2216478 – (CVE-2023-3354) CVE-2023-3354 QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service

Bug 2216478 (CVE-2023-3354) - CVE-2023-3354 QEMU: VNC: improper I/O watch removal in TLS handshake can lead to remote unauthenticated denial of service

Summary: CVE-2023-3354 QEMU: VNC: improper I/O watch removal in TLS handshake can lead...

Keywords:
Status:	NEW
Alias:	CVE-2023-3354
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2216502 2216503 2216504 2216506 2216507 2216508 2216509 2216510 2216511 2218149 2216505 2216517 2216518 2216519
Blocks:	2216474
TreeView+	depends on / blocked

Reported:	2023-06-21 14:50 UTC by Mauro Matteo Cascella
Modified:	2023-07-12 17:08 UTC (History)
CC List:	18 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks whether the current number of connections crosses a certain threshold and if so, cleans up the previous connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated client to cause a denial of service.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Mauro Matteo Cascella 2023-06-21 14:50:09 UTC

When a client connects to the VNC server, QEMU will check whether the current number of connections is greater than the limitation. If so, it will clean up the previous connection. If that connection happens to be in the handshake phase and fails, QEMU will clean up the connection again, which will result in a NULL pointer dereference issue. A remote unauthenticated user could use this flaw to cause a denial of service.

Comment 5 Mauro Matteo Cascella 2023-06-28 10:49:56 UTC

Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 2218149]

Comment 7 Mauro Matteo Cascella 2023-07-05 18:38:04 UTC

Upstream patch:
https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg01014.html

Comment 10 Mauro Matteo Cascella 2023-07-12 17:08:03 UTC

Patch v2:
https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg02668.html

Note You need to log in before you can comment on or make changes to this bug.