A newly disclosed vulnerability, tracked as CVE-2022-3165, affects the QEMU VNC server and can lead to a denial of service (DoS). It is caused by an integer underflow in QEMU's handling of ClientCutText messages in the extended format. A malicious client can send a specially crafted ClientCutText message that leaves QEMU unresponsive, resulting in a DoS condition.

Code Snippet

The integer underflow issue was identified in QEMU's vnc_display.c module while processing the ClientCutText payload message. The relevant code snippet is as follows:

case VNC_ENCODING_CLIENTCUTTEXT:
	uint32_t length;
	/* Length is taken straight from the client; extended messages carry a 32-bit field */
	length = extended ? read_u32(rfb_in, rfb_inlen) : read_u16(rfb_in);

	/* No check that length <= rfb_inlen: a large value underflows the remaining-input counter */
	rfb_inlen -= length;
	/* The loop then drains an attacker-controlled number of bytes in BUFSIZ chunks */
	while (length) {
		uint8_t buffer[BUFSIZ];
		size_t sent = MIN(length, sizeof(buffer));
		read_bytes(rfb_in, buffer, sent);
		length -= sent;
	}
	break;

The problem is that the length value taken from the incoming message is never checked against the number of bytes actually available. Subtracting an attacker-chosen length from the remaining-input counter underflows it, and the read loop then iterates over that attacker-controlled byte count, rendering the VNC server unresponsive.

Exploit Details

To exploit CVE-2022-3165, an attacker would need to send a specially crafted message to the affected QEMU VNC server. A malicious ClientCutText message can trigger the integer underflow, causing QEMU to enter an effectively endless loop while processing the message. The server becomes unresponsive, which amounts to a denial-of-service condition.

Remediation and Patches

The QEMU development team is aware of this vulnerability and has already released a patch to address this issue. The patch ensures that the length value is validated before being processed. The change can be seen in the updated code:

case VNC_ENCODING_CLIENTCUTTEXT:
	uint32_t length, max_length;
	/* Upper bound the wire format can express for this message variant */
	max_length = extended ? UINT32_MAX : UINT16_MAX;
	length = extended ? read_u32(rfb_in, rfb_inlen) : read_u16(rfb_in);

	/* Reject a length the format cannot carry and, crucially, a length larger
	 * than the bytes actually received, which is what underflowed rfb_inlen */
	if (length > max_length || length > rfb_inlen) {
		error_report("ClientCutText message too large");
		return -1;
	}

	/* Safe: length <= rfb_inlen, so the counter cannot wrap */
	rfb_inlen -= length;
	while (length) {
		uint8_t buffer[BUFSIZ];
		size_t sent = MIN(length, sizeof(buffer));
		read_bytes(rfb_in, buffer, sent);
		length -= sent;
	}
	break;
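The following standalone C program, added here as an illustration and not code from QEMU or from the original writeup, models both the unchecked length handling described under "Code Snippet" and the validated form described in this section. The message layout (a big-endian 32-bit length followed by the text) and the sample messages are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal big-endian u32 reader (stand-in for QEMU's read_u32). */
static uint32_t read_u32_be(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unpatched shape: trust the declared length and subtract it from the
 * remaining-input counter. Returns that counter so the wrap is visible. */
size_t cut_text_remaining_unchecked(const uint8_t *msg, size_t msg_len)
{
    size_t remaining = msg_len - 4;           /* bytes after the length field */
    uint32_t length  = read_u32_be(msg);
    remaining -= length;                      /* underflows if length > remaining */
    return remaining;
}

/* Patched shape: validate before doing arithmetic. Returns the text length
 * on success, -1 if the declared length exceeds what the client actually sent. */
long cut_text_length_checked(const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 4) {
        return -1;                            /* not even a full length field */
    }
    uint32_t length = read_u32_be(msg);
    if (length > msg_len - 4) {
        return -1;                            /* would drive the counter below zero */
    }
    return (long)length;
}

/* Constructed sample messages (not captured traffic): a well-formed 5-byte
 * text, and one whose declared length far exceeds the 5 bytes present. */
static const uint8_t BENIGN_MSG[]    = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t OVERSIZED_MSG[] = { 0xFF, 0xFF, 0xFF, 0xF0, 'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    printf("unchecked remaining after oversized length: %zu\n",
           cut_text_remaining_unchecked(OVERSIZED_MSG, sizeof OVERSIZED_MSG));
    printf("checked benign: %ld, checked oversized: %ld\n",
           cut_text_length_checked(BENIGN_MSG, sizeof BENIGN_MSG),
           cut_text_length_checked(OVERSIZED_MSG, sizeof OVERSIZED_MSG));
    return 0;
}
```

The unchecked counter wraps to a value far larger than the whole message, which is the condition that keeps the read loop running; the checked variant refuses the same input before any subtraction happens.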

Users are urged to update their QEMU software to the latest available version, which includes the necessary patch for CVE-2022-3165. Moreover, it is always recommended to follow good security practices such as restricting access to the VNC server only to trusted clients and not exposing it to the public internet.

For further information on CVE-2022-3165, consult the following resources:

1. QEMU official mailing list announcement: https://lists.gnu.org/archive/html/qemu-devel/2022-02/msg04758.html
2. CVE-2022-3165 details on MITRE's official list: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3165
3. QEMU patch for the said vulnerability: https://git.qemu.org/?p=qemu.git;a=commit;h=aa51d57d9ff96793d268a890219ca620bfdc4c4

Stay up to date on security vulnerabilities and ensure your systems are always patched to avoid potential attacks.

Timeline

Published on: 10/17/2022 16:15:00 UTC
Last modified on: 10/25/2022 21:15:00 UTC