Bug 2234984 (CVE-2020-23793)
| Summary: | CVE-2020-23793 spice: Improper input validation in function async_READ_handler | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
| Status: | NEW --- | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | cfergeau, mkenneth, rh-spice-bugs, saroy, uril, ymankad |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in spice-server in Red Hat's VDI product that can restart a KVM virtual machine without any authorization. A handshake is required before spice-server and spice-client can establish communication, and spice-client sends a request containing information that the server needs. This TCP request requires only a host and port; a malformed TCP packet causes the VM to crash and the QEMU-KVM process to be restarted. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 2235000 | | |
| Bug Blocks: | 2234985 | | |
Description
Pedro Sampaio
2023-08-25 20:46:10 UTC
Hi,

The problem is a header with huge 'size' ().

I think it is already known and fixed -- see bug (CVE-2016-9577)

Fixed by upstream commit ec124b982abcd23364963ffcd4c370b1ec962fc9 "Prevent possible DoS attempts during protocol handshake"

$ git describe ec124b982abcd23364963ffcd4c370b1ec962fc9 --tags
v0.13.3-149-gec124b98

So spice-server-0.14.0 should be fine.

I tested on Fedora 38 and on RHEL-8.8 and the server does not abort. I'll test soon with RHEL-7.6.

In the spice-security-issue's script, 'size' field is 0xF0E70000 == 4041670656

I quickly tested on a RHEL-7.6 VM, as follows, and did not encounter the problem:

Open two terminals on a RHEL-7.6 machine.

Terminal 1:
/usr/libexec/qemu-kvm -S -spice disable-ticketing,port=5900

Terminal 2:
python SPICE_CRASH_Expliot.py # modified with "localhost" and 5900.

This results in the following spice-server error message, while the VM keeps running:

(process:14353): Spice-WARNING **: 16:36:55.399: reds.c:2383:reds_handle_read_header_done: bad size 4041670656

# rpm -q spice-server qemu-kvm
spice-server-0.14.0-6.el7_6.1.x86_64
qemu-kvm-1.5.3-160.el7_6.1.x86_64
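The warning quoted in the comment comes from a bounds check on the 16-byte SPICE link header's 'size' field, which announces how many bytes of link message follow. The C below is an added example, not spice-server's code or the reporter's: it parses the header (magic "REDQ", major version, then the size field) and rejects the report's 0xF0E70000 value before anything is allocated or read on its basis. The function and enum names, the 24-byte lower bound and the 4096-byte upper bound are assumptions for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SpiceLinkHeader on the wire: magic, major_version, minor_version, size (all LE uint32). */
#define LINK_HEADER_LEN 16u
#define SPICE_MAGIC 0x51444552u        /* "REDQ" read as a little-endian uint32 */
#define SPICE_VERSION_MAJOR 2u
/* Bounds for 'size' (assumed for this example): the fixed 24-byte SpiceLinkMess
 * is the least a client can legitimately send; 4096 is an arbitrary sanity cap
 * so a single unauthenticated header cannot drive a huge allocation or read. */
#define LINK_MESS_MIN_SIZE 24u
#define LINK_MESS_MAX_SIZE 4096u

enum link_hdr_status { HDR_OK = 0, HDR_SHORT, HDR_BAD_MAGIC, HDR_BAD_VERSION, HDR_BAD_SIZE };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate the link header; only on HDR_OK is *mess_size safe to use for the next read. */
enum link_hdr_status validate_link_header(const uint8_t *buf, size_t len, uint32_t *mess_size)
{
    if (len < LINK_HEADER_LEN) return HDR_SHORT;
    if (read_le32(buf) != SPICE_MAGIC) return HDR_BAD_MAGIC;
    if (read_le32(buf + 4) != SPICE_VERSION_MAJOR) return HDR_BAD_VERSION;
    uint32_t size = read_le32(buf + 12);
    if (size < LINK_MESS_MIN_SIZE || size > LINK_MESS_MAX_SIZE) {
        fprintf(stderr, "bad size %u\n", size);   /* same shape as the Spice-WARNING above */
        return HDR_BAD_SIZE;
    }
    *mess_size = size;
    return HDR_OK;
}

/* Constructed sample headers, not captured traffic. */
static const uint8_t GOOD_HDR[16] = { 'R','E','D','Q', 2,0,0,0, 2,0,0,0, 24,0,0,0 };
/* size = 0xF0E70000 (4041670656), the value from the report, in little-endian order. */
static const uint8_t HUGE_HDR[16] = { 'R','E','D','Q', 2,0,0,0, 2,0,0,0, 0x00,0x00,0xE7,0xF0 };

int main(void)
{
    uint32_t n = 0;
    printf("good header: status %d, size %u\n", validate_link_header(GOOD_HDR, sizeof GOOD_HDR, &n), n);
    printf("huge header: status %d\n", validate_link_header(HUGE_HDR, sizeof HUGE_HDR, &n));
    return 0;
}
```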