ArchLinuxASA-202005-6[ASA-202005-6] qemu: multiple issues
6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
74.0%
Arch Linux Security Advisory ASA-202005-6
Severity: High
Date : 2020-05-07
CVE-ID : CVE-2019-20382 CVE-2020-1711 CVE-2020-7039
Package : qemu
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1110
Summary
The package qemu before version 5.0.0-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.
Resolution
Upgrade to 5.0.0-1.
pacman -Syu “qemu>=5.0.0-1”
The problems have been fixed upstream in version 5.0.0.
Workaround
None.
Description
- CVE-2019-20382 (denial of service)
A memory leak has been found in in the way VNC display driver of QEMU
<= 4.2.0 handled connection disconnect, when ZRLE, Tight encoding is
enabled. It creates two vncState objects, one of which allocates memory
for Zlib’s data object. This allocated memory is not free’d upon
disconnection resulting in the said memory leakage issue.
A user able to connect to the VNC server could use this flaw to leak
host memory leading to a potential DoS scenario.
- CVE-2020-1711 (arbitrary code execution)
An out-of-bounds heap buffer access flaw was found in the way the iSCSI
Block driver in QEMU handled a response coming from an iSCSI server
while checking the status of a Logical Address Block (LBA) in an
iscsi_co_block_status() routine. A remote user could use this flaw to
crash the QEMU process, resulting in a denial of service or potential
execution of arbitrary code with privileges of the QEMU process on the
host.
- CVE-2020-7039 (arbitrary code execution)
A heap buffer overflow issue was found in the SLiRP networking
implementation of the QEMU emulator. This flaw occurs in the tcp_emu()
routine while emulating IRC and other protocols. An attacker could use
this flaw to crash the QEMU process on the host, resulting in a denial
of service or potential execution of arbitrary code with privileges of
the QEMU process.
Impact
A remote attacker can crash the QEMU process, and potentially execute
arbitrary code on the host.
References
https://www.openwall.com/lists/oss-security/2020/03/05/1
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0
https://www.openwall.com/lists/oss-security/2020/01/23/3
https://www.openwall.com/lists/oss-security/2020/01/16/2
https://security.archlinux.org/CVE-2019-20382
https://security.archlinux.org/CVE-2020-1711
https://security.archlinux.org/CVE-2020-7039
References
git.qemu.org/?p=qemu.git;a=commitdiff;h=6bf21f3d83e95bcc4ba35a7a07cc6655e8b010b0
security.archlinux.org/AVG-1110
security.archlinux.org/CVE-2019-20382
security.archlinux.org/CVE-2020-1711
security.archlinux.org/CVE-2020-7039
www.openwall.com/lists/oss-security/2020/01/16/2
www.openwall.com/lists/oss-security/2020/01/23/3
www.openwall.com/lists/oss-security/2020/03/05/1
Related
6 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.004 Low
EPSS
Percentile
74.0%