620355 – (CVE-2010-2793) CVE-2010-2793 spice activex/spicec named pipe races

Bug 620355 (CVE-2010-2793) - CVE-2010-2793 spice activex/spicec named pipe races

Summary: CVE-2010-2793 spice activex/spicec named pipe races

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2010-2793
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	594000 620484
Blocks:
TreeView+	depends on / blocked

Reported:	2010-08-02 09:54 UTC by Petr Matousek
Modified:	2021-10-19 09:12 UTC (History)
CC List:	9 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2021-10-19 09:12:58 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2010:0818	0	normal	SHIPPED_LIVE	Important: Red Hat Enterprise Virtualization Manager security update	2010-12-06 18:59:30 UTC

Description Petr Matousek 2010-08-02 09:54:39 UTC

There is a race in spice-activex when a local attacker is able to create a named pipe with the expected name that is used for parameter passing (password, cert file) between spice-activex and spice client. 

Also ImpersonateNamedPipeClient() function that allows server to impersonate security context of connected user could be used to gain privileges of the spice user.

Comment 5 errata-xmlrpc 2010-12-06 18:59:35 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Virtualization Manager

Via RHSA-2010:0818 https://rhn.redhat.com/errata/RHSA-2010-0818.html

Note You need to log in before you can comment on or make changes to this bug.