Bugzilla – Bug 1177782
VUL-0: CVE-2020-25652: spice-vdagent: possibility to exhaust file descriptors in `vdagentd`
Last modified: 2021-08-23 08:43:12 UTC
Split-off from audit bug 1173749:

## c) Possibility to Exhaust File Descriptors in `vdagentd`

`spice-vdagentd` does not apply a limit to the amount of client connections that can be established via the UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. Also existing connections aren't subject to a timeout or any kind of preconditions for them to stay alive. Thus it is easy to exhaust the file descriptor limit for the `spice-vdagentd` process (typically 1024 file descriptors by default, this limit is also imposed by system calls like `select()`). Any local user in the virtual machine can open around ~1020 connections to `spice-vdagentd` and simply keep them open without transmitting any data. The `spice-vdagentd` will then become unable to open further connections for legitimate clients or perform other tasks (like opening the serial device, see section 2.a, or invoking systemd library calls that require opening files).

### Impact

By exhausting file descriptors in `spice-vdagentd` the following effects can be achieved:

- The attack can prevent legitimate `spice-vdagent` instances from connecting to the `spice-vdagentd`. SPICE features won't be available to affected sessions.
- The attack can cause `vdagentd` to exit on error conditions if tuned carefully. For example, an attacker can exhaust all file descriptors in `spice-vdagentd` except for one and then wait for a legitimate client from an active session to connect. This connection attempt will succeed, but the subsequent attempt to open the serial device (see section 2.a) will fail, and `spice-vdagentd` will exit. This will then also cause the involved `spice-vdagent` to exit, because the connection to the system daemon is lost.
- `spice-vdagentd` will enter a 100 % CPU infinite loop, because it tries to `accept()` the new connection, which is impossible, but also doesn't close the listening socket or abort execution.
- This attack vector makes security issue 3.d better exploitable, which will be explained there in more detail.
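The three weaknesses named above (no connection cap, no idle timeout, and an `accept()` loop that spins forever once `EMFILE` is hit) map onto three concrete mitigations. The following is an added example of a hardened accept loop for a UNIX-socket daemon, not spice-vdagent's own code; `MAX_CLIENTS`, `IDLE_SECS` and the spare-descriptor technique for draining the backlog under `EMFILE` are assumptions chosen for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <time.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/socket.h>
#include <sys/un.h>

#define MAX_CLIENTS 64  /* assumed cap, far below the 1024-fd / FD_SETSIZE ceiling */
#define IDLE_SECS   30  /* assumed idle timeout for clients that never send data */
struct client { int fd; time_t last_activity; };
struct server { int listen_fd, spare_fd, n; struct client c[MAX_CLIENTS]; };

/* Reserve one fd so EMFILE can later be handled by draining the backlog, and
 * refuse to start if the client table could not fit under RLIMIT_NOFILE. */
int server_init(struct server *s, int listen_fd) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) < 0 || rl.rlim_cur < MAX_CLIENTS + 8) return -1;
    s->listen_fd = listen_fd; s->n = 0;
    s->spare_fd = open("/dev/null", O_RDONLY);
    return s->spare_fd < 0 ? -1 : 0;
}

/* 1 = client admitted, 0 = refused or nothing pending, -1 = fatal. Never leaves a
 * pending connection in the backlog, so a select()/poll() loop cannot spin on it. */
int server_accept(struct server *s, time_t now) {
    int fd = accept(s->listen_fd, NULL, NULL);
    if (fd < 0) {
        if (errno == EINTR || errno == EAGAIN || errno == ECONNABORTED) return 0;
        if (errno != EMFILE && errno != ENFILE) return -1;
        close(s->spare_fd);                        /* out of fds: free the spare, */
        fd = accept(s->listen_fd, NULL, NULL);     /* accept the pending client,  */
        if (fd >= 0) close(fd);                    /* drop it immediately,        */
        s->spare_fd = open("/dev/null", O_RDONLY); /* and re-reserve the spare    */
        return 0;
    }
    if (s->n >= MAX_CLIENTS) { close(fd); return 0; }  /* table full: refuse */
    s->c[s->n++] = (struct client){ fd, now };
    return 1;
}

/* Close clients idle for more than IDLE_SECS; returns how many were dropped. */
int server_reap_idle(struct server *s, time_t now) {
    int dropped = 0;
    for (int i = 0; i < s->n; )
        if (now - s->c[i].last_activity > IDLE_SECS) {  /* swap-remove keeps table dense */
            close(s->c[i].fd); s->c[i] = s->c[--s->n]; dropped++;
        } else i++;
    return dropped;
}
```

A caller would mark the listener non-blocking, call `server_accept()` whenever `select()`/`poll()` reports it readable, update `last_activity` on every client read, and call `server_reap_idle()` on each timer tick.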
SUSE-SU-2020:3268-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1173749,1177780,1177781,1177782,1177783
CVE References: CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src): spice-vdagent-0.19.0-3.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1898-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1173749,1177780,1177781,1177782,1177783
CVE References: CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): spice-vdagent-0.19.0-lp152.2.3.1
Submitted to SUSE:SLE-15-SP1:Update with SR#246273
Submitted to SUSE:SLE-15:Update with SR#246274
Submitted to SUSE:SLE-12-SP5:Update with SR#246275
Submitted to SUSE:SLE-12-SP4:Update with SR#246276
Submitted to SUSE:SLE-12-SP3:Update with SR#246277
Submitted to SUSE:SLE-12-SP2:Update with SR#246278
SUSE-SU-2021:2614-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1173749,1177780,1177781,1177782,1177783
CVE References: CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): spice-vdagent-0.21.0-3.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2021:2766-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1177780,1177781,1177782,1177783
CVE References: CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653
JIRA References:
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src): spice-vdagent-0.16.0-8.8.2
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
# maintenance_jira_update_notice
SUSE-SU-2021:2803-1: An update that fixes four vulnerabilities is now available.
Category: security (moderate)
Bug References: 1177780,1177781,1177782,1177783
CVE References: CVE-2020-25650,CVE-2020-25651,CVE-2020-25652,CVE-2020-25653
JIRA References:
Sources used:
SUSE Manager Server 4.0 (src): spice-vdagent-0.17.0-4.3.1
SUSE Manager Retail Branch Server 4.0 (src): spice-vdagent-0.17.0-4.3.1
SUSE Manager Proxy 4.0 (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise Server for SAP 15 (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise Server 15-LTSS (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): spice-vdagent-0.17.0-4.3.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): spice-vdagent-0.17.0-4.3.1
SUSE Enterprise Storage 6 (src): spice-vdagent-0.17.0-4.3.1
SUSE CaaS Platform 4.0 (src): spice-vdagent-0.17.0-4.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Released.