Bug 1886359 (CVE-2020-25651) - CVE-2020-25651 spice-vdagent: possible file transfer DoS and information leak via active_xfers hash map
Summary: CVE-2020-25651 spice-vdagent: possible file transfer DoS and information leak...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-25651
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1886434 1894434
Blocks: 1882815
Reported: 2020-10-08 09:34 UTC by Mauro Matteo Cascella
Modified: 2021-05-18 15:05 UTC (History)

Fixed In Version: spice-vdagent 0.21.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the SPICE file transfer protocol. File data from the host system can partially or fully end up in the client connection of an unauthorized local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest threat from this vulnerability is to confidentiality as well as system availability.
Clone Of:
Environment:
Last Closed: 2021-05-18 14:35:39 UTC
Embargoed:



Description Mauro Matteo Cascella 2020-10-08 09:34:33 UTC
A flaw was found in the SPICE file transfer protocol. It was reported by SUSE Security as follows:

The host application (tested with `remote-viewer` from the virt-viewer package) chooses an incrementally growing `task_id` for file exchanges
which starts counting at 1. Thus the `task_id` is predictable. Since any unauthenticated local client can replace the mapping of `task_id` to client
connection by its own client connection, there is a possibility for an attacker to obtain parts of the transferred file data.

File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Exploitability will be difficult if there is not a suitable side channel with information about file transfers going on. In any case active file transfers from other users can also be interrupted (DoS aspect).
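
The mechanism the report describes, modelled as an added example that is not spice-vdagent's code: a small table of active transfers keyed by a sequential task_id, an unchecked attach path in which any local client connection that names a task_id takes over the slot, and a checked path that only lets the connection which started the transfer touch it. The table layout, the function names (xfer_start, xfer_attach_unchecked, xfer_attach_checked, xfer_deliver, scenario) and the connection ids are assumptions for illustration only, not the agent's real data structures or the upstream fix.

```c
/* Added example, not spice-vdagent code: a model of an active-transfer
 * table keyed by a predictable task_id.  All names here are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_XFERS 16

/* One entry of the hypothetical active-transfer table. */
struct xfer_slot {
    uint32_t task_id;   /* 0 means the slot is free */
    int owner_conn;     /* client connection that started the transfer */
    size_t bytes_seen;  /* payload delivered so far */
};

static struct xfer_slot active_xfers[MAX_XFERS];
static uint32_t next_task_id = 1;   /* sequential from 1, as the report says */

static struct xfer_slot *find_xfer(uint32_t task_id) {
    for (size_t i = 0; i < MAX_XFERS; i++)
        if (active_xfers[i].task_id == task_id)
            return &active_xfers[i];
    return NULL;
}

void xfer_reset(void) {
    memset(active_xfers, 0, sizeof active_xfers);
    next_task_id = 1;
}

/* A client starts a transfer; returns its task_id, or 0 if the table is full. */
uint32_t xfer_start(int conn) {
    for (size_t i = 0; i < MAX_XFERS; i++) {
        if (active_xfers[i].task_id == 0) {
            active_xfers[i].task_id = next_task_id++;
            active_xfers[i].owner_conn = conn;
            active_xfers[i].bytes_seen = 0;
            return active_xfers[i].task_id;
        }
    }
    return 0;
}

/* Weak pattern: whichever connection names a task_id becomes its owner,
 * so the legitimate owner's mapping is silently replaced. */
bool xfer_attach_unchecked(uint32_t task_id, int conn) {
    struct xfer_slot *s = find_xfer(task_id);
    if (!s) return false;
    s->owner_conn = conn;
    return true;
}

/* Hardened pattern: the mapping may only be touched by the connection
 * that created it; anything else is rejected and logged. */
bool xfer_attach_checked(uint32_t task_id, int conn) {
    struct xfer_slot *s = find_xfer(task_id);
    if (!s) return false;
    if (s->owner_conn != conn) {
        fprintf(stderr, "task %u: conn %d is not the owner (conn %d), rejected\n",
                (unsigned)task_id, conn, s->owner_conn);
        return false;
    }
    return true;
}

/* The host delivers a chunk; returns the connection that receives it,
 * or -1 if the task_id is unknown. */
int xfer_deliver(uint32_t task_id, size_t len) {
    struct xfer_slot *s = find_xfer(task_id);
    if (!s) return -1;
    s->bytes_seen += len;
    return s->owner_conn;
}

/* Replays the situation from the report under one attach policy and
 * returns the connection that ends up receiving the host's file data. */
int scenario(bool hardened) {
    xfer_reset();
    const int owner = 7, other = 9;     /* constructed connection ids */
    uint32_t id = xfer_start(owner);    /* first transfer gets task_id 1 */
    /* a second local connection names that low task_id as its own */
    if (hardened)
        xfer_attach_checked(id, other);
    else
        xfer_attach_unchecked(id, other);
    return xfer_deliver(id, 4096);
}

int main(void) {
    printf("unchecked attach: data goes to conn %d\n", scenario(false));
    printf("checked attach:   data goes to conn %d\n", scenario(true));
    return 0;
}
```

The checked variant is what a defender wants to see in the agent: the task_id alone never identifies a client, the table entry carries the owning connection, and a mismatch is both refused and logged so an attempt shows up in the daemon's output rather than as a silently redirected transfer.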

Comment 4 Mauro Matteo Cascella 2020-10-14 09:38:15 UTC
Acknowledgments:

Name: Matthias Gerstner (SUSE Security Team)

Comment 5 Mauro Matteo Cascella 2020-11-04 09:34:29 UTC
External References:

https://www.openwall.com/lists/oss-security/2020/11/04/1

Comment 6 Mauro Matteo Cascella 2020-11-04 09:35:14 UTC
Created spice-vdagent tracking bugs for this issue:

Affects: fedora-all [bug 1894434]

Comment 11 Product Security DevOps Team 2021-05-18 14:35:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-25651

Comment 12 errata-xmlrpc 2021-05-18 15:05:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1791 https://access.redhat.com/errata/RHSA-2021:1791

