Bug 1212850 (CVE-2023-3354) - VUL-0: CVE-2023-3354: qemu,kvm: improper I/O watch removal in VNC TLS handshake can lead to remote unauthenticated denial of service
Summary: VUL-0: CVE-2023-3354: qemu,kvm: improper I/O watch removal in VNC TLS handsha...
Status: NEW
Alias: CVE-2023-3354
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/370715/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-3354:7.5:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-06-29 09:24 UTC by Carlos López
Modified: 2024-07-09 11:12 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2023-06-29 09:24:07 UTC
CVE-2023-3354

When a client connects to the VNC server, QEMU will check whether the current number of connections is greater than the limit. If so, it will clean up the previous connection. If that connection happens to be in the handshake phase and fails, QEMU will clean up the connection again, which will result in a NULL pointer dereference. A remote unauthenticated user could use this flaw to cause a denial of service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3354
https://bugzilla.redhat.com/show_bug.cgi?id=2216478
Comment 1 Carlos López 2023-06-29 09:24:35 UTC
No details that I could find yet
Comment 2 Carlos López 2023-07-31 11:34:32 UTC
Latest version of the patch, still not merged:
https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg02668.html
Comment 3 Dario Faggioli 2023-08-03 10:52:54 UTC
(In reply to Carlos López from comment #2)
> Latest version of the patch, still not merged:
> https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg02668.html

Committed as: 10be627d2b5ec2d6b3dce045144aa739eef678b4

To which branches do we backport?
Comment 4 Carlos López 2023-08-03 12:07:52 UTC
(In reply to Dario Faggioli from comment #3)
> (In reply to Carlos López from comment #2)
> > Latest version of the patch, still not merged:
> > https://lists.nongnu.org/archive/html/qemu-devel/2023-07/msg02668.html
> 
> Committed as: 10be627d2b5ec2d6b3dce045144aa739eef678b4
> 
> To which branches do we backport?

The VNC code was introduced very early, so I'd say all of them:
- SUSE:SLE-12-SP2:Update/qemu
- SUSE:SLE-12-SP3:Update/qemu
- SUSE:SLE-12-SP4:Update/qemu
- SUSE:SLE-12-SP5:Update/qemu
- SUSE:SLE-15-SP1:Update/qemu
- SUSE:SLE-15-SP2:Update/qemu
- SUSE:SLE-15-SP3:Update/qemu
- SUSE:SLE-15-SP4:Update/qemu
- SUSE:SLE-15-SP5:Update/qemu
- SUSE:ALP:Source:Standard:1.0/qemu

In older versions qio_channel_add_watch() is used instead of qio_channel_add_watch_full(), but I think the same logic applies.
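The failure mode in the description and the watch-registration detail from comment 4, as an added illustration that is not QEMU code and not the upstream patch: a self-contained C model of a channel whose TLS handshake continuation is registered as an I/O watch, a VNC-style eviction that closes the channel while that watch is still pending, and a close routine that remembers the watch tag and removes it first. The type and function names (Channel, add_watch, remove_watch, dispatch_pending), the constructed peer string and the "count it instead of crashing" check in the callback are assumptions made for this example; the upstream fix removes the GLib source for the pending handshake in the TLS channel's close path, which is the idea close_fixed() copies.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_WATCHES 8

typedef struct Channel Channel;
/* Return value mirrors GLib: false == G_SOURCE_REMOVE, the watch is dropped after firing. */
typedef bool (*WatchFunc)(Channel *ioc, void *user_data);

/* Stand-in for the main loop's source table; tag 0 marks a free slot (GLib never hands out 0). */
typedef struct {
    unsigned tag;
    Channel *ioc;
    WatchFunc func;
    void *user_data;
} Watch;

static Watch watches[MAX_WATCHES];
static unsigned next_tag = 1;

struct Channel {
    int fd;               /* -1 once closed */
    const char *peer;     /* hypothetical per-connection state, NULL after teardown */
    unsigned hs_ioc_tag;  /* tag of the pending handshake watch, 0 if none */
};

/* qio_channel_add_watch(_full) stand-in: register a watch and return its tag. */
static unsigned add_watch(Channel *ioc, WatchFunc func, void *user_data)
{
    for (int i = 0; i < MAX_WATCHES; i++) {
        if (watches[i].tag == 0) {
            watches[i] = (Watch){ next_tag, ioc, func, user_data };
            return next_tag++;
        }
    }
    return 0; /* table full; 0 means "no watch" to callers */
}

/* g_source_remove() stand-in. */
static bool remove_watch(unsigned tag)
{
    for (int i = 0; i < MAX_WATCHES; i++) {
        if (tag != 0 && watches[i].tag == tag) {
            memset(&watches[i], 0, sizeof watches[i]);
            return true;
        }
    }
    return false;
}

/* One main-loop iteration: fire every pending watch once. */
static void dispatch_pending(void)
{
    for (int i = 0; i < MAX_WATCHES; i++) {
        Watch w = watches[i];
        if (w.tag == 0) continue;
        if (!w.func(w.ioc, w.user_data)) memset(&watches[i], 0, sizeof watches[i]);
    }
}

typedef struct {
    int fired_on_closed;  /* callback ran against an already torn-down connection */
    int fired_ok;
} HandshakeStats;

/* Handshake continuation: clears its own tag, then touches per-connection state. In QEMU that
 * state is gone once the connection was cleaned up (the NULL deref); here we count the event. */
static bool handshake_io(Channel *ioc, void *user_data)
{
    HandshakeStats *st = user_data;
    ioc->hs_ioc_tag = 0;
    if (ioc->fd < 0 || ioc->peer == NULL) { st->fired_on_closed++; return false; }
    st->fired_ok++;
    return false;
}

static void start_handshake(Channel *ioc, HandshakeStats *st)
{
    ioc->hs_ioc_tag = add_watch(ioc, handshake_io, st);
}

/* Vulnerable close: tears the connection down but leaves the handshake watch registered. */
static void close_vulnerable(Channel *ioc) { ioc->fd = -1; ioc->peer = NULL; }

/* Fixed close: drop the pending watch first, then tear down (the upstream fix's approach). */
static void close_fixed(Channel *ioc)
{
    if (ioc->hs_ioc_tag != 0) { remove_watch(ioc->hs_ioc_tag); ioc->hs_ioc_tag = 0; }
    ioc->fd = -1;
    ioc->peer = NULL;
}

/* Scenario: a connection still in its TLS handshake is evicted by the VNC connection limit
 * before its watch fires. Returns how many times the watch ran on a closed channel. */
static int evicted_during_handshake(bool fixed)
{
    memset(watches, 0, sizeof watches);
    Channel ioc = { .fd = 7, .peer = "10.0.0.5 (constructed)", .hs_ioc_tag = 0 };
    HandshakeStats st = { 0, 0 };
    start_handshake(&ioc, &st);
    if (fixed) close_fixed(&ioc); else close_vulnerable(&ioc);
    dispatch_pending();
    return st.fired_on_closed;
}

/* Control: the watch fires before any eviction. Returns the number of successful callbacks. */
static int handshake_completes(void)
{
    memset(watches, 0, sizeof watches);
    Channel ioc = { .fd = 7, .peer = "10.0.0.5 (constructed)", .hs_ioc_tag = 0 };
    HandshakeStats st = { 0, 0 };
    start_handshake(&ioc, &st);
    dispatch_pending();
    close_fixed(&ioc);
    return st.fired_ok;
}

int main(void)
{
    printf("vulnerable close: watch fired on closed channel %d time(s)\n", evicted_during_handshake(false));
    printf("fixed close:      watch fired on closed channel %d time(s)\n", evicted_during_handshake(true));
    printf("control:          handshake callbacks completed %d\n", handshake_completes());
    return 0;
}
```

The point of the model is the ordering: the eviction path closes the channel from outside the handshake, so the handshake code never gets to clear its own state, and the only safe place to drop the watch is the close routine itself. Whether the watch was registered with qio_channel_add_watch() or qio_channel_add_watch_full() does not change this, since both hand back a source tag that close can remove, which is why the backport applies to the older branches listed above.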
Comment 7 OBSbugzilla Bot 2023-08-09 06:55:04 UTC
This is an autogenerated message for OBS integration:
This bug (1212850) was mentioned in
https://build.opensuse.org/request/show/1103082 Factory / qemu
Comment 10 Maintenance Automation 2023-08-28 12:30:37 UTC
SUSE-SU-2023:3444-1: An update that solves six vulnerabilities can now be installed.

Category: security (important)
Bug References: 1188609, 1190011, 1207205, 1212850, 1213414, 1213925
CVE References: CVE-2021-3638, CVE-2021-3750, CVE-2023-0330, CVE-2023-3180, CVE-2023-3301, CVE-2023-3354
Sources used:
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): qemu-5.2.0-150300.127.3
SUSE Manager Proxy 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Manager Retail Branch Server 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Manager Server 4.2 (src): qemu-5.2.0-150300.127.3
SUSE Enterprise Storage 7.1 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro 5.1 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro 5.2 (src): qemu-5.2.0-150300.127.3
SUSE Linux Enterprise Micro for Rancher 5.2 (src): qemu-5.2.0-150300.127.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 OBSbugzilla Bot 2023-09-12 14:05:20 UTC
This is an autogenerated message for OBS integration:
This bug (1212850) was mentioned in
https://build.opensuse.org/request/show/1110620 Factory / qemu
Comment 18 Maintenance Automation 2023-09-21 08:30:02 UTC
SUSE-SU-2023:3721-1: An update that solves 10 vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1172382, 1188609, 1190011, 1193880, 1197653, 1198712, 1207205, 1212850, 1212968, 1213925, 1215311
CVE References: CVE-2020-13754, CVE-2021-3638, CVE-2021-3750, CVE-2021-3929, CVE-2022-1050, CVE-2022-26354, CVE-2023-0330, CVE-2023-2861, CVE-2023-3180, CVE-2023-3354
Sources used:
openSUSE Leap 15.4 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): qemu-4.2.1-150200.79.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): qemu-4.2.1-150200.79.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 20 Maintenance Automation 2023-09-27 12:30:07 UTC
SUSE-SU-2023:3800-1: An update that solves nine vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1172382, 1190011, 1193880, 1197653, 1198712, 1207205, 1212850, 1212968, 1213925, 1215311
CVE References: CVE-2019-13754, CVE-2021-3750, CVE-2021-3929, CVE-2022-1050, CVE-2022-26354, CVE-2023-0330, CVE-2023-2861, CVE-2023-3180, CVE-2023-3354
Sources used:
SUSE CaaS Platform 4.0 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): qemu-3.1.1.1-150100.80.51.5
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): qemu-3.1.1.1-150100.80.51.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Maintenance Automation 2023-10-12 12:46:45 UTC
SUSE-SU-2023:4056-1: An update that solves five vulnerabilities and has four security fixes can now be installed.

Category: security (important)
Bug References: 1179993, 1181740, 1188609, 1190011, 1207205, 1212850, 1213663, 1213925, 1215311
CVE References: CVE-2021-3638, CVE-2021-3750, CVE-2023-0330, CVE-2023-3180, CVE-2023-3354
Sources used:
openSUSE Leap 15.4 (src): qemu-linux-user-6.2.0-150400.37.23.1, qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro 5.3 (src): qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): qemu-6.2.0-150400.37.23.1
SUSE Linux Enterprise Micro 5.4 (src): qemu-6.2.0-150400.37.23.1
Basesystem Module 15-SP4 (src): qemu-6.2.0-150400.37.23.1
Server Applications Module 15-SP4 (src): qemu-6.2.0-150400.37.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 33 Maintenance Automation 2023-12-06 16:30:33 UTC
SUSE-SU-2023:4662-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1188609, 1212850, 1213210, 1213925, 1215311
CVE References: CVE-2021-3638, CVE-2023-3180, CVE-2023-3354
Sources used:
openSUSE Leap 15.5 (src): qemu-linux-user-7.1.0-150500.49.9.1, qemu-7.1.0-150500.49.9.2
SUSE Linux Enterprise Micro 5.5 (src): qemu-7.1.0-150500.49.9.2
Basesystem Module 15-SP5 (src): qemu-7.1.0-150500.49.9.2
Server Applications Module 15-SP5 (src): qemu-7.1.0-150500.49.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 34 Maintenance Automation 2024-02-22 12:30:03 UTC
SUSE-SU-2024:0589-1: An update that solves three vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1188609, 1212850, 1213210, 1213925, 1215311
CVE References: CVE-2021-3638, CVE-2023-3180, CVE-2023-3354
Sources used:
SUSE Package Hub 15 15-SP5 (src): qemu-7.1.0-150500.49.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 36 Maintenance Automation 2024-04-23 12:30:13 UTC
SUSE-SU-2024:1395-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1190011, 1198038, 1207205, 1212850, 1213925
CVE References: CVE-2021-3750, CVE-2022-0216, CVE-2023-0330, CVE-2023-3180, CVE-2023-3354
Maintenance Incident: [SUSE:Maintenance:33441](https://smelt.suse.de/incident/33441/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 qemu-3.1.1.1-72.1
SUSE Linux Enterprise Server 12 SP5 (src):
 qemu-3.1.1.1-72.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 qemu-3.1.1.1-72.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.