
Cloud Vulnerability DB
A community-led vulnerabilities database
A race condition vulnerability (CVE-2020-25653) was discovered in the spice-vdagentd daemon's handling of new client connections. The vulnerability affects spice-vdagent versions 0.20 and prior, with the initial disclosure occurring in November 2020. The flaw exists in the way the daemon processes client connections through UNIX domain sockets, specifically in the authentication and session management mechanisms (NVD, OpenWall).
The vulnerability stems from a race condition between when a client performs the connect() call to establish a connection with spice-vdagentd and when the daemon retrieves and checks the PID in its agent_connect() function. The daemon uses the SO_PEERCRED socket option to obtain peer credentials, but the returned credentials are those that were in effect at the time of the connect() call. This creates a timing window where the PID could be reassigned to an unrelated process, causing the daemon to associate the wrong session with the connection. The vulnerability has been assigned a CVSS v3.1 base score of 6.3 (Medium) with vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:H (NVD).
The vulnerability can allow an unprivileged local guest user to become the active agent for spice-vdagentd. That user could then potentially gain unauthorized access to host clipboard contents, send malicious clipboard content to the host, retrieve file data from the host, or send invalid screen resolution and display information. If a legitimate spice-vdagent is already running in the victim's graphical session, a successful attack can trigger the daemon's information leak protection logic, causing a denial of service in which neither the attacker nor the legitimate user can use the SPICE features (OpenWall).
The vulnerability was addressed in spice-vdagent version 0.21.0. The fix includes changes to the session check logic by taking into account the connected client's UID in addition to the PID. If the UID of the determined session and the client don't match, the connection is terminated. Various distributions have released security updates to address this vulnerability, including Red Hat Enterprise Linux 8 via RHSA-2021:1791 and Debian via DLA 2524-1 (Red Hat, Debian).
Source: This report was generated using AI