Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.NEWSTART_CGSL_NS-SA-2023-0132_QEMU.NASL
HistoryNov 08, 2023 - 12:00 a.m.

NewStart CGSL MAIN 6.06 : qemu Multiple Vulnerabilities (NS-SA-2023-0132)

2023-11-0800:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
3
qemu
vulnerabilities
remote host
libslirp
usb emulator
iscsi block driver
usb redirector
uas device emulation
vmware's paravirtual rdma device

7.7 High

AI Score

Confidence

High

JSON

The remote NewStart CGSL host, running version MAIN 6.06, has qemu packages installed that are affected by multiple vulnerabilities:

  • In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances ‘s->dsp’ index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
    (CVE-2019-12068)

  • libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

  • An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice ‘setup_len’ exceeds its ‘data_buf[4096]’ in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. (CVE-2020-14364)

  • An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host. (CVE-2020-1711)

  • A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)

  • An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of- bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. (CVE-2021-3713)

  • A flaw was found in the QEMU implementation of VMWare’s paravirtual RDMA device. This flaw allows a crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
    (CVE-2023-1544)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from ZTE advisory NS-SA-2023-0132. The text
# itself is copyright (C) ZTE, Inc.
##

include('compat.inc');

if (description)
{
  script_id(185386);
  script_version("1.0");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/08");

  script_cve_id(
    "CVE-2019-12068",
    "CVE-2019-15890",
    "CVE-2020-1711",
    "CVE-2020-14364",
    "CVE-2021-3682",
    "CVE-2021-3713",
    "CVE-2023-1544"
  );
  script_xref(name:"IAVB", value:"2020-B-0063-S");
  script_xref(name:"IAVB", value:"2023-B-0058-S");

  script_name(english:"NewStart CGSL MAIN 6.06 : qemu Multiple Vulnerabilities (NS-SA-2023-0132)");

  script_set_attribute(attribute:"synopsis", value:
"The remote NewStart CGSL host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote NewStart CGSL host, running version MAIN 6.06, has qemu packages installed that are affected by multiple
vulnerabilities:

  - In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2,
    and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter
    emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode
    is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
    (CVE-2019-12068)

  - libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

  - An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before
    5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its
    'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the
    QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the
    privileges of the QEMU process on the host. (CVE-2020-14364)

  - An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions
    2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical
    Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the
    QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of
    the QEMU process on the host. (CVE-2020-1711)

  - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs
    when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A
    malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,
    resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the
    host. (CVE-2021-3682)

  - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions
    prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-
    bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this
    flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the
    host. (CVE-2021-3713)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a
    crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of
    descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
    (CVE-2023-1544)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/notice/NS-SA-2023-0132");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2019-12068");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2019-15890");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-14364");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2020-1711");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-3682");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2021-3713");
  script_set_attribute(attribute:"see_also", value:"https://security.gd-linux.com/info/CVE-2023-1544");
  script_set_attribute(attribute:"solution", value:
"Upgrade the vulnerable CGSL qemu packages. Note that updated packages may not be available yet. Please contact ZTE for
more information.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3682");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/11/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-curl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-dmg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-gluster");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-iscsi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-rbd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-block-ssh");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-img");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:zte:cgsl_main:qemu-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:zte:cgsl_main:6");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"NewStart CGSL Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu");

  exit(0);
}

include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var os_release = get_kb_item('Host/ZTE-CGSL/release');
if (isnull(os_release) || os_release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');

if (os_release !~ "CGSL MAIN 6.06")
  audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.06');

if (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);

var flag = 0;

var pkgs = {
  'CGSL MAIN 6.06': [
    'qemu-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-curl-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-dmg-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-gluster-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-iscsi-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-rbd-4.1.0-2.zncgsl6.tm11.0',
    'qemu-block-ssh-4.1.0-2.zncgsl6.tm11.0',
    'qemu-common-4.1.0-2.zncgsl6.tm11.0',
    'qemu-img-4.1.0-2.zncgsl6.tm11.0',
    'qemu-kvm-4.1.0-2.zncgsl6.tm11.0',
    'qemu-tools-4.1.0-2.zncgsl6.tm11.0'
  ]
};
var pkg_list = pkgs[os_release];

foreach (pkg in pkg_list)
  if (rpm_check(release:'ZTE ' + os_release, reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu');
}
VendorProductVersionCPE
ztecgsl_mainqemu-kvmp-cpe:/a:zte:cgsl_main:qemu-kvm
ztecgsl_mainqemu-imgp-cpe:/a:zte:cgsl_main:qemu-img
ztecgsl_main6cpe:/o:zte:cgsl_main:6
ztecgsl_mainqemup-cpe:/a:zte:cgsl_main:qemu
ztecgsl_mainqemu-block-curlp-cpe:/a:zte:cgsl_main:qemu-block-curl
ztecgsl_mainqemu-block-dmgp-cpe:/a:zte:cgsl_main:qemu-block-dmg
ztecgsl_mainqemu-block-glusterp-cpe:/a:zte:cgsl_main:qemu-block-gluster
ztecgsl_mainqemu-block-iscsip-cpe:/a:zte:cgsl_main:qemu-block-iscsi
ztecgsl_mainqemu-block-rbdp-cpe:/a:zte:cgsl_main:qemu-block-rbd
ztecgsl_mainqemu-block-sshp-cpe:/a:zte:cgsl_main:qemu-block-ssh
Rows per page:
1-10 of 121

Related

nessus 61
oraclelinux 4
debian 4
openvas 20
osv 14
ubuntu 3
redhatcve 7
cve 7
ubuntucve 7
debiancve 7
prion 7
veracode 6
f5 2
amazon 3
redhat 23
alpinelinux 4
gentoo 1
centos 1
cbl_mariner 7
fedora 2
huawei 1
xen 1
suse 3
ibm 1
redos 1
rocky 1
almalinux 1
nessus
nessus
NewStart CGSL MAIN 6.02 : qemu Multiple Vulnerabilities (NS-SA-2022-0087)
2022-11-15 00:00:00
NewStart CGSL MAIN 6.02 : qemu Multiple Vulnerabilities (NS-SA-2022-0067)
2022-05-10 00:00:00
Oracle Linux 7 : qemu (ELSA-2020-5576)
2023-09-07 00:00:00
oraclelinux
oraclelinux
qemu security update
2020-03-17 00:00:00
qemu-kvm security update
2020-09-30 00:00:00
qemu-kvm security update
2023-05-16 00:00:00
debian
debian
[SECURITY] [DSA 4616-1] qemu security update
2020-02-02 20:47:01
[SECURITY] [DLA 2373-1] qemu security update
2020-09-13 18:47:47
[SECURITY] [DLA 2753-1] qemu security update
2021-09-02 18:40:09
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2020:1538-1)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2020:1526-1)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2020:1514-1)
2021-04-19 00:00:00
osv
osv
qemu - security update
2020-09-13 00:00:00
qemu - security update
2021-09-01 00:00:00
CVE-2019-15890
2019-09-06 17:15:11
ubuntu
ubuntu
QEMU vulnerabilities
2019-11-14 00:00:00
QEMU vulnerabilities
2019-11-14 00:00:00
QEMU vulnerability
2020-09-17 00:00:00
redhatcve
redhatcve
CVE-2019-12068
2019-11-18 21:07:27
CVE-2019-15890
2020-04-02 08:47:48
CVE-2020-14364
2020-08-24 13:04:32
cve
cve
CVE-2019-12068
2019-09-24 20:15:00
CVE-2019-15890
2019-09-06 17:15:00
CVE-2020-14364
2020-08-31 18:15:00
ubuntucve
ubuntucve
CVE-2019-12068
2019-09-24 00:00:00
CVE-2019-15890
2019-09-06 00:00:00
CVE-2021-3713
2021-08-25 00:00:00
debiancve
debiancve
CVE-2019-12068
2019-09-24 20:15:00
CVE-2019-15890
2019-09-06 17:15:00
CVE-2021-3713
2021-08-25 19:15:00
prion
prion
Code injection
2019-09-24 20:15:00
Design/Logic Flaw
2019-09-06 17:15:00
Cross site scripting
2020-08-31 18:15:00
veracode
veracode
Denial Of Service (DoS)
2020-09-21 06:21:48
Use-after-free
2020-09-21 06:39:39
Denial Of Service
2021-08-31 21:44:02
f5
f5
K75952001 : QEMU vulnerability CVE-2019-15890
2021-01-05 00:00:00
K09081535 : QEMU vulnerability CVE-2020-14364
2020-12-15 00:00:00
amazon
amazon
Medium: qemu-kvm
2021-01-12 22:51:00
Medium: qemu-kvm
2020-12-16 20:31:00
Medium: qemu
2020-12-08 21:30:00
redhat
redhat
(RHSA-2020:4111) Important: qemu-kvm-rhev security update
2020-09-30 09:05:00
(RHSA-2020:4058) Important: virt:rhel security update
2020-09-29 08:09:17
(RHSA-2020:4291) Important: virt:8.2 and virt-devel:8.2 security and bug fix update
2020-10-20 09:06:26
alpinelinux
alpinelinux
CVE-2020-14364
2020-08-31 18:15:00
CVE-2021-3713
2021-08-25 19:15:00
CVE-2021-3682
2021-08-05 20:15:00
gentoo
gentoo
Xen: Buffer overflow
2020-09-29 00:00:00
centos
centos
qemu security update
2020-11-09 13:15:26
cbl_mariner
cbl_mariner
CVE-2021-3713 affecting package qemu 6.1.0-14
2022-06-03 17:54:21
CVE-2020-14364 affecting package qemu-kvm 4.2.0-48
2020-11-30 19:31:04
CVE-2021-3682 affecting package qemu-kvm 4.2.0-48
2021-08-17 15:27:57
fedora
fedora
[SECURITY] Fedora 32 Update: xen-4.13.1-5.fc32
2020-09-15 16:17:33
[SECURITY] Fedora 31 Update: xen-4.12.3-4.fc31
2020-09-10 17:34:33
huawei
huawei
Security Advisory - QEMU Out-of-bound Read and Write Vulnerability in Huawei Product
2020-09-30 00:00:00
xen
xen
QEMU: usb: out-of-bounds r/w access issue
2020-08-24 12:00:00
suse
suse
Security update for qemu (important)
2019-11-14 00:00:00
Security update for qemu (important)
2021-11-03 00:00:00
Security update for qemu (important)
2021-11-08 00:00:00
ibm
ibm
Security Bulletin: Publicly disclosed vulnerability from Qemu affects IBM Netezza Host Management
2020-10-12 11:53:04
redos
redos
ROS-20240328-07
2024-03-28 00:00:00
rocky
rocky
container-tools:rhel8 security, bug fix, and enhancement update
2020-02-04 11:39:46
almalinux
almalinux
Important: virt:rhel security update
2020-09-29 08:09:34

7.7 High

AI Score

Confidence

High

JSON
Related for NEWSTART_CGSL_NS-SA-2023-0132_QEMU.NASL
nessus61oraclelinux4debian4openvas20osv14ubuntu3redhatcve7cve7ubuntucve7debiancve7prion7veracode6f52amazon3redhat23alpinelinux4gentoo1centos1cbl_mariner7fedora2huawei1xen1suse3ibm1redos1rocky1almalinux1