Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.EULEROS_SA-2021-2844.NASL
HistoryDec 29, 2021 - 12:00 a.m.

EulerOS Virtualization 3.0.2.0 : qemu (EulerOS-SA-2021-2844)

2021-12-2900:00:00
This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
15
JSON

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  • A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.
    This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)

  • A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the ‘Information Transfer’ command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
    The highest threat from this vulnerability is to system availability. (CVE-2020-35505)

  • A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. (CVE-2021-20181)

  • An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)

  • A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)

  • A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(156382);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/05/06");

  script_cve_id(
    "CVE-2020-35504",
    "CVE-2020-35505",
    "CVE-2021-3527",
    "CVE-2021-3682",
    "CVE-2021-20181",
    "CVE-2021-20221"
  );

  script_name(english:"EulerOS Virtualization 3.0.2.0 : qemu (EulerOS-SA-2021-2844)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is
affected by the following vulnerabilities :

  - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.
    This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of
    service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)

  - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in
    versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw
    allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
    The highest threat from this vulnerability is to system availability. (CVE-2020-35505)

  - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This
    flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges
    on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as
    system availability. (CVE-2021-20181)

  - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of
    QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an
    interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said
    issue while updating controller state fields and their subsequent processing. A privileged guest user may
    use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)

  - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a
    single, large transfer request, to reduce the overhead and improve performance. The combined size of the
    bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper
    validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the
    array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a
    denial of service. (CVE-2021-3527)

  - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs
    when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A
    malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,
    resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the
    host. (CVE-2021-3682)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2844
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cdb939c2");
  script_set_attribute(attribute:"solution", value:
"Update the affected qemu packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-20181");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-3682");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/05/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/12/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/12/29");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-img");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

var flag = 0;

var pkgs = [
  "qemu-img-2.8.1-30.139",
  "qemu-kvm-2.8.1-30.139",
  "qemu-kvm-common-2.8.1-30.139",
  "qemu-kvm-tools-2.8.1-30.139"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
}
VendorProductVersionCPE
huaweieulerosqemu-imgp-cpe:/a:huawei:euleros:qemu-img
huaweieulerosqemu-kvmp-cpe:/a:huawei:euleros:qemu-kvm
huaweieulerosqemu-kvm-commonp-cpe:/a:huawei:euleros:qemu-kvm-common
huaweieulerosqemu-kvm-toolsp-cpe:/a:huawei:euleros:qemu-kvm-tools
huaweieulerosuvpcpe:/o:huawei:euleros:uvp:3.0.2.0

Related

openvas 45
nessus 59
ubuntucve 7
suse 5
alpinelinux 6
osv 16
veracode 6
cve 6
redhatcve 6
prion 6
cbl_mariner 7
debiancve 6
zdi 1
redhat 3
debian 4
ubuntu 4
oraclelinux 8
rocky 1
almalinux 1
gentoo 1
amazon 1
openvas
openvas
Huawei EulerOS: Security Advisory for qemu (EulerOS-SA-2021-2844)
2021-12-30 00:00:00
Huawei EulerOS: Security Advisory for qemu-kvm (EulerOS-SA-2023-1051)
2023-01-09 00:00:00
Huawei EulerOS: Security Advisory for qemu (EulerOS-SA-2022-1154)
2022-02-13 00:00:00
nessus
nessus
EulerOS Virtualization 3.0.2.6 : qemu-kvm (EulerOS-SA-2023-1051)
2023-01-06 00:00:00
EulerOS Virtualization 3.0.2.2 : qemu-kvm (EulerOS-SA-2023-1289)
2023-01-30 00:00:00
EulerOS Virtualization 2.9.0 : qemu (EulerOS-SA-2021-2211)
2021-07-13 00:00:00
ubuntucve
ubuntucve
CVE-2020-35505
2021-05-28 00:00:00
CVE-2020-35504
2021-05-28 00:00:00
CVE-2021-20221
2021-05-13 00:00:00
suse
suse
Security update for qemu (moderate)
2021-08-20 00:00:00
Security update for qemu (moderate)
2021-08-27 00:00:00
Security update for qemu (important)
2021-11-04 00:00:00
alpinelinux
alpinelinux
CVE-2020-35505
2021-05-28 11:15:00
CVE-2020-35504
2021-05-28 11:15:00
CVE-2021-20221
2021-05-13 16:15:00
osv
osv
CVE-2020-35505
2021-05-28 11:15:07
CVE-2020-35504
2021-05-28 11:15:07
CVE-2021-20221
2021-05-13 16:15:00
veracode
veracode
Denial Of Service (DoS)
2021-08-12 15:21:34
Denial Of Service (DoS)
2021-08-12 15:21:35
Arbitrary Code Execution
2021-02-15 01:20:37
cve
cve
CVE-2020-35505
2021-05-28 11:15:00
CVE-2020-35504
2021-05-28 11:15:00
CVE-2021-20221
2021-05-13 16:15:00
redhatcve
redhatcve
CVE-2020-35505
2020-12-28 14:33:46
CVE-2020-35504
2020-12-28 14:34:09
CVE-2021-20221
2021-02-03 20:04:14
prion
prion
Null pointer dereference
2021-05-28 11:15:00
Null pointer dereference
2021-05-28 11:15:00
Heap overflow
2021-05-13 16:15:00
cbl_mariner
cbl_mariner
CVE-2020-35504 affecting package qemu-kvm 4.2.0-48
2024-04-26 09:06:29
CVE-2020-35505 affecting package qemu-kvm 4.2.0-45
2022-11-24 00:45:45
CVE-2021-20221 affecting package qemu-kvm 4.2.0-48
2021-07-08 21:56:54
debiancve
debiancve
CVE-2020-35504
2021-05-28 11:15:00
CVE-2020-35505
2021-05-28 11:15:00
CVE-2021-20181
2021-05-13 16:15:00
zdi
zdi
QEMU Plan 9 File System Time-Of-Check Time-Of-Use Privilege Escalation Vulnerability
2021-02-10 00:00:00
redhat
redhat
(RHSA-2021:1125) Low: virt:8.3 and virt-devel:8.3 security and bug fix update
2021-04-07 07:37:40
(RHSA-2021:2521) Moderate: virt:8.2 and virt-devel:8.2 security update
2021-06-22 13:35:00
(RHSA-2021:3061) Moderate: virt:rhel and virt-devel:rhel security and bug fix update
2021-08-10 11:58:46
debian
debian
[SECURITY] [DLA 2753-1] qemu security update
2021-09-02 18:40:09
[SECURITY] [DLA 2560-1] qemu security update
2021-02-18 16:57:32
[SECURITY] [DLA 3099-1] qemu security update
2022-09-05 03:28:05
ubuntu
ubuntu
QEMU vulnerabilities
2021-07-15 00:00:00
QEMU vulnerabilities
2021-02-08 00:00:00
QEMU vulnerabilities
2022-12-12 00:00:00
oraclelinux
oraclelinux
qemu security update
2021-06-06 00:00:00
qemu security update
2021-03-15 00:00:00
virt:ol and virt-devel:rhel security and bug fix update
2021-08-12 00:00:00
rocky
rocky
virt:rhel and virt-devel:rhel security and bug fix update
2021-08-10 11:58:46
almalinux
almalinux
Moderate: virt:rhel and virt-devel:rhel security and bug fix update
2021-08-10 11:58:46
gentoo
gentoo
QEMU: Multiple Vulnerabilities
2022-08-14 00:00:00
amazon
amazon
Medium: qemu
2023-05-25 17:41:00
JSON
Related for EULEROS_SA-2021-2844.NASL
openvas45nessus59ubuntucve7suse5alpinelinux6osv16veracode6cve6redhatcve6prion6cbl_mariner7debiancve6zdi1redhat3debian4ubuntu4oraclelinux8rocky1almalinux1gentoo1amazon1