The remote NewStart CGSL host, running version MAIN 6.06, has qemu packages installed that are affected by multiple vulnerabilities:

- In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well. (CVE-2019-12068)
- libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)
- An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. (CVE-2020-14364)
- An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host. (CVE-2020-1711)
- A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)
- An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. (CVE-2021-3713)
- A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU. (CVE-2023-1544)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
```nasl
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2023-0132. The text
# itself is copyright (C) ZTE, Inc.
##

include('compat.inc');

if (description)
{
  script_id(185386);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/08");

  script_cve_id(
    "CVE-2019-12068",
    "CVE-2019-15890",
    "CVE-2020-1711",
    "CVE-2020-14364",
    "CVE-2021-3682",
    "CVE-2021-3713",
    "CVE-2023-1544"
  );
  script_xref(name:"IAVB", value:"2020-B-0063-S");
  script_xref(name:"IAVB", value:"2023-B-0058-S");

  script_name(english:"NewStart CGSL MAIN 6.06 : qemu Multiple Vulnerabilities (NS-SA-2023-0132)");

  script_set_attribute(attribute:"synopsis", value:
"The remote NewStart CGSL host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 6.06, has qemu packages installed that are affected by multiple
vulnerabilities:

  - In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2,
    and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter
    emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode
    is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
    (CVE-2019-12068)

  - libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

  - An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before
    5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its
    'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the
    QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the
    privileges of the QEMU process on the host. (CVE-2020-14364)

  - An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions
    2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical
    Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the
    QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of
    the QEMU process on the host. (CVE-2020-1711)

  - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs
    when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A
    malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,
    resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the
    host. (CVE-2021-3682)

  - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions
    prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-
    bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this
    flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the
    host. (CVE-2021-3713)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a
    crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of
    descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
    (CVE-2023-1544)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/notice/NS-SA-2023-0132");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2019-12068");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2019-15890");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-14364");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-1711");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-3682");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-3713");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2023-1544");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL qemu packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3682");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/11/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-dmg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-gluster");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-iscsi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-rbd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-ssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-img");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:zte:cgsl_main:6");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var os_release = get_kb_item('Host/ZTE-CGSL/release');
if (isnull(os_release) || os_release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');

if (os_release !~ "CGSL MAIN 6.06")
  audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.06');

if (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);

var flag = 0;

var pkgs = {
  'CGSL MAIN 6.06': [
    'qemu-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-curl-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-dmg-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-gluster-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-iscsi-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-rbd-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-ssh-4.1.0-2.zncgsl6.tm11.0',
    'qemu-common-4.1.0-2.zncgsl6.tm11.0',
    'qemu-img-4.1.0-2.zncgsl6.tm11.0',
    'qemu-kvm-4.1.0-2.zncgsl6.tm11.0',
    'qemu-tools-4.1.0-2.zncgsl6.tm11.0'
  ]
};
var pkg_list = pkgs[os_release];

foreach (pkg in pkg_list)
  if (rpm_check(release:'ZTE ' + os_release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu');
}
```
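The package test at the end of the script comes down to an rpm version comparison: each installed qemu NVR is checked against the fixed reference of the same name, and the host is flagged only when the installed build sorts older. The Python below is an added illustration, not Tenable's rpm.inc code: it models that decision with rpm's rpmvercmp ordering (including the '~' pre-release rule that a plain string compare gets wrong) and runs it over a constructed rpm list; the arch suffixes it strips and the sample entries are assumptions.

```python
import re
# rpm compares runs of digits, runs of letters and the '~' pre-release marker; this
# example models those but not the '^' marker or epochs (neither appears in the plugin).
_SEG = re.compile(r'\d+|[a-zA-Z]+|~')

def rpmvercmp(a: str, b: str) -> int:
    """-1 if a is older than b, 0 if equal, 1 if newer (rpm's rpmvercmp rules)."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == '~' or y == '~':                 # '~' sorts before anything else
            return -1 if x == '~' else 1
        if x.isdigit() != y.isdigit():           # a numeric segment beats an alpha one
            return 1 if x.isdigit() else -1
        x, y = (int(x), int(y)) if x.isdigit() else (x, y)
        return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    a_longer = len(sa) > len(sb)
    extra = (sa if a_longer else sb)[min(len(sa), len(sb))]
    if extra == '~':                             # a leftover '~' makes the longer one older
        return -1 if a_longer else 1
    return 1 if a_longer else -1                 # any other leftover makes it newer

def find_vulnerable(rpm_list, fixed):
    """Installed NVRs older than the same-named fixed reference (what the plugin's rpm_check() decides)."""
    by_name = {f.rsplit('-', 2)[0]: f for f in fixed}     # 'name-version-release' -> name
    hits = []
    for line in rpm_list:
        nvr = re.sub(r'\.(x86_64|i686|noarch)$', '', line.strip())   # drop the arch suffix
        if nvr.count('-') < 2:                   # not an NVR at all, skip it
            continue
        name, ver, rel = nvr.rsplit('-', 2)
        if name in by_name:
            _, fver, frel = by_name[name].rsplit('-', 2)
            if (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0:
                hits.append(nvr)
    return hits

# Fixed references are the plugin's; the rpm list is constructed sample data, not a real host.
FIXED = ['qemu-4.1.0-2.zncgsl6.tm11.0', 'qemu-block-iscsi-4.1.0-2.zncgsl6.tm11.0',
         'qemu-img-4.1.0-2.zncgsl6.tm11.0', 'qemu-kvm-4.1.0-2.zncgsl6.tm11.0']
SAMPLE_RPM_LIST = [
    'qemu-kvm-4.1.0-1.zncgsl6.tm10.0.x86_64',          # older release: flagged
    'qemu-img-4.1.0-2.zncgsl6.tm11.0.x86_64',          # exactly the fixed build
    'qemu-4.1.0-2.zncgsl6.tm11.0~rc1.x86_64',          # pre-release of the fix: flagged
    'qemu-block-iscsi-4.2.0-1.zncgsl6.tm11.0.x86_64',  # newer version outranks lower release
    'openssh-8.0p1-4.el8.x86_64',                      # unrelated package, ignored
]
```

Calling `find_vulnerable(SAMPLE_RPM_LIST, FIXED)` returns the two flagged entries; a naive lexical comparison would miss the `~rc1` case and, for the Tenable plugin itself, the real check additionally honours epochs via rpm.inc.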
Vendor | Product | Version | CPE |
---|---|---|---|
zte | cgsl_main | qemu-kvm | p-cpe:/a:zte:cgsl_main:qemu-kvm |
zte | cgsl_main | qemu-img | p-cpe:/a:zte:cgsl_main:qemu-img |
zte | cgsl_main | 6 | cpe:/o:zte:cgsl_main:6 |
zte | cgsl_main | qemu | p-cpe:/a:zte:cgsl_main:qemu |
zte | cgsl_main | qemu-block-curl | p-cpe:/a:zte:cgsl_main:qemu-block-curl |
zte | cgsl_main | qemu-block-dmg | p-cpe:/a:zte:cgsl_main:qemu-block-dmg |
zte | cgsl_main | qemu-block-gluster | p-cpe:/a:zte:cgsl_main:qemu-block-gluster |
zte | cgsl_main | qemu-block-iscsi | p-cpe:/a:zte:cgsl_main:qemu-block-iscsi |
zte | cgsl_main | qemu-block-rbd | p-cpe:/a:zte:cgsl_main:qemu-block-rbd |
zte | cgsl_main | qemu-block-ssh | p-cpe:/a:zte:cgsl_main:qemu-block-ssh |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12068
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15890
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14364
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1711
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3682
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3713
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1544
security.gd-linux.com/info/CVE-2019-12068
security.gd-linux.com/info/CVE-2019-15890
security.gd-linux.com/info/CVE-2020-14364
security.gd-linux.com/info/CVE-2020-1711
security.gd-linux.com/info/CVE-2021-3682
security.gd-linux.com/info/CVE-2021-3713
security.gd-linux.com/info/CVE-2023-1544
security.gd-linux.com/notice/NS-SA-2023-0132