Bug 1886372 (CVE-2020-25653) - CVE-2020-25653 spice-vdagent: UNIX domain socket peer PID retrieved via `SO_PEERCRED` is subject to race condition
Keywords:
Status: NEW
Alias: CVE-2020-25653
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1886512 1894436
Blocks: 1882815
Reported: 2020-10-08 10:12 UTC by Mauro Matteo Cascella
Modified: 2020-11-09 11:22 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections. This flaw may allow an unprivileged local guest user to become the active agent for spice-vdagentd, possibly resulting in a denial of service or information leakage from the host. The highest threat from this vulnerability is to data confidentiality as well as system availability.
Clone Of:
Environment:
Last Closed:



Description Mauro Matteo Cascella 2020-10-08 10:12:40 UTC
The following flaw was reported by SUSE Security:

One major security property of `spice-vdagentd` is that it only allows those clients access to most of the SPICE features (like clipboard, file transfer) that are currently in an active session according to systemd. It is possible for arbitrary local users (like *nobody*) to connect to `spice-vdagentd`, but these connections should not be able to interact with the host machine, because they don't belong to the active session.

There is a race condition between the point in time when a client performs the `connect()` call to establish a connection with `spice-vdagentd` and the time `spice-vdagentd` retrieves and checks the PID in its `agent_connect()` function. The described race condition is very hard to hit under normal circumstances, because the `agent_connect()` function in `spice-vdagentd` is very likely to run before an unrelated process gets reassigned the malicious PID in question. When combined with the file descriptor exhaustion security issue however, then this attack will become way more feasible.

An unprivileged local attacker inside a VM could use this flaw to become the "active agent" for `spice-vdagentd` for the graphical session of a legitimate local user. If successful then the attacker can access the host's clipboard contents or send malicious clipboard content to the host. The attacker can also retrieve file data from the host or send invalid screen resolution and display information to the host. If the victim's graphical session already runs a legitimate `spice-vdagent` then a successful attack will trigger an information leak protection logic in `vdagentd.c:874`. This has the effect of a denial-of-service, because neither the attacker nor the legitimate user will be able to use the SPICE features anymore.
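As an added illustration (not spice-vdagent code, and not the project's fix), the C program below retrieves `SO_PEERCRED` on a UNIX socket and re-checks the recorded PID against `/proc` before a PID-keyed decision is made; it narrows the connect()-to-check window described above but does not close it, since a reused PID owned by the same user still passes. Function names are my own, and the demo uses a socketpair so both ends are the calling process.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Read the peer credentials the kernel recorded when the peer connected.
 * The PID is a snapshot: the process may have exited and the number may
 * already belong to an unrelated process by the time we look at it. */
int peer_cred(int fd, struct ucred *cr) {
    socklen_t len = sizeof *cr;
    return getsockopt(fd, SOL_SOCKET, SO_PEERCRED, cr, &len);
}

/* Real UID of whatever process currently holds `pid`, or -1 if none. */
long current_uid_of_pid(pid_t pid) {
    char path[64], line[256];
    long uid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;                    /* PID is not live right now */
    while (fgets(line, sizeof line, f))
        if (sscanf(line, "Uid:\t%ld", &uid) == 1) break;
    fclose(f);
    return uid;
}

/* Consistency check: only proceed with a PID-keyed lookup (e.g. session
 * membership) if the process now at that PID still has the UID the kernel
 * recorded at connect() time. A UID cannot be recycled the way a PID can,
 * so it is the stronger of the two values to base a decision on.
 * On Linux 6.5+ SO_PEERPIDFD returns a pidfd pinned to the connecting
 * process, which removes PID reuse from the picture entirely. */
int peer_pid_still_consistent(const struct ucred *cr) {
    return current_uid_of_pid(cr->pid) == (long)cr->uid;
}

/* Demo on a socketpair: returns 1 when the check passes, 0 when it does
 * not, -1 on a system error. */
int demo_self_check(void) {
    int sv[2];
    struct ucred cr;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    int rc = peer_cred(sv[0], &cr);
    close(sv[0]);
    close(sv[1]);
    if (rc < 0) return -1;
    if (cr.pid != getpid() || cr.uid != getuid()) return 0;
    return peer_pid_still_consistent(&cr);
}
```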

Comment 4 Mauro Matteo Cascella 2020-10-14 09:39:17 UTC
Acknowledgments:

Name: Matthias Gerstner (SUSE Security Team)

Comment 5 Mauro Matteo Cascella 2020-11-04 09:35:31 UTC
External References:

https://www.openwall.com/lists/oss-security/2020/11/04/1

Comment 6 Mauro Matteo Cascella 2020-11-04 09:35:57 UTC
Created spice-vdagent tracking bugs for this issue:

Affects: fedora-all [bug 1894436]
