in before you can comment on or make changes to this bug.