CVE-2023-3354: 
NixOS vulnerability analysis and mitigation

CVE-2023-3354 is a vulnerability discovered in the QEMU built-in VNC server. The vulnerability was identified in QEMU versions prior to 8.1.0 and was disclosed in July 2023. The issue affects the VNC server component when handling client connections, specifically during the TLS handshake phase (NVD).

The vulnerability occurs when a client connects to the VNC server and QEMU checks if the current number of connections exceeds a threshold. If the threshold is exceeded, QEMU attempts to clean up the previous connection. However, if that connection is in the handshake phase and fails, QEMU attempts to clean up the connection again, resulting in a NULL pointer dereference (Red Hat Bugzilla). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Ubuntu).

This vulnerability could allow a remote unauthenticated client to cause a denial of service (DoS) in the QEMU VNC server. The impact is limited to availability, with no direct impact on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in QEMU version 8.1.0. Various Linux distributions have released security updates to address this issue, including Red Hat Enterprise Linux, Ubuntu, and Debian. System administrators are advised to update their QEMU installations to the patched versions (Red Hat Security Advisory).