Bug 2234984 (CVE-2020-23793)

Summary: CVE-2020-23793 spice: Improper input validation in function async_READ_handler
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: cfergeau, mkenneth, rh-spice-bugs, saroy, uril, ymankad
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Keywords: Security
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in spice-server in Red Hat's VDI product that can restart a KVM virtual machine without any authorization. A handshake is required before spice-server and spice-client can establish communication, and spice-client sends a request containing information that the server needs. This TCP request requires only a host and port; a malformed TCP packet causes the VM to crash and the QEMU-KVM process to be restarted.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2235000
Bug Blocks: 2234985

Description Pedro Sampaio 2023-08-25 20:46:10 UTC
An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Redhat's VDI product. There is a security vulnerability that can restart a KVM virtual machine without any authorization. It is not yet known if there will be other effects.

References:

https://github.com/zelat/spice-security-issues

Comment 2 Uri Lublin 2023-08-27 14:44:35 UTC
Hi,

The problem is a header with huge 'size' ().

I think it is already known and fixed -- see bug (CVE-2016-9577)

Fixed by upstream commit ec124b982abcd23364963ffcd4c370b1ec962fc9
  "Prevent possible DoS attempts during protocol handshake"

$ git describe ec124b982abcd23364963ffcd4c370b1ec962fc9 --tags
v0.13.3-149-gec124b98

So spice-server-0.14.0 should be fine.

I tested on Fedora 38 and on RHEL-8.8 and the server does not abort.
I'll test soon with RHEL-7.6.

Comment 3 Uri Lublin 2023-08-27 14:52:06 UTC
In the spice-security-issues script, the 'size' field is 0xF0E70000 == 4041670656

Comment 7 Uri Lublin 2023-08-29 14:00:44 UTC
I quickly tested on a RHEL-7.6 VM, as follows, and did not encounter the problem:
Open two terminals on a RHEL-7.6 machine.
Terminal 1: /usr/libexec/qemu-kvm -S -spice disable-ticketing,port=5900

Terminal 2: python SPICE_CRASH_Expliot.py # modified with "localhost" and 5900.

This results in the following spice-server error message, while the VM keeps running:
(process:14353): Spice-WARNING **: 16:36:55.399: reds.c:2383:reds_handle_read_header_done: bad size 4041670656

# rpm -q spice-server qemu-kvm
spice-server-0.14.0-6.el7_6.1.x86_64
qemu-kvm-1.5.3-160.el7_6.1.x86_64
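The comments above boil down to one check: the server must reject a link header whose 'size' field is out of range before it allocates or reads that many bytes. The following is an added illustration written for this bug report, not spice-server's own code: it parses the 16-byte SPICE link header (magic "REDQ", major, minor, size, all little-endian) and rejects the 0xF0E70000 size from the script the same way the "bad size" warning in reds_handle_read_header_done does. The lower bound (the 24-byte SpiceLinkMess) is from the protocol; the upper bound LINK_MESS_MAX_SIZE and the helper names are assumptions for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "REDQ" on the wire, read as a little-endian uint32 (spice-protocol). */
#define SPICE_MAGIC ((uint32_t)'R' | (uint32_t)'E' << 8 | (uint32_t)'D' << 16 | (uint32_t)'Q' << 24)
#define SPICE_LINK_MESS_SIZE 24u     /* six uint32 fields of SpiceLinkMess */
#define LINK_MESS_MAX_SIZE 4096u     /* assumed cap for this example, not a spice constant */

enum { HDR_OK = 0, HDR_SHORT, HDR_BAD_MAGIC, HDR_BAD_VERSION, HDR_BAD_SIZE };

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Validate a received link header. Nothing is allocated or read until this returns HDR_OK. */
int validate_link_header(const uint8_t *buf, size_t len) {
    if (len < 16) return HDR_SHORT;
    uint32_t magic = rd_le32(buf), major = rd_le32(buf + 4), size = rd_le32(buf + 12);
    if (magic != SPICE_MAGIC) return HDR_BAD_MAGIC;
    if (major != 2) return HDR_BAD_VERSION;               /* SPICE protocol major version 2 */
    if (size < SPICE_LINK_MESS_SIZE || size > LINK_MESS_MAX_SIZE) return HDR_BAD_SIZE;
    return HDR_OK;
}

/* Construct an otherwise valid header carrying the given 'size' and validate it. */
int check_header_with_size(uint32_t size) {
    uint8_t hdr[16];
    wr_le32(hdr, SPICE_MAGIC); wr_le32(hdr + 4, 2); wr_le32(hdr + 8, 2); wr_le32(hdr + 12, size);
    return validate_link_header(hdr, sizeof hdr);
}

int main(void) {
    /* 0xF0E70000 is the value reported in comment 3; 24 is the smallest legitimate body. */
    printf("size 0xF0E70000 -> %d (expect %d)\n", check_header_with_size(0xF0E70000u), HDR_BAD_SIZE);
    printf("size 24         -> %d (expect %d)\n", check_header_with_size(24u), HDR_OK);
    return 0;
}
```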