Vulnerabilities > CVE-2015-3247 - Race Condition vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Race condition in the worker_update_monitors_config function in SPICE 0.12.4 allows a remote authenticated guest user to cause a denial of service (heap-based memory corruption and QEMU-KVM crash) or possibly execute arbitrary code on the host via unspecified vectors.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-1733-1.NASL description Spice was updated to fix three security issues. The following vulnerabilities were fixed : - CVE-2015-3247: heap corruption in the spice server (bsc#944460) - CVE-2015-5261: Guest could have accessed host memory using crafted images (bsc#948976) - CVE-2015-5260: Insufficient validation of surface_id parameter could have caused a crash (bsc#944460) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 86397 published 2015-10-15 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86397 title SUSE SLED12 / SLES12 Security Update : spice (SUSE-SU-2015:1733-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1715.NASL description An updated spice-server package that fixes one security issue is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A race condition flaw, leading to a heap-based memory corruption, was found in spice last seen 2020-06-01 modified 2020-06-02 plugin id 85976 published 2015-09-17 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85976 title RHEL 6 : spice-server (RHSA-2015:1715) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-1715.NASL description An updated spice-server package that fixes one security issue is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A race condition flaw, leading to a heap-based memory corruption, was found in spice last seen 2020-06-01 modified 2020-06-02 plugin id 86508 published 2015-10-22 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86508 title CentOS 6 : spice-server (CESA-2015:1715) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2015-1714.NASL description An updated spice package that fixes one security issue is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A race condition flaw, leading to a heap-based memory corruption, was found in spice last seen 2020-06-01 modified 2020-06-02 plugin id 86507 published 2015-10-22 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/86507 title CentOS 7 : spice (CESA-2015:1714) NASL family Fedora Local Security Checks NASL id FEDORA_2015-7FCC957BA6.NASL description Update spice-gtk/spice-protocol/spice to new upstream releases. The spice update fixes CVE-2015-3247, CVE-2015-5260 and CVE-2015-5261. ---- Update to spice- gtk 0.29 ---- Update to release 0.12.7 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-03-04 plugin id 89303 published 2016-03-04 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89303 title Fedora 22 : mingw-spice-gtk-0.30-1.fc22 / mingw-spice-protocol-0.12.10-1.fc22 / spice-0.12.6-1.fc22 / etc (2015-7fcc957ba6) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1259-1.NASL description Spice was updated to fix three security issues. The following vulnerabilities were fixed : - CVE-2015-3247: heap corruption in the spice server (bsc#944460) - CVE-2015-5261: Guest could have accessed host memory using crafted images (bsc#948976) - CVE-2015-5260: Insufficient validation of surface_id parameter could have caused a crash (bsc#944787) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 90995 published 2016-05-09 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90995 title SUSE SLES11 Security Update : spice (SUSE-SU-2016:1259-1) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-1715.NASL description From Red Hat Security Advisory 2015:1715 : An updated spice-server package that fixes one security issue is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A race condition flaw, leading to a heap-based memory corruption, was found in spice last seen 2020-06-01 modified 2020-06-02 plugin id 85782 published 2015-09-04 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85782 title Oracle Linux 6 : spice-server (ELSA-2015-1715) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2015-1714.NASL description From Red Hat Security Advisory 2015:1714 : An updated spice package that fixes one security issue is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A race condition flaw, leading to a heap-based memory corruption, was found in spice last seen 2020-06-01 modified 2020-06-02 plugin id 85781 published 2015-09-04 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85781 title Oracle Linux 7 : spice (ELSA-2015-1714) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2736-1.NASL description Frediano Ziglio discovered that Spice incorrectly handled monitor configs. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 85873 published 2015-09-09 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85873 title Ubuntu 14.04 LTS / 15.04 : spice vulnerability (USN-2736-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1714.NASL description An updated spice package that fixes one security issue is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to the server. SPICE is used in Red Hat Enterprise Linux for viewing virtualized guests running on the Kernel-based Virtual Machine (KVM) hypervisor or on Red Hat Enterprise Virtualization Hypervisors. A race condition flaw, leading to a heap-based memory corruption, was found in spice last seen 2020-06-01 modified 2020-06-02 plugin id 85975 published 2015-09-17 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85975 title RHEL 7 : spice (RHSA-2015:1714) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1713.NASL description Updated rhev-hypervisor packages that fix multiple security issues, several bugs, and add various enhancements are now available. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A heap-based buffer overflow flaw was found in the way JasPer decoded JPEG 2000 image files. A specially crafted file could cause an application using JasPer to crash or, possibly, execute arbitrary code. (CVE-2014-8138) A race condition flaw, leading to a heap-based memory corruption, was found in spice last seen 2020-06-01 modified 2020-06-02 plugin id 85999 published 2015-09-18 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85999 title RHEL 6 : rhev-hypervisor (RHSA-2015:1713) NASL family Fedora Local Security Checks NASL id FEDORA_2015-A78EBCC142.NASL description Update spice-gtk/spice-protocol/spice to new upstream releases. The spice update fixes CVE-2015-3247, CVE-2015-5260 and CVE-2015-5261. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-03-04 plugin id 89356 published 2016-03-04 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89356 title Fedora 23 : mingw-spice-gtk-0.30-1.fc23 / mingw-spice-protocol-0.12.10-1.fc23 / spice-0.12.6-1.fc23 / etc (2015-a78ebcc142) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-657.NASL description Spice was updated to fix four security issues. The following vulnerabilities were fixed : - CVE-2015-3247: heap corruption in the spice server (bsc#944460) - CVE-2015-5261: Guest could have accessed host memory using crafted images (bsc#948976) - CVE-2015-5260: Insufficient validation of surface_id parameter could have caused a crash (bsc#944460) - CVE-2013-4282: Buffer overflow in password handling (bsc#848279) last seen 2020-06-05 modified 2015-10-15 plugin id 86392 published 2015-10-15 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/86392 title openSUSE Security Update : spice (openSUSE-2015-657) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3354.NASL description Frediano Ziglio of Red Hat discovered a race condition flaw in spice last seen 2020-06-01 modified 2020-06-02 plugin id 85851 published 2015-09-09 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85851 title Debian DSA-3354-1 : spice - security update NASL family Scientific Linux Local Security Checks NASL id SL_20150903_SPICE_SERVER_ON_SL7_X.NASL description A race condition flaw, leading to a heap-based memory corruption, was found in spice last seen 2020-03-18 modified 2015-09-04 plugin id 85790 published 2015-09-04 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85790 title Scientific Linux Security Update : spice-server on SL7.x x86_64 (20150903) NASL family Scientific Linux Local Security Checks NASL id SL_20150903_SPICE_SERVER_ON_SL6_X.NASL description A race condition flaw, leading to a heap-based memory corruption, was found in spice last seen 2020-03-18 modified 2015-09-04 plugin id 85789 published 2015-09-04 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85789 title Scientific Linux Security Update : spice-server on SL6.x x86_64 (20150903) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-583.NASL description Spice was updated to fix a heap corruption in the spice server (CVE-2015-3247). last seen 2020-06-05 modified 2015-09-18 plugin id 85998 published 2015-09-18 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/85998 title openSUSE Security Update : spice (openSUSE-2015-583)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://rhn.redhat.com/errata/RHSA-2015-1714.html
- http://rhn.redhat.com/errata/RHSA-2015-1715.html
- http://www.securitytracker.com/id/1033459
- http://rhn.redhat.com/errata/RHSA-2015-1713.html
- http://lists.freedesktop.org/archives/spice-devel/2015-October/022191.html
- http://www.ubuntu.com/usn/USN-2736-1
- http://www.securitytracker.com/id/1033460
- http://www.debian.org/security/2015/dsa-3354
- http://lists.opensuse.org/opensuse-updates/2015-09/msg00018.html
- http://www.securitytracker.com/id/1033753