PT-2020-6736 · Spice+6 · Spice+6

Pedro Sampaio

Published

2020-12-01

Updated

2024-06-15

CVE-2021-20201

CVSS v3.1

5.3

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Name of the Vulnerable Software and Affected Versions spice versions prior to 0.14.92

Description A flaw in the spice system allows remote attackers to cause a denial of service by performing many renegotiations within a single connection, resulting in CPU consumption. The vulnerability is related to the significant difference in resource consumption between the client and server when negotiating a new SSL connection. This can be exploited by a remote attacker to cause a denial of service.

Recommendations For spice versions prior to 0.14.92, update to version 0.14.92 or later to resolve the issue. As a temporary workaround, consider restricting the number of renegotiations allowed within a single connection to minimize the risk of exploitation.

Exploit

Fix

DoS

Resource Exhaustion

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400

Related Identifiers

ALSA-2021:1924

ALT-PU-2021-1700

ALT-PU-2021-1879

ALT-PU-2021-1963

BDU:2022-05884

CESA-2021_1924

CVE-2021-20201

MGASA-2021-0405

OESA-2021-1233

OPENSUSE-SU-2021:0874-1

OPENSUSE-SU-2021_0874-1

OPENSUSE-SU-2022_2881-1

OPENSUSE-SU-2024:12406-1

OPENSUSE-SU-2024:13045-1

RHSA-2021:1924

RHSA-2021_1924

RLSA-2021:1924

SUSE-SU-2021:14744-1

SUSE-SU-2021:1901-1

SUSE-SU-2021:1902-1

SUSE-SU-2021:1906-1

SUSE-SU-2021:1927-1

SUSE-SU-2021:1956-1

SUSE-SU-2021_14744-1

SUSE-SU-2021_1906-1

SUSE-SU-2021_1927-1

SUSE-SU-2022:2881-1

SUSE-SU-2022:2881-2

SUSE-SU-2022_2881-1

Affected Products

Alt Linux

Almalinux

Centos

Red Hat

Rocky Linux

Suse

Spice

PT-2020-6736 · Spice+6 · Spice+6

CVE-2021-20201

Weakness Enumeration

Related Identifiers

Affected Products

References · 61