Stack-based buffer overflow in the reds_handle_ticket function in server/reds.c in SPICE 0.12.0 allows remote attackers to cause a denial of service (crash) via a long password in a SPICE ticket.

Spice was updated to fix four security issues.

The following vulnerabilities were fixed :

  - CVE-2015-3247: heap corruption in the spice server     (bsc#944460)

  - CVE-2015-5261: Guest could have accessed host memory     using crafted images (bsc#948976)

  - CVE-2015-5260: Insufficient validation of surface_id     parameter could have caused a crash (bsc#944460)

  - CVE-2013-4282: Buffer overflow in password handling     (bsc#848279)

The remote desktop software SPICE was updated to address one security issue.

The following vulnerabilitiy was fixed :

  - A stack-based buffer overflow in the password handling     code allowed remote attackers to cause a denial of     service (crash) via a long password in a SPICE ticket.
    (bsc#848279, CVE-2013-4282)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An updated rhev-hypervisor6 package that fixes one security issue and various bugs is now available.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.

Upgrade Note: If you upgrade the Red Hat Enterprise Virtualization Hypervisor through the 3.2 Manager administration portal, the Host may appear with the status of 'Install Failed'. If this happens, place the host into maintenance mode, then activate it again to get the host back to an 'Up' state

A stack-based buffer overflow flaw was found in the way the reds_handle_ticket() function in the spice-server library handled decryption of ticket data provided by the client. A remote attacker able to initiate a SPICE connection to the guest could use this flaw to crash the guest. (CVE-2013-4282)

This issue was discovered by Tomas Jamrisko of Red Hat.

This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers :

CVE-2013-4162 and CVE-2013-4299 (kernel issues)

CVE-2013-4296 and CVE-2013-4311 (libvirt issues)

CVE-2013-4288 (polkit issue)

This update also contains the fixes from the following advisories :

* vdsm: https://rhn.redhat.com/errata/RHBA-2013-1462.html

* ovirt-node: https://rhn.redhat.com/errata/RHBA-2013-1461.html

Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which corrects these issues.

Updated spice packages fix security vulnerability :

A stack-based buffer overflow flaw was found in the way the reds_handle_ticket() function in the spice-server library handled decryption of ticket data provided by the client. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application (CVE-2013-4282).

Multiple vulnerabilities have been found in spice, a SPICE protocol client and server library. The Common Vulnerabilities and Exposures project identifies the following issues :

  - CVE-2013-4130     David Gibson of Red Hat discovered that SPICE     incorrectly handled certain network errors. A remote     user able to initiate a SPICE connection to an     application acting as a SPICE server could use this flaw     to crash the application.

  - CVE-2013-4282     Tomas Jamrisko of Red Hat discovered that SPICE     incorrectly handled long passwords in SPICE tickets. A     remote user able to initiate a SPICE connection to an     application acting as a SPICE server could use this flaw     to crash the application.

Applications acting as a SPICE server must be restarted for this update to take effect.

Tomas Jamrisko discovered that SPICE incorrectly handled long passwords in SPICE tickets. An attacker could use this issue to cause the SPICE server to crash, resulting in a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update fixes CVE-2013-4282

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A stack-based buffer overflow flaw was found in the way the reds_handle_ticket() function in the spice-server library handled decryption of ticket data provided by the client. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. (CVE-2013-4282)

Updated qspice packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.

A stack-based buffer overflow flaw was found in the way the reds_handle_ticket() function in the spice-server library handled decryption of ticket data provided by the client. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. (CVE-2013-4282)

This issue was discovered by Tomas Jamrisko of Red Hat.

All qspice users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

An updated spice-server package that fixes one security issue is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.

A stack-based buffer overflow flaw was found in the way the reds_handle_ticket() function in the spice-server library handled decryption of ticket data provided by the client. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. (CVE-2013-4282)

This issue was discovered by Tomas Jamrisko of Red Hat.

All spice-server users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

From Red Hat Security Advisory 2013:1474 :

Updated qspice packages that fix one security issue are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.

A stack-based buffer overflow flaw was found in the way the reds_handle_ticket() function in the spice-server library handled decryption of ticket data provided by the client. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. (CVE-2013-4282)

This issue was discovered by Tomas Jamrisko of Red Hat.

All qspice users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

From Red Hat Security Advisory 2013:1473 :

An updated spice-server package that fixes one security issue is now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors.

A stack-based buffer overflow flaw was found in the way the reds_handle_ticket() function in the spice-server library handled decryption of ticket data provided by the client. A remote user able to initiate a SPICE connection to an application acting as a SPICE server could use this flaw to crash the application. (CVE-2013-4282)

This issue was discovered by Tomas Jamrisko of Red Hat.

All spice-server users are advised to upgrade to this updated package, which contains a backported patch to correct this issue.

ID	Name	Product	Family	Severity
86392	openSUSE Security Update : spice (openSUSE-2015-657)	Nessus	SuSE Local Security Checks	high
83726	SUSE SLED12 / SLES12 Security Update : spice (SUSE-SU-2015:0884-1)	Nessus	SuSE Local Security Checks	medium
78977	RHEL 6 : rhev-hypervisor6 (RHSA-2013:1460)	Nessus	Red Hat Local Security Checks	high
72100	Mandriva Linux Security Advisory : spice (MDVSA-2014:016)	Nessus	Mandriva Local Security Checks	medium
71867	Debian DSA-2839-1 : spice - denial of service	Nessus	Debian Local Security Checks	medium
70874	Ubuntu 13.04 / 13.10 : spice vulnerability (USN-2027-1)	Nessus	Ubuntu Local Security Checks	medium
70827	Fedora 20 : spice-0.12.4-3.fc20 (2013-20310)	Nessus	Fedora Local Security Checks	medium
70788	Fedora 18 : spice-0.12.4-3.fc18 (2013-20360)	Nessus	Fedora Local Security Checks	medium
70787	Fedora 19 : spice-0.12.4-3.fc19 (2013-20340)	Nessus	Fedora Local Security Checks	medium
70707	Scientific Linux Security Update : spice-server on SL6.x x86_64 (20131029)	Nessus	Scientific Linux Local Security Checks	medium
70706	Scientific Linux Security Update : qspice on SL5.x x86_64 (20131029)	Nessus	Scientific Linux Local Security Checks	medium
70695	RHEL 5 : qspice (RHSA-2013:1474)	Nessus	Red Hat Local Security Checks	medium
70694	RHEL 6 : spice-server (RHSA-2013:1473)	Nessus	Red Hat Local Security Checks	medium
70691	Oracle Linux 5 : qspice (ELSA-2013-1474)	Nessus	Oracle Linux Local Security Checks	medium
70690	Oracle Linux 6 : spice-server (ELSA-2013-1473)	Nessus	Oracle Linux Local Security Checks	medium
70686	CentOS 5 : qspice (CESA-2013:1474)	Nessus	CentOS Local Security Checks	medium
70685	CentOS 6 : spice-server (CESA-2013:1473)	Nessus	CentOS Local Security Checks	medium

Detections

Analytics

CVE-2013-4282

high

Tenable Plugins

high

medium

high

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium