Vigil@nce: QEMU, Linux KVM, infinite loop of VNC
December 2008 by Vigil@nce
SYNTHESIS
An attacker can send a special message to the VNC service of QEMU
or Linux Kernel-Based Virtual Machine in order to create a denial
of service.
Gravity: 2/4
Consequences: denial of service of service
Provenance: intranet client
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 23/12/2008
IMPACTED PRODUCTS
– Fedora
– Unix - plateform
DESCRIPTION
The QEMU emulator implements VNC for remote administration. Linux
Kernel-Based Virtual Machine contains a copy of QEMU source code.
The protocol_client_msg() function of the vnc.c file (or
qemu/vnc.c for KVM) reads client messages. The first byte
indicates the message type. When the type is 2 (encoding
definition via set_encodings()), bytes 3 and 4 indicate the size
of the encoding array.
However, if bytes 3 and 4 are null, the protocol_client_msg()
function is indefinitely called.
An attacker can therefore send a special message to the VNC
service of QEMU or Linux Kernel-Based Virtual Machine in order to
create a denial of service.
CHARACTERISTICS
Identifiers: BID-32910, CORE-2008-1210, CVE-2008-2382,
FEDORA-2008-11705, FEDORA-2008-11727, VIGILANCE-VUL-8354