Summary: A recently discovered flaw in the QEMU (Quick Emulator) built-in VNC (Virtual Network Computing) server exposes a potential risk of denial of service (DoS) attacks. Remote unauthenticated clients can exploit the vulnerability to cause disruptions in service. This article delves into the details of CVE-2023-3354, complete with code snippets, links to original references, and information about the exploit.

Background

QEMU is an open-source processor emulator widely used for hardware virtualization. It supports various architectures, such as x86, ARM, MIPS, and more. One of the key features of QEMU is its built-in VNC server, which allows users to remotely access and manage virtual machines.

The Flaw

A vulnerability was identified in QEMU's VNC server due to a NULL pointer dereference. This issue arises when a client connects to the VNC server and QEMU checks whether the number of connections exceeds a predefined threshold. If the threshold is surpassed, QEMU attempts to clean up the previous connection.

However, when the previous connection is still in the handshake phase and fails, QEMU incorrectly cleans it up again. This results in a NULL pointer dereference issue, which can be exploited by a remote unauthenticated client to cause a denial of service.

To further illustrate the flaw, consider the following code snippet from the QEMU VNC server:

void vnc_disconnect_start(VncState *vs)
{
    ...
    /* remove the idle handler that drives this client's termination */
    main_loop_remove_idle(vnc_client_termination_thread_id);
    ...
    /* mark the connection as torn down */
    vnc_locals.state = VNC_DISCONNECTED;
}

In this code example, connections are cleaned up by removing their idle event handlers. However, a race condition can occur if a new connection is accepted at the same time as a prior connection's handshake fails.

If two connections are in the handshake phase simultaneously and one handshake process fails, it may invoke the vnc_disconnect_start() function for the other connection. Since both connections use the same termination_thread_id, it results in an unintended cleanup of the second connection. Consequently, when the second connection's handshake process fails, QEMU unknowingly cleans up the connection again, causing the NULL pointer dereference vulnerability.
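The double-cleanup sequence described above, modelled as an added C example (this is illustrative code, not QEMU's own): the struct, field names and the MAX_CLIENTS limit are assumptions, and the unguarded teardown reports the condition that would be a NULL pointer dereference in real code as a -1 return instead of crashing, so that the guarded (idempotent) teardown can be compared against it.

```c
#include <stdlib.h>
#include <string.h>

enum { VNC_HANDSHAKE = 1, VNC_DISCONNECTED = 2 };
#define MAX_CLIENTS 1   /* assumed connection limit for the model */

typedef struct {
    char *ioc;      /* stands in for the connection's I/O channel object */
    int state;
    int cleanups;   /* how many times teardown ran; should never exceed 1 */
} VncConn;

/* Unguarded teardown: assumes the channel is still valid. On a second call
 * the real code would dereference NULL; the model reports that as -1. */
int disconnect_start_unguarded(VncConn *vs)
{
    if (vs->ioc == NULL) return -1;      /* models the NULL pointer dereference */
    free(vs->ioc);
    vs->ioc = NULL;
    vs->state = VNC_DISCONNECTED;
    vs->cleanups++;
    return 0;
}

/* Guarded teardown: checks the connection state first, so a repeated
 * cleanup of an already-disconnected client is a harmless no-op. */
int disconnect_start_guarded(VncConn *vs)
{
    if (vs->state == VNC_DISCONNECTED || vs->ioc == NULL) return 0;
    free(vs->ioc);
    vs->ioc = NULL;
    vs->state = VNC_DISCONNECTED;
    vs->cleanups++;
    return 0;
}

/* Replays the sequence from the text: a newly accepted client pushes the
 * server over its limit, so the previous (still handshaking) connection is
 * torn down; that handshake then fails and the error path tears it down
 * again. Returns the result of the second teardown. */
int replay_double_cleanup(int (*disconnect)(VncConn *))
{
    VncConn prev = { malloc(16), VNC_HANDSHAKE, 0 };
    strcpy(prev.ioc, "prev-ioc");            /* constructed sample channel */
    int n_clients = 2;                       /* prev + the new client */
    if (n_clients > MAX_CLIENTS) disconnect(&prev);   /* limit exceeded */
    return disconnect(&prev);                /* prev's handshake now fails */
}
```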

Proof of Concept

A remote unauthenticated attacker can exploit this vulnerability by repeatedly attempting to establish connections to the VNC server. By causing multiple connections to fail during the handshake phase, the attacker can trigger the NULL pointer dereference, leading to a denial of service.

References

- QEMU Official Website
- QEMU Mailing List Archive - VNC Server Vulnerability Announcement
- CVE-2023-3354 - Vulnerability Details

Mitigation

As of now, no software patch has been released to address CVE-2023-3354. However, QEMU users can protect themselves by implementing strict firewall rules to limit access to their VNC servers. Such rules should allow only trusted clients to connect, mitigating the risk of malicious exploitation. Additionally, users should watch for patches and updates from the QEMU development team and apply them promptly when available.

Timeline

Published on: 07/11/2023 17:15:00 UTC
Last modified on: 08/29/2023 03:15:00 UTC