Bugzilla – Bug 1177781
VUL-0: CVE-2020-25651: spice-vdagent: possible file transfer DoS and information leak via `active_xfers` hash map
Last modified: 2021-08-23 08:43:05 UTC
Split-off from audit bug 1173749:

## b) Possible File Transfer DoS and Information Leak via `active_xfers` Hash Map

The same basic problem as described in section 3.a can lead to a file transfer information leak. The file transfer protocol roughly works like this:

- The host will send a `VD_AGENT_FILE_XFER_START` message that is forwarded to the user agent (function `do_client_file_xfer()`, specifically `vdagentd.c:376`). This message contains a `task_id` that identifies the file transfer process in future messages.
- The `spice-vdagent` will check free disk space and allocate a file of the expected size in the file system. If all checks pass then it will reply with a `VDAGENTD_FILE_XFER_STATUS_CAN_SEND_DATA` message, which causes `spice-vdagentd` to associate the client connection with the ongoing file transfer.
- The host will now start sending out chunks of the file data with `VDAGENTD_FILE_XFER_DATA` messages (processed in function `do_client_file_xfer()`, specifically `vdagentd.c:386`). `spice-vdagentd` will forward each chunk to the client connection stored in the `active_xfers` hash map.

The host application (tested with `remote-viewer` from the virt-viewer package) chooses an incrementally growing `task_id` for file exchanges which starts counting at 1. Thus the `task_id` is predictable. Since any unauthenticated local client can replace the mapping of `task_id` to client connection by its own client connection, there is a possibility for an attacker to obtain parts of the transferred file data. The attacker needs to win a race condition here, because it needs to hit the time window after the legitimate client sends out the `VDAGENTD_FILE_XFER_STATUS_CAN_SEND_DATA` message and before the host starts sending out file chunks via `VDAGENTD_FILE_XFER_DATA`. If the attacker sends his own `VDAGENTD_FILE_XFER_STATUS_CAN_SEND_DATA` using the correct `task_id` during this time window, then he can obtain the complete file.

At least for large file exchanges, bigger parts of the file can feasibly be obtained even when the initial parts of the file are transferred to the legitimate client. The more difficult part for an attacker will be to identify when such a file transfer will take place. The reproducer shows the basic attack technique.

### Impact

File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Exploitability will be difficult if there is not a suitable side channel with information about file transfers going on. In any case, active file transfers from other users can also be interrupted (DoS aspect).
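Added illustration of the `active_xfers` rebinding described in the audit comment (example code, not spice-vdagentd source and not the upstream fix): a toy table stands in for the hash map, the vulnerable "any connection may claim a `task_id`" handling sits beside a hardened variant that remembers which client connection the `VD_AGENT_FILE_XFER_START` was forwarded to (assumed bookkeeping) and rejects `CAN_SEND_DATA` from any other connection or for an already-bound `task_id`, and `replay_race` reproduces the window between the legitimate `CAN_SEND_DATA` and the first `XFER_DATA`.

```c
#include <stddef.h>
#include <stdint.h>
/* Added model of the active_xfers weakness (not spice-vdagentd source): a fixed
 * table stands in for the hash map, small ints for local client connections. */
#define MAX_XFERS 8
#define NO_CONN 0
struct xfer_entry { uint32_t task_id; int conn; int started_for; };
struct xfer_table { struct xfer_entry e[MAX_XFERS]; size_t n; };
static struct xfer_entry *find_xfer(struct xfer_table *t, uint32_t task_id) {
    for (size_t i = 0; i < t->n; i++)
        if (t->e[i].task_id == task_id) return &t->e[i];
    return NULL;
}
/* VD_AGENT_FILE_XFER_START from the host: record the task_id and (assumed
 * bookkeeping) the client connection the daemon forwarded the message to. */
int xfer_start(struct xfer_table *t, uint32_t task_id, int forwarded_to) {
    if (find_xfer(t, task_id) || t->n == MAX_XFERS) return -1;
    t->e[t->n++] = (struct xfer_entry){ task_id, NO_CONN, forwarded_to };
    return 0;
}
/* Vulnerable: CAN_SEND_DATA from any local connection (re)binds the task_id,
 * so a second CAN_SEND_DATA silently replaces the legitimate owner. */
int can_send_data_vuln(struct xfer_table *t, uint32_t task_id, int conn) {
    struct xfer_entry *x = find_xfer(t, task_id);
    if (x) x->conn = conn;
    return x ? 0 : -1;
}
/* Hardened: only the connection that received the START may claim the
 * task_id, and an already-bound task_id is never rebound. */
int can_send_data_hardened(struct xfer_table *t, uint32_t task_id, int conn) {
    struct xfer_entry *x = find_xfer(t, task_id);
    if (!x || x->started_for != conn || x->conn != NO_CONN) return -1;
    x->conn = conn;
    return 0;
}
/* VD_AGENT_FILE_XFER_DATA: connection the chunk goes to (NO_CONN if none). */
int xfer_data_recipient(struct xfer_table *t, uint32_t task_id) {
    struct xfer_entry *x = find_xfer(t, task_id);
    return x ? x->conn : NO_CONN;
}
/* Race from the audit comment: legitimate client (conn 1) claims predictable
 * task_id 1, then a local attacker (conn 2) sends its own CAN_SEND_DATA
 * before XFER_DATA starts. Returns where the file chunks would now go. */
int replay_race(int (*can_send)(struct xfer_table *, uint32_t, int)) {
    struct xfer_table t = { .n = 0 };
    xfer_start(&t, 1, 1);
    can_send(&t, 1, 1);
    can_send(&t, 1, 2);
    return xfer_data_recipient(&t, 1);
}
```

With the vulnerable handler the chunks go to connection 2 (the attacker also interrupts the legitimate transfer, the DoS aspect); with the hardened handler they stay with connection 1.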
SUSE-SU-2020:3268-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1173749,1177780,1177781,1177782,1177783
CVE References: CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): spice-vdagent-0.19.0-3.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1898-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1173749,1177780,1177781,1177782,1177783
CVE References: CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): spice-vdagent-0.19.0-lp152.2.3.1
Submitted to SUSE:SLE-15-SP1:Update with SR#246273
Submitted to SUSE:SLE-15:Update 246274
Submitted to SUSE:SLE-12-SP5:Update with SR#246275
Submitted to SUSE:SLE-12-SP4:Update with SR#246276
Submitted to SUSE:SLE-12-SP3:Update with SR#246277
Submitted to SUSE:SLE-12-SP2:Update with SR#246278
openSUSE-SU-2021:2614-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1173749,1177780,1177781,1177782,1177783
CVE References: CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): spice-vdagent-0.21.0-3.3.1
SUSE-SU-2021:2614-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1173749,1177780,1177781,1177782,1177783
CVE References: CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): spice-vdagent-0.21.0-3.3.1
SUSE-SU-2021:2766-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1177780,1177781,1177782,1177783
CVE References: CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): spice-vdagent-0.16.0-8.8.2
# maintenance_jira_update_notice
SUSE-SU-2021:2803-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1177780,1177781,1177782,1177783
CVE References: CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): spice-vdagent-0.17.0-4.3.1
SUSE Manager Retail Branch Server 4.0 (src): spice-vdagent-0.17.0-4.3.1
SUSE Manager Proxy 4.0 (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise Server for SAP 15 (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise Server 15-LTSS (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): spice-vdagent-0.17.0-4.3.1
SUSE Enterprise Storage 6 (src): spice-vdagent-0.17.0-4.3.1
SUSE CaaS Platform 4.0 (src): spice-vdagent-0.17.0-4.3.1
Released.