Several vulnerabilities were discovered in QEMU, a fast processor emulator (notably used in KVM and Xen HVM virtualization). An attacker could trigger a denial of service (DoS), information leak, and possibly execute arbitrary code with the privileges of the QEMU process on the host.
CVE-2020-15469
A MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.
CVE-2020-15859
QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data’s address set to the e1000e’s MMIO address.
CVE-2020-25084
QEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.
CVE-2020-28916
hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address.
CVE-2020-29130
slirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.
CVE-2020-29443
ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated.
CVE-2021-20181
9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability.
CVE-2021-20221
aarch64: GIC: out-of-bound heap buffer access via an interrupt ID field.
For Debian 9 stretch, these problems have been fixed in version 1:2.8+dfsg-6+deb9u13.
We recommend that you upgrade your qemu packages.
For the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-2560-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
  script_id(146609);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/22");

  script_cve_id(
    "CVE-2020-15469",
    "CVE-2020-15859",
    "CVE-2020-25084",
    "CVE-2020-28916",
    "CVE-2020-29130",
    "CVE-2020-29443",
    "CVE-2021-20181",
    "CVE-2021-20221"
  );

  script_name(english:"Debian DLA-2560-1 : qemu security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"Several vulnerabilities were discovered in QEMU, a fast processor
emulator (notably used in KVM and Xen HVM virtualization). An attacker
could trigger a denial of service (DoS), information leak, and
possibly execute arbitrary code with the privileges of the QEMU
process on the host.
CVE-2020-15469
A MemoryRegionOps object may lack read/write callback methods, leading
to a NULL pointer dereference.
CVE-2020-15859
QEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS
user can trigger an e1000e packet with the data's address set to the
e1000e's MMIO address.
CVE-2020-25084
QEMU has a use-after-free in hw/usb/hcd-xhci.c because the
usb_packet_map return value is not checked.
CVE-2020-28916
hw/net/e1000e_core.c has an infinite loop via an RX descriptor with a
NULL buffer address.
CVE-2020-29130
slirp.c has a buffer over-read because it tries to read a certain
amount of header data even if that exceeds the total packet length.
CVE-2020-29443
ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read
access because a buffer index is not validated.
CVE-2021-20181
9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege
escalation vulnerability.
CVE-2021-20221
aarch64: GIC: out-of-bound heap buffer access via an interrupt ID
field.
For Debian 9 stretch, these problems have been fixed in version
1:2.8+dfsg-6+deb9u13.
We recommend that you upgrade your qemu packages.
For the detailed security status of qemu please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/qemu
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.");
  script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2021/02/msg00024.html");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/stretch/qemu");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/qemu");
  script_set_attribute(attribute:"solution", value:
"Upgrade the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-20181");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/02/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/02/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-block-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-guest-agent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-arm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-mips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-misc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-ppc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-sparc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-x86");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user-binfmt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user-static");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}
include("audit.inc");
include("debian_package.inc");

# This is a local check: it needs the knowledge-base entries for the
# Debian release and the dpkg -l package list (see script_require_keys above).
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Compare each qemu binary package on Debian 9 against the fixed version
# from the advisory; flag counts the packages that are still behind it.
flag = 0;
if (deb_check(release:"9.0", prefix:"qemu", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-block-extra", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-guest-agent", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-kvm", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-system", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-system-arm", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-system-common", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-system-mips", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-system-misc", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-system-ppc", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-system-sparc", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-system-x86", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-user", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-user-binfmt", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-user-static", reference:"1:2.8+dfsg-6+deb9u13")) flag++;
if (deb_check(release:"9.0", prefix:"qemu-utils", reference:"1:2.8+dfsg-6+deb9u13")) flag++;

# Report if at least one package is outdated; otherwise audit as not affected.
if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
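The same package check can be reproduced without a scanner. The Python below is an added example, not Tenable's `deb_check` code: it reimplements dpkg's version ordering (epoch, upstream version, Debian revision) and applies it to `dpkg -l` text for the packages and fixed version named in this advisory. The function names and the sample package list are constructed for illustration.

```python
import re
from itertools import zip_longest

FIXED = "1:2.8+dfsg-6+deb9u13"  # fixed version given in the advisory
PACKAGES = set("""qemu qemu-block-extra qemu-guest-agent qemu-kvm qemu-system
qemu-system-arm qemu-system-common qemu-system-mips qemu-system-misc
qemu-system-ppc qemu-system-sparc qemu-system-x86 qemu-user qemu-user-binfmt
qemu-user-static qemu-utils""".split())

def _weight(c):
    # dpkg order per character: '~' < end of run (0) < letters < other symbols
    return -1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256

def _key(part):
    # Alternating (non-digit run, number) pairs; each run ends with weight 0.
    return [([_weight(c) for c in txt] + [0], int(num or 0))
            for txt, num in re.findall(r"(\D*)(\d*)", part)]

def _split(v):
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def deb_compare(a, b):
    # Returns -1, 0 or 1 following dpkg's ordering of versions a and b.
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    for part_a, part_b in ((ua, ub), (ra, rb)):
        for x, y in zip_longest(_key(part_a), _key(part_b), fillvalue=([0], 0)):
            if x != y:
                return (x > y) - (x < y)
    return 0

def outdated(dpkg_l):
    # (package, version) for installed ("ii") qemu packages older than FIXED
    rows = (line.split() for line in dpkg_l.splitlines())
    return [(f[1], f[2]) for f in rows
            if len(f) >= 3 and f[0] == "ii" and f[1].split(":")[0] in PACKAGES
            and deb_compare(f[2], FIXED) < 0]

# Constructed sample of `dpkg -l` output (not taken from a real host).
SAMPLE = """\
ii  qemu-system-x86  1:2.8+dfsg-6+deb9u9   amd64  QEMU full system emulation
ii  qemu-utils       1:2.8+dfsg-6+deb9u13  amd64  QEMU utilities
ii  qemu-kvm:amd64   1:2.8+dfsg-6+deb9u12  amd64  QEMU on x86 hardware
ii  openssl          1.1.0l-1~deb9u1       amd64  unrelated package
"""
```

A plain string comparison would rank `deb9u9` above `deb9u13` and miss the first sample row, which is why the numeric runs are compared as integers.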
Vendor | Product | Package | CPE |
---|---|---|---|
debian | debian_linux | qemu | p-cpe:/a:debian:debian_linux:qemu |
debian | debian_linux | qemu-block-extra | p-cpe:/a:debian:debian_linux:qemu-block-extra |
debian | debian_linux | qemu-guest-agent | p-cpe:/a:debian:debian_linux:qemu-guest-agent |
debian | debian_linux | qemu-kvm | p-cpe:/a:debian:debian_linux:qemu-kvm |
debian | debian_linux | qemu-system | p-cpe:/a:debian:debian_linux:qemu-system |
debian | debian_linux | qemu-system-arm | p-cpe:/a:debian:debian_linux:qemu-system-arm |
debian | debian_linux | qemu-system-common | p-cpe:/a:debian:debian_linux:qemu-system-common |
debian | debian_linux | qemu-system-mips | p-cpe:/a:debian:debian_linux:qemu-system-mips |
debian | debian_linux | qemu-system-misc | p-cpe:/a:debian:debian_linux:qemu-system-misc |
debian | debian_linux | qemu-system-ppc | p-cpe:/a:debian:debian_linux:qemu-system-ppc |