An issue was discovered in spice-server spice-server-0.14.0-6.el7_6.1.x86_64 of Red Hat's VDI product. There is a security vulnerability that can restart a KVM virtual machine without any authorization. It is not yet known if there will be other effects. References: https://github.com/zelat/spice-security-issues
Hi,

The problem is a header with a huge 'size'. I think it is already known and fixed -- see bug (CVE-2016-9577). Fixed by upstream commit ec124b982abcd23364963ffcd4c370b1ec962fc9 "Prevent possible DoS attempts during protocol handshake":

$ git describe ec124b982abcd23364963ffcd4c370b1ec962fc9 --tags
v0.13.3-149-gec124b98

So spice-server-0.14.0 should be fine. I tested on Fedora 38 and on RHEL-8.8 and the server does not abort. I'll test soon with RHEL-7.6.
In the spice-security-issues script, the 'size' field is 0xF0E70000 == 4041670656.
I quickly tested on a RHEL-7.6 VM, as follows, and did not encounter the problem:

Open two terminals on a RHEL-7.6 machine.

Terminal 1:
/usr/libexec/qemu-kvm -S -spice disable-ticketing,port=5900

Terminal 2:
python SPICE_CRASH_Expliot.py # modified with "localhost" and 5900.

This results in the following spice-server error message, while the VM keeps running:

(process:14353): Spice-WARNING **: 16:36:55.399: reds.c:2383:reds_handle_read_header_done: bad size 4041670656

# rpm -q spice-server qemu-kvm
spice-server-0.14.0-6.el7_6.1.x86_64
qemu-kvm-1.5.3-160.el7_6.1.x86_64
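Added example, not code from this thread or from spice-server itself: a small Python check that parses the 16-byte SPICE link header the handshake begins with and rejects an oversized 'size' before anything is allocated for the link message, which is the class of check the "bad size" warning above comes from. The 4096-byte cap, the helper names and the sample headers are assumptions constructed for the example, not values taken from reds.c.

```python
import struct

# SPICE link header, as sent by the client at the start of the handshake:
# magic "REDQ", major version, minor version, size of the following link
# message. All four fields are little-endian 32-bit integers (16 bytes total).
SPICE_MAGIC = b"REDQ"
LINK_HEADER = struct.Struct("<4sIII")

# Assumed upper bound for a sane link message. The real server's limit lives in
# reds.c and is not quoted in the thread; the value here is illustrative only.
MAX_LINK_MESSAGE_SIZE = 4096


def check_link_header(data):
    """Validate a link header. Returns (ok, reason, size_to_read)."""
    if len(data) < LINK_HEADER.size:
        return False, "short header", 0
    magic, major, minor, size = LINK_HEADER.unpack_from(data)
    if magic != SPICE_MAGIC:
        return False, "bad magic", 0
    # Reject the size before it is used for any allocation or read loop; an
    # unchecked value such as 0xF0E70000 would otherwise drive a ~4 GiB read.
    if size > MAX_LINK_MESSAGE_SIZE:
        return False, "bad size %d" % size, 0
    return True, "ok", size


def read_link_message(stream):
    """Consume header + message from a bytes-like stream, refusing bad sizes."""
    ok, reason, size = check_link_header(stream[:LINK_HEADER.size])
    if not ok:
        return None, reason
    body = stream[LINK_HEADER.size:LINK_HEADER.size + size]
    if len(body) < size:
        return None, "truncated message"
    return body, "ok"


def make_header(size, magic=SPICE_MAGIC, major=2, minor=2):
    """Build a constructed header for testing (not a client implementation)."""
    return LINK_HEADER.pack(magic, major, minor, size)


if __name__ == "__main__":
    # Constructed sample: the size value quoted in the thread.
    print(check_link_header(make_header(0xF0E70000)))
    print(read_link_message(make_header(4) + b"\x01\x02\x03\x04"))
```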