CVE-2021-3682

8.5 HIGH

📋 TL;DR

This vulnerability in QEMU's USB redirector device emulation allows a malicious SPICE client to trigger a heap corruption when packet queues fill during bulk transfers. Successful exploitation could lead to denial of service or arbitrary code execution with QEMU process privileges on the host. Systems running QEMU versions prior to 6.1.0-rc2 with SPICE USB redirection enabled are affected.

💻 Affected Systems

Products:
  • QEMU
  • Virtualization platforms using QEMU (KVM, libvirt, Proxmox, etc.)
Versions: All versions prior to 6.1.0-rc2
Operating Systems: Linux distributions shipping vulnerable QEMU packages; any OS running a vulnerable QEMU build
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when SPICE USB redirection is enabled and used. Standard QEMU installations without SPICE or without USB redirection are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full host compromise via arbitrary code execution with QEMU process privileges, potentially leading to host escape if QEMU runs with elevated privileges.

🟠 Likely Case: QEMU process crash causing denial of service to virtual machines using SPICE USB redirection.

🟢 If Mitigated: No impact if SPICE USB redirection is disabled or proper network segmentation isolates SPICE clients.

🌐 Internet-Facing: MEDIUM - SPICE protocol typically used internally, but could be exposed via remote access solutions.
🏢 Internal Only: HIGH - SPICE is commonly used for virtual machine management interfaces in internal virtualization environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a malicious SPICE client with USB redirection capability. The vulnerability is in the server-side QEMU component when processing client requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.1.0-rc2 and later

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1989651

Restart Required: Yes

Instructions:

1. Update QEMU to version 6.1.0-rc2 or later.
2. For distributions: use the package manager (apt/yum/dnf) to update the qemu packages.
3. Restart all affected virtual machines and QEMU processes.

🔧 Temporary Workarounds

Disable SPICE USB redirection (all)
Prevent exploitation by disabling USB redirection in the SPICE configuration.
Edit the VM configuration to remove or comment out the USB redirection options in the SPICE settings.

Network segmentation (all)
Isolate SPICE traffic to trusted networks only.
Configure firewall rules to restrict access to the SPICE port range (default 5900-5920) to authorized clients only.

🧯 If You Can't Patch

  • Disable SPICE USB redirection on all virtual machines
  • Implement strict network controls to limit SPICE client access to trusted systems only

🔍 How to Verify

Check if Vulnerable:

Check the QEMU version and confirm whether SPICE USB redirection is configured: run 'qemu-system-x86_64 --version' and examine the VM configuration files for spice usbredir options.

Check Version:

qemu-system-x86_64 --version | head -1

Verify Fix Applied:

Confirm QEMU version is 6.1.0-rc2 or later: 'qemu-system-x86_64 --version | grep -E "6\.1\.0([^-]|$)|6\.1\.0-rc([2-9]|[1-9][0-9])|6\.1\.[1-9]|6\.([2-9]|[1-9][0-9]+)\.|([7-9]|[1-9][0-9]+)\.[0-9]+\.[0-9]+"' (a match means the upstream version carries the fix; 6.0.x and 6.1.0-rc0/rc1 do not match). Distribution packages may backport the fix without changing the upstream version, so also check the package changelog before treating a non-match as vulnerable.
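As an added example (not part of this advisory and not QEMU's own tooling), the following POSIX shell script performs the two checks above with a real version comparison instead of a substring match: it parses the version string, compares it against 6.1.0-rc2, and looks for the usbredir precondition in a QEMU command line or libvirt domain XML. The sample version strings and command line are constructed; the QEMU ('-device usb-redir', '-chardev spicevmc,...,name=usbredir') and libvirt ('<redirdev>') identifiers are real, and a backported fix that keeps the old upstream version number is still reported as unfixed.

```shell
#!/bin/sh
# Added example, not code from this advisory or the QEMU project: compares a
# QEMU version string against the 6.1.0-rc2 fix for CVE-2021-3682 and looks for
# the SPICE USB redirection precondition. Assumption: distributions may backport
# the fix without bumping the version, so "unfixed" means "check the changelog".

# qemu_version_fixed "<output of qemu-system-x86_64 --version>"
# Returns 0 when the version is 6.1.0-rc2 or later, 1 when older or unparsable.
qemu_version_fixed() {
    # First whitespace-separated token shaped like N.N.N or N.N.N-rcN.
    ver=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+(-rc[0-9]+)?$/) { print $i; exit } }')
    [ -n "$ver" ] || return 1
    base=${ver%%-rc*}
    major=${base%%.*}; rest=${base#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    case "$ver" in
        *-rc*) rc=${ver##*-rc} ;;
        *)     rc=999 ;;   # a final release sorts after every release candidate
    esac
    [ "$major" -gt 6 ] && return 0
    [ "$major" -eq 6 ] || return 1
    [ "$minor" -gt 1 ] && return 0
    [ "$minor" -eq 1 ] || return 1
    [ "$patch" -gt 0 ] && return 0
    [ "$rc" -ge 2 ]    # 6.1.0-rc0/rc1 are vulnerable; rc2 onwards and 6.1.0 are fixed
}

# qemu_uses_usbredir "<QEMU command line or libvirt domain XML>": returns 0 when
# -device usb-redir, -chardev spicevmc,...,name=usbredir or libvirt <redirdev> is present.
qemu_uses_usbredir() {
    printf '%s\n' "$1" | grep -qiE 'usb-redir|usbredir|<redirdev'
}

# cve_2021_3682_exposed "<version string>" "<command line or XML>"
# Returns 0 only when the version is unfixed AND USB redirection is configured.
cve_2021_3682_exposed() {
    qemu_version_fixed "$1" && return 1
    qemu_uses_usbredir "$2"
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_VULN='QEMU emulator version 6.0.0 (Debian 1:6.0+dfsg-2)'
SAMPLE_FIXED='QEMU emulator version 6.1.0 (qemu-6.1.0-8.fc35)'
SAMPLE_CMDLINE='qemu-system-x86_64 -spice port=5900,addr=127.0.0.1 -chardev spicevmc,id=usbredirchardev1,name=usbredir -device usb-redir,chardev=usbredirchardev1'

if cve_2021_3682_exposed "$SAMPLE_VULN" "$SAMPLE_CMDLINE"; then
    echo "exposed: unfixed QEMU with SPICE USB redirection configured"
fi
```

On a live host, feed the real 'qemu-system-x86_64 --version' output and the running QEMU command line (or 'virsh dumpxml <domain>') to cve_2021_3682_exposed instead of the constructed samples.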

📡 Detection & Monitoring

Log Indicators:

  • QEMU segmentation fault/crash logs
  • SPICE connection errors with USB redirection
  • Kernel logs showing QEMU process termination

Network Indicators:

  • Unusual SPICE traffic patterns from untrusted sources
  • Multiple failed USB redirection attempts

SIEM Query:

process_name:"qemu-system" AND (event_type:crash OR exit_code:139 OR signal:SIGSEGV)
