Bug 1212850 (CVE-2023-3354)

Summary: VUL-0: CVE-2023-3354: qemu,kvm: improper I/O watch removal in VNC TLS handshake can lead to remote unauthenticated denial of service
Product: [Novell Products] SUSE Security Incidents Reporter: Carlos López <carlos.lopez>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: brahmajit.das, carlos.lopez, dfaggioli, joyeta.modak, matz, meissner, security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/370715/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-3354:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Carlos López 2023-06-29 09:24:07 UTC 
CVE-2023-3354

When a client connects to the VNC server, QEMU will check whether the current number of connections is greater than the limitation. If so, it will clean up the previous connection. If that connection happens to be in the handshake phase and fails, QEMU will clean up the connection again, which will result in a NULL pointer dereference issue. A remote unauthenticated user could use this flaw to cause a denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354
https://bugzilla.redhat.com/show_bug.cgi?id=2216478
Comment 1 Carlos López 2023-06-29 09:24:35 UTC 
No details that I could find yet
Comment 2 Carlos López 2023-07-31 11:34:32 UTC 
Latest version of the patch, still not merged:
https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg02668.html
Comment 3 Dario Faggioli 2023-08-03 10:52:54 UTC 
(In reply to Carlos López from comment #2)
> Latest version of the patch, still not merged:
> https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg02668.html

Committed as: 10be627d2b5ec2d6b3dce045144aa739eef678b4

To which branches do we backport?
Comment 4 Carlos López 2023-08-03 12:07:52 UTC 
(In reply to Dario Faggioli from comment #3)
> (In reply to Carlos López from comment #2)
> > Latest version of the patch, still not merged:
> > https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg02668.html
> 
> Committed as: 10be627d2b5ec2d6b3dce045144aa739eef678b4
> 
> To which branches do we backport?

The VNC code was introduced very early, so I'd say all of them:
- SUSE:SLE-12-SP2:Update/qemu
- SUSE:SLE-12-SP3:Update/qemu
- SUSE:SLE-12-SP4:Update/qemu
- SUSE:SLE-12-SP5:Update/qemu
- SUSE:SLE-15-SP1:Update/qemu
- SUSE:SLE-15-SP2:Update/qemu
- SUSE:SLE-15-SP3:Update/qemu
- SUSE:SLE-15-SP4:Update/qemu
- SUSE:SLE-15-SP5:Update/qemu
- SUSE:ALP:Source:Standard:1.0/qemu

In older versions qio_channel_add_watch() is used instead of qio_channel_add_watch_full(), but I think the same logic applies.
Comment 7 OBSbugzilla Bot 2023-08-09 06:55:04 UTC 
This is an autogenerated message for OBS integration:
This bug (1212850) was mentioned in
https://build.opensuse.org/request/show/1103082 Factory / qemu
Comment 10 Maintenance Automation 2023-08-28 12:30:37 UTC 
SUSE-SU-2023:3444-1: An update that solves six vulnerabilities can now be installed.

Category: security (important)
Bug References: 1188609, 1190011, 1207205, 1212850, 1213414, 1213925
CVE References: CVE-2021-3638, CVE-2021-3750, CVE-2023-0330, CVE-2023-3180, CVE-2023-3301, CVE-2023-3354
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Manager Proxy 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Manager Retail Branch Server 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Manager Server 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Enterprise Storage 7.1 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro 5.1 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro 5.2 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro for Rancher 5.2 (src): qemu-5.2.0-150300.127.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 OBSbugzilla Bot 2023-09-12 14:05:20 UTC 
This is an autogenerated message for OBS integration:
This bug (1212850) was mentioned in
https://build.opensuse.org/request/show/1110620 Factory / qemu
Comment 18 Maintenance Automation 2023-09-21 08:30:02 UTC 
SUSE-SU-2023:3721-1: An update that solves 10 vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1172382, 1188609, 1190011, 1193880, 1197653, 1198712, 1207205, 1212850, 1212968, 1213925, 1215311
CVE References: CVE-2020-13754, CVE-2021-3638, CVE-2021-3750, CVE-2021-3929, CVE-2022-1050, CVE-2022-26354, CVE-2023-0330, CVE-2023-2861, CVE-2023-3180, CVE-2023-3354
Sources used:
openSUSE Leap 15.4 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): qemu-4.2.1-150200.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2023-09-27 12:30:07 UTC 
SUSE-SU-2023:3800-1: An update that solves nine vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1172382, 1190011, 1193880, 1197653, 1198712, 1207205, 1212850, 1212968, 1213925, 1215311
CVE References: CVE-2019-13754, CVE-2021-3750, CVE-2021-3929, CVE-2022-1050, CVE-2022-26354, CVE-2023-0330, CVE-2023-2861, CVE-2023-3180, CVE-2023-3354
Sources used:
SUSE CaaS Platform 4.0 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): qemu-3.1.1.1-150100.80.51.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Maintenance Automation 2023-10-12 12:46:45 UTC 
SUSE-SU-2023:4056-1: An update that solves five vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1179993, 1181740, 1188609, 1190011, 1207205, 1212850, 1213663, 1213925, 1215311
CVE References: CVE-2021-3638, CVE-2021-3750, CVE-2023-0330, CVE-2023-3180, CVE-2023-3354
Sources used:
openSUSE Leap 15.4 (src): qemu-linux-user-6.2.0-150400.37.23.1, qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro 5.3 (src): qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro 5.4 (src): qemu-6.2.0-150400.37.23.1
Basesystem Module 15-SP4 (src): qemu-6.2.0-150400.37.23.1
Server Applications Module 15-SP4 (src): qemu-6.2.0-150400.37.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Maintenance Automation 2023-12-06 16:30:33 UTC 
SUSE-SU-2023:4662-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1188609, 1212850, 1213210, 1213925, 1215311
CVE References: CVE-2021-3638, CVE-2023-3180, CVE-2023-3354
Sources used:
openSUSE Leap 15.5 (src): qemu-linux-user-7.1.0-150500.49.9.1, qemu-7.1.0-150500.49.9.2
SUSE Linux Enterprise Micro 5.5 (src): qemu-7.1.0-150500.49.9.2
Basesystem Module 15-SP5 (src): qemu-7.1.0-150500.49.9.2
Server Applications Module 15-SP5 (src): qemu-7.1.0-150500.49.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Maintenance Automation 2024-02-22 12:30:03 UTC 
SUSE-SU-2024:0589-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1188609, 1212850, 1213210, 1213925, 1215311
CVE References: CVE-2021-3638, CVE-2023-3180, CVE-2023-3354
Sources used:
SUSE Package Hub 15 15-SP5 (src): qemu-7.1.0-150500.49.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 36 Maintenance Automation 2024-04-23 12:30:13 UTC 
SUSE-SU-2024:1395-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1190011, 1198038, 1207205, 1212850, 1213925
CVE References: CVE-2021-3750, CVE-2022-0216, CVE-2023-0330, CVE-2023-3180, CVE-2023-3354
Maintenance Incident: [SUSE:Maintenance:33441](https://smelt.suse.de/incident/33441/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 qemu-3.1.1.1-72.1
SUSE Linux Enterprise Server 12 SP5 (src):
 qemu-3.1.1.1-72.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 qemu-3.1.1.1-72.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.