ID CVE-2013-4130
Summary The (1) red_channel_pipes_add_type and (2) red_channel_pipes_add_empty_msg functions in server/red_channel.c in SPICE before 0.12.4 do not properly perform ring loops, which might allow remote attackers to cause a denial of service (reachable assertion and server exit) by triggering a network error.
References
Vulnerable Configurations
  • Spice Project SPICE 0.12.3
    cpe:2.3:a:spice_project:spice:0.12.3
  • Spice Project SPICE 0.12.2
    cpe:2.3:a:spice_project:spice:0.12.2
  • Spice Project SPICE 0.12.0
    cpe:2.3:a:spice_project:spice:0.12.0
  • Spice Project SPICE 0.11.3
    cpe:2.3:a:spice_project:spice:0.11.3
  • Spice Project SPICE 0.11.0
    cpe:2.3:a:spice_project:spice:0.11.0
  • Spice Project SPICE 0.10.1
    cpe:2.3:a:spice_project:spice:0.10.1
  • Spice Project SPICE 0.10.0
    cpe:2.3:a:spice_project:spice:0.10.0
  • Spice Project SPICE 0.8.3
    cpe:2.3:a:spice_project:spice:0.8.3
  • Spice Project SPICE 0.9.1
    cpe:2.3:a:spice_project:spice:0.9.1
  • Spice Project SPICE 0.9.0
    cpe:2.3:a:spice_project:spice:0.9.0
  • Spice Project SPICE 0.8.2
    cpe:2.3:a:spice_project:spice:0.8.2
  • Spice Project SPICE 0.8.1
    cpe:2.3:a:spice_project:spice:0.8.1
  • Spice Project SPICE 0.8.0
    cpe:2.3:a:spice_project:spice:0.8.0
  • Spice Project SPICE 0.6.4
    cpe:2.3:a:spice_project:spice:0.6.4
  • Spice Project SPICE 0.6.3
    cpe:2.3:a:spice_project:spice:0.6.3
  • Spice Project SPICE 0.6.2
    cpe:2.3:a:spice_project:spice:0.6.2
  • Spice Project SPICE 0.7.3
    cpe:2.3:a:spice_project:spice:0.7.3
  • Spice Project SPICE 0.7.2
    cpe:2.3:a:spice_project:spice:0.7.2
  • Spice Project SPICE 0.7.1
    cpe:2.3:a:spice_project:spice:0.7.1
  • Spice Project SPICE 0.7.0
    cpe:2.3:a:spice_project:spice:0.7.0
  • Spice Project SPICE 0.6.1
    cpe:2.3:a:spice_project:spice:0.6.1
  • Spice Project SPICE 0.6.0
    cpe:2.3:a:spice_project:spice:0.6.0
  • Spice Project SPICE 0.5.3
    cpe:2.3:a:spice_project:spice:0.5.3
  • Spice Project SPICE 0.5.2
    cpe:2.3:a:spice_project:spice:0.5.2
  • Canonical Ubuntu Linux 13.04
    cpe:2.3:o:canonical:ubuntu_linux:13.04
CVSS
Base: 5.0 (as of 20-08-2013 - 11:24)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
  Vector NETWORK
  Complexity LOW
  Authentication NONE
Impact
  Confidentiality NONE
  Integrity NONE
  Availability PARTIAL
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1926-1.NASL
    description David Gibson discovered that SPICE incorrectly handled certain network errors. An attacker could use this issue to cause the SPICE server to crash, resulting in a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 69366
    published 2013-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69366
    title Ubuntu 13.04 : spice vulnerability (USN-1926-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130903_SPICE_SERVER_ON_SL6_X.NASL
    description A flaw was found in the way concurrent access to the clients ring buffer was performed in the spice-server library. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. (CVE-2013-4130) Applications acting as a SPICE server must be restarted for this update to take effect. Note that QEMU-KVM guests providing SPICE console access must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 69786
    published 2013-09-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69786
    title Scientific Linux Security Update : spice-server on SL6.x x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-14110.NASL
    description - New upstream bug-fix release 0.12.4 - Fixes a client triggerable abort CVE-2013-4130 - Add patches from upstream git to fix sound-channel-free crash (rhbz#986407) - Stop building spicec, it's obsolete and superseded by remote-viewer (part of virt-viewer) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 69299
    published 2013-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69299
    title Fedora 19 : spice-0.12.4-1.fc19 (2013-14110)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-1192.NASL
    description An updated spice-server package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A flaw was found in the way concurrent access to the clients ring buffer was performed in the spice-server library. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. (CVE-2013-4130) This issue was discovered by David Gibson of Red Hat. Users of spice-server are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Applications acting as a SPICE server must be restarted for this update to take effect. Note that QEMU-KVM guests providing SPICE console access must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 69779
    published 2013-09-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69779
    title CentOS 6 : spice-server (CESA-2013:1192)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-14362.NASL
    description - New upstream bug-fix release 0.12.4 - Fixes a client triggerable abort CVE-2013-4130 - Add patches from upstream git to fix sound-channel-free crash (rhbz#986407) - Stop building spicec, it's obsolete and superseded by remote-viewer (part of virt-viewer) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 69363
    published 2013-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69363
    title Fedora 18 : spice-0.12.4-1.fc18 (2013-14362)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-1192.NASL
    description From Red Hat Security Advisory 2013:1192 : An updated spice-server package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A flaw was found in the way concurrent access to the clients ring buffer was performed in the spice-server library. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. (CVE-2013-4130) This issue was discovered by David Gibson of Red Hat. Users of spice-server are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Applications acting as a SPICE server must be restarted for this update to take effect. Note that QEMU-KVM guests providing SPICE console access must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2015-12-01
    plugin id 69776
    published 2013-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69776
    title Oracle Linux 6 : spice-server (ELSA-2013-1192)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1192.NASL
    description An updated spice-server package that fixes one security issue is now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A flaw was found in the way concurrent access to the clients ring buffer was performed in the spice-server library. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. (CVE-2013-4130) This issue was discovered by David Gibson of Red Hat. Users of spice-server are advised to upgrade to this updated package, which contains a backported patch to correct this issue. Applications acting as a SPICE server must be restarted for this update to take effect. Note that QEMU-KVM guests providing SPICE console access must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 69777
    published 2013-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69777
    title RHEL 6 : spice-server (RHSA-2013:1192)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-217.NASL
    description Updated spice packages fix security vulnerability: A user able to initiate a spice connection to the guest could use a flaw in server/red_channel.c to crash the guest (CVE-2013-4130).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 69466
    published 2013-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69466
    title Mandriva Linux Security Advisory : spice (MDVSA-2013:217)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-1260.NASL
    description An updated rhev-hypervisor6 package that fixes one security issue and various bugs is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. Upgrade Note: If you upgrade the Red Hat Enterprise Virtualization Hypervisor through the 3.2 Manager administration portal, the Host may appear with the status of 'Install Failed'. If this happens, place the host into maintenance mode, then activate it again to get the host back to an 'Up' state. A flaw was found in the way concurrent access to the clients ring buffer was performed in the spice-server library. A remote user able to initiate a SPICE connection to a guest could use this flaw to crash the guest. (CVE-2013-4130) This issue was discovered by David Gibson of Red Hat. This update also contains the fix from the following errata : * vdsm: RHBA-2013:1261 https://rhn.redhat.com/errata/RHBA-2013-1261.html Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which corrects these issues.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 78972
    published 2014-11-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=78972
    title RHEL 6 : rhev-hypervisor6 (RHSA-2013:1260)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2839.NASL
    description Multiple vulnerabilities have been found in spice, a SPICE protocol client and server library. The Common Vulnerabilities and Exposures project identifies the following issues : - CVE-2013-4130 David Gibson of Red Hat discovered that SPICE incorrectly handled certain network errors. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. - CVE-2013-4282 Tomas Jamrisko of Red Hat discovered that SPICE incorrectly handled long passwords in SPICE tickets. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. Applications acting as a SPICE server must be restarted for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 71867
    published 2014-01-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=71867
    title Debian DSA-2839-1 : spice - denial of service
redhat via4
advisories
  • bugzilla
    id 984769
    title CVE-2013-4130 spice: unsafe clients ring access abort
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment spice-server is earlier than 0:0.12.0-12.el6_4.3
          oval oval:com.redhat.rhsa:tst:20131192005
        • comment spice-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131192006
      • AND
        • comment spice-server-devel is earlier than 0:0.12.0-12.el6_4.3
          oval oval:com.redhat.rhsa:tst:20131192007
        • comment spice-server-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20131192008
    rhsa
    id RHSA-2013:1192
    released 2013-09-03
    severity Moderate
    title RHSA-2013:1192: spice-server security update (Moderate)
  • rhsa
    id RHSA-2013:1260
rpms
  • spice-server-0:0.12.0-12.el6_4.3
  • spice-server-devel-0:0.12.0-12.el6_4.3
refmap via4
confirm
debian DSA-2839
mlist [oss-security] 20130715 Re: CVE Request -- spice: unsafe clients ring access abort
ubuntu USN-1926-1
Last major update 23-01-2014 - 23:35
Published 20-08-2013 - 18:55