CVE-2017-10664

Vulnerability

The qemu-nbd server in QEMU (Quick Emulator) fails to ignore SIGPIPE signals. When a client disconnects during a server-to-client reply attempt, the SIGPIPE signal is triggered and, because it is not handled, causes the qemu-nbd daemon to crash. This affects QEMU versions shipped in Red Hat Enterprise Linux 7 (qemu-kvm up to version 1.5.3-141.el7_4.1) and the qemu-kvm-rhev package used in Red Hat Virtualization and OpenStack environments [1][2][3][4].

Exploitation

An attacker needs only network access to the qemu-nbd server (default port 10809). The attacker establishes a connection and then abruptly disconnects—for example by closing the TCP socket—during any phase where the server attempts to send data (negotiation or read reply). No authentication is required, and no special privileges are needed. The action is remote and can be performed by any unprivileged network client [1][2].

Impact

A successful exploit causes the qemu-nbd daemon to crash, resulting in a denial of service (DoS). All active NBD connections and any dependent virtual machine operations relying on the NBD export are terminated. The crash does not lead to data loss, privilege escalation, or code execution beyond the denial of service [2][3][4].

Mitigation

Red Hat released fixed packages for RHEL 7 (qemu-kvm-1.5.3-141.el7_4.1) on 2017-08-02 [1], for RHEV (qemu-kvm-rhev) on 2017-08-01 [2], and for Red Hat OpenStack Platform on 2017-12-14 [3][4]. Users should update to the patched versions. The fix ensures that SIGPIPE is ignored (by setting the signal handler to SIG_IGN), preventing the crash. After updating, all virtual machines must be shut down and restarted for the fix to take effect [2]. No workaround other than applying the update is documented.