Bug 2302487 (CVE-2024-7409) - CVE-2024-7409 QEMU: Denial of Service via Improper Synchronization in QEMU NBD Server During Socket Closure
Keywords:
Status: NEW
Alias: CVE-2024-7409
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-08-02 11:35 UTC by Michal Findra
Modified: 2024-10-01 02:43 UTC

Fixed In Version:
Doc Type: ---
Doc Text:
A flaw was found in the QEMU NBD Server. This vulnerability allows a denial of service (DoS) attack via improper synchronization during socket closure when a client keeps a socket open as the server is taken offline.
Clone Of:
Environment:
Last Closed:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2024:6811 | 0 | None | None | None | 2024-09-25 01:07:00 UTC
Red Hat Product Errata | RHSA-2024:6818 | 0 | None | None | None | 2024-09-25 13:59:35 UTC
Red Hat Product Errata | RHSA-2024:6824 | 0 | None | None | None | 2024-09-24 15:28:14 UTC
Red Hat Product Errata | RHSA-2024:6964 | 0 | None | None | None | 2024-09-24 03:22:43 UTC
Red Hat Product Errata | RHSA-2024:7408 | 0 | None | None | None | 2024-10-01 02:43:47 UTC

Description Michal Findra 2024-08-02 11:35:01 UTC
A flaw was discovered in the qemu code for temporarily exposing an NBD 
server (used for storage migration and other tasks), where qemu can
crash if a client still has a socket open at the time the server is
taken offline. Even when qemu is set up to only accept clients with
proper TLS credentials, an attacker without the TLS credentials can
exploit the flaw by connecting a second socket while a storage
migration is ongoing through the intended socket, where the attacker
then stalls the NBD handshake to not reach the point of the TLS
negotiation, then waits for the server to go offline. When the NBD
server is stopped, closing the attacker's socket can cause qemu to
crash, forming a denial of service attack.

Comment 3 errata-xmlrpc 2024-09-24 03:22:42 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:6964 https://access.redhat.com/errata/RHSA-2024:6964

Comment 4 errata-xmlrpc 2024-09-24 15:28:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:6824 https://access.redhat.com/errata/RHSA-2024:6824

Comment 5 errata-xmlrpc 2024-09-25 01:06:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6811 https://access.redhat.com/errata/RHSA-2024:6811

Comment 6 errata-xmlrpc 2024-09-25 13:59:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:6818 https://access.redhat.com/errata/RHSA-2024:6818

Comment 7 errata-xmlrpc 2024-10-01 02:43:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:7408 https://access.redhat.com/errata/RHSA-2024:7408

