English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.892524
Category:Debian Local Security Checks
Title:Debian: Security Advisory (DLA-2524-1)
Summary:The remote host is missing an update for the Debian 'spice-vdagent' package(s) announced via the DLA-2524-1 advisory.
Description:Summary:
The remote host is missing an update for the Debian 'spice-vdagent' package(s) announced via the DLA-2524-1 advisory.

Vulnerability Insight:
Several vulnerabilities were discovered in spice-vdagent, a spice guest agent for enchancing SPICE integeration and experience.

CVE-2017-15108

spice-vdagent does not properly escape save directory before passing to shell, allowing local attacker with access to the session the agent runs in to inject arbitrary commands to be executed.

CVE-2020-25650

A flaw was found in the way the spice-vdagentd daemon handled file transfers from the host system to the virtual machine. Any unprivileged local guest user with access to the UNIX domain socket path `/run/spice-vdagentd/spice-vdagent-sock` could use this flaw to perform a memory denial of service for spice-vdagentd or even other processes in the VM system. The highest threat from this vulnerability is to system availability. This flaw affects spice-vdagent versions 0.20 and previous versions.

CVE-2020-25651

A flaw was found in the SPICE file transfer protocol. File data from the host system can end up in full or in parts in the client connection of an illegitimate local user in the VM system. Active file transfers from other users could also be interrupted, resulting in a denial of service. The highest threat from this vulnerability is to data confidentiality as well as system availability.

CVE-2020-25652

A flaw was found in the spice-vdagentd daemon, where it did not properly handle client connections that can be established via the UNIX domain socket in `/run/spice-vdagentd/spice-vdagent-sock`. Any unprivileged local guest user could use this flaw to prevent legitimate agents from connecting to the spice-vdagentd daemon, resulting in a denial of service. The highest threat from this vulnerability is to system availability.

CVE-2020-25653

A race condition vulnerability was found in the way the spice-vdagentd daemon handled new client connections. This flaw may allow an unprivileged local guest user to become the active agent for spice-vdagentd, possibly resulting in a denial of service or information leakage from the host. The highest threat from this vulnerability is to data confidentiality as well as system availability.

For Debian 9 stretch, these problems have been fixed in version 0.17.0-1+deb9u1.

We recommend that you upgrade your spice-vdagent packages.

For the detailed security status of spice-vdagent please refer to its security tracker page at: [link moved to references]

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]

Affected Software/OS:
'spice-vdagent' package(s) on Debian 9.

Solution:
Please install the updated package(s).

CVSS Score:
5.4

CVSS Vector:
AV:L/AC:M/Au:N/C:P/I:N/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2017-15108
GLSA-201804-09
https://security.gentoo.org/glsa/201804-09
[debian-lts-announce] 20210113 [SECURITY] [DLA 2524-1] spice-vdagent security update
https://lists.debian.org/debian-lts-announce/2021/01/msg00012.html
https://cgit.freedesktop.org/spice/linux/vd_agent/commit/?id=8ba174816d245757e743e636df357910e1d5eb61
Common Vulnerability Exposure (CVE) ID: CVE-2020-25650
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OIWJ2EIQXWEA2VDBODEATHAT37X4CREP/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GQT56LATVTB2DJOVVJOKQVMVUXYCT2VB/
https://bugzilla.redhat.com/show_bug.cgi?id=1886345
https://www.openwall.com/lists/oss-security/2020/11/04/1
Common Vulnerability Exposure (CVE) ID: CVE-2020-25651
https://bugzilla.redhat.com/show_bug.cgi?id=1886359
Common Vulnerability Exposure (CVE) ID: CVE-2020-25652
https://bugzilla.redhat.com/show_bug.cgi?id=1886366
Common Vulnerability Exposure (CVE) ID: CVE-2020-25653
https://bugzilla.redhat.com/show_bug.cgi?id=1886372
CopyrightCopyright (C) 2021 Greenbone AG

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.