A flaw was found in the SPICE file transfer protocol. It was reported by SUSE Security as follows:

The host application (tested with `remote-viewer` from the virt-viewer package) chooses an incrementally growing `task_id` for file exchanges which starts counting at 1. Thus the `task_id` is predictable. Since any unauthenticated local client can replace the mapping of `task_id` to client connection by its own client connection, there is a possibility for an attacker to obtain parts of the transferred file data. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Exploitability will be difficult if there is not a suitable side channel with information about file transfers going on. In any case, active file transfers from other users can also be interrupted (DoS aspect).
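The report names two properties that together make the mapping hijackable: the `task_id` is a counter starting at 1, and the agent lets any local connection rebind an existing `task_id` to itself. The following is an added, hypothetical illustration of those two properties side by side, written for this page; it is not spice-vdagent's code and does not claim to reproduce the upstream fix linked below. The `WeakTaskRegistry` models the behaviour the report describes, the `HardenedTaskRegistry` draws its ids from the OS CSPRNG and refuses to hand a task to a connection other than the one that created it. Connection labels such as `"conn-A"` are constructed stand-ins for real client connections.

```python
"""Task-id registry illustration for the CVE-2020-25651 report (hypothetical,
not spice-vdagent code). Both registries map a file-transfer task_id to the
client connection that owns it."""
import secrets


class WeakTaskRegistry:
    """Sequential task ids; any connection may claim any task_id."""

    def __init__(self):
        self._next_id = 1      # counter starts at 1, so the next id is guessable
        self._owner = {}       # task_id -> owning connection

    def start_transfer(self, conn):
        task_id = self._next_id
        self._next_id += 1
        self._owner[task_id] = conn
        return task_id

    def attach(self, task_id, conn):
        # Overwrites the mapping unconditionally: the rebinding the report describes.
        self._owner[task_id] = conn
        return True

    def owner_of(self, task_id):
        return self._owner.get(task_id)


class HardenedTaskRegistry:
    """Random 128-bit task ids; a task stays bound to the connection that created it."""

    ID_BYTES = 16

    def __init__(self):
        self._owner = {}

    def start_transfer(self, conn):
        while True:
            # secrets uses the OS CSPRNG, so an id cannot be derived from earlier ones
            task_id = int.from_bytes(secrets.token_bytes(self.ID_BYTES), "big")
            if task_id not in self._owner:      # collision is astronomically unlikely
                self._owner[task_id] = conn
                return task_id

    def attach(self, task_id, conn):
        owner = self._owner.get(task_id)
        if owner is None:
            return False        # unknown task: nothing to attach to
        if owner != conn:
            return False        # refuse to move the task to a different connection
        return True

    def owner_of(self, task_id):
        return self._owner.get(task_id)


def takeover_possible(registry_cls):
    """True if a second connection can become the owner of a transfer started by the first."""
    reg = registry_cls()
    task_id = reg.start_transfer("conn-A")   # constructed connection labels
    reg.attach(task_id, "conn-B")
    return reg.owner_of(task_id) == "conn-B"


if __name__ == "__main__":
    print("weak registry, takeover possible:    ", takeover_possible(WeakTaskRegistry))
    print("hardened registry, takeover possible:", takeover_possible(HardenedTaskRegistry))
```

Unpredictable ids alone are not sufficient: the owner check in `attach` is what stops a connection that learns an id through some side channel from claiming the task, and the random id is what removes the guessing route.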
Acknowledgments: Name: Matthias Gerstner (SUSE Security Team)
External References: https://www.openwall.com/lists/oss-security/2020/11/04/1
Created spice-vdagent tracking bugs for this issue: Affects: fedora-all [bug 1894434]
Upstream commits:
https://github.com/freedesktop/spice-vd_agent/commit/e4bfd1b632b6c14e8411dbe3565115a78cd3d256
https://github.com/freedesktop/spice-vd_agent/commit/b7db1c20c9f80154fb54392eb44add3486d3e427
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-25651
This issue has been addressed in the following products: Red Hat Enterprise Linux 8, via RHSA-2021:1791 (https://access.redhat.com/errata/RHSA-2021:1791)