The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4556 advisory.
A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the usb_mtp_write_data function in hw/usb/dev-mtp.c due to improper filename sanitization. When the guest device is mounted in read-write mode, this allows reading/writing arbitrary files, which may lead to a DoS scenario or possibly to code execution on the host. (CVE-2018-16867)
hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference). (CVE-2018-20191)
A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS. (CVE-2018-16872)
hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value. (CVE-2018-20124)
QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled). (CVE-2018-20216)
hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. (CVE-2018-20125)
hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled. (CVE-2018-20126)
pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a memory leak after an initialisation error. (CVE-2018-20123)
In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. (CVE-2019-6778)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2019-4556.
##
include('compat.inc');
if (description)
{
script_id(180708);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/07");
script_cve_id(
"CVE-2018-16867",
"CVE-2018-16872",
"CVE-2018-20123",
"CVE-2018-20124",
"CVE-2018-20125",
"CVE-2018-20126",
"CVE-2018-20191",
"CVE-2018-20216",
"CVE-2019-6778"
);
script_name(english:"Oracle Linux 7 : qemu (ELSA-2019-4556)");
script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2019-4556 advisory.
- A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the
usb_mtp_write_data function in hw/usb/dev-mtp.c due to improper filename sanitization. When the guest
device is mounted in read-write mode, this allows reading/writing arbitrary files, which may lead to a DoS
scenario or possibly to code execution on the host. (CVE-2018-16867)
- hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to
uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).
(CVE-2018-20191)
- A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and
usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying
filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical
TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this
property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU
process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.
(CVE-2018-16872)
- hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe
ring element with a large num_sge value. (CVE-2018-20124)
- QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and
-1 is mishandled). (CVE-2018-20216)
- hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference
or excessive memory allocation) in create_cq_ring or create_qp_rings. (CVE-2018-20125)
- hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are
mishandled. (CVE-2018-20126)
- pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a memory leak after an initialisation error.
(CVE-2018-20123)
- In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. (CVE-2019-6778)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2019-4556.html");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6778");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/12");
script_set_attribute(attribute:"patch_publication_date", value:"2019/02/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/07");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-gluster");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-iscsi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-rbd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-img");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-core");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-x86");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-x86-core");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Oracle Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
if ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);
var pkgs = [
{'reference':'qemu-2.9.0-20.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-block-gluster-2.9.0-20.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-block-iscsi-2.9.0-20.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-block-rbd-2.9.0-20.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-common-2.9.0-20.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-img-2.9.0-20.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-kvm-2.9.0-20.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-kvm-core-2.9.0-20.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-system-x86-2.9.0-20.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-system-x86-core-2.9.0-20.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release) {
if (exists_check) {
if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
} else {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-gluster / qemu-block-iscsi / etc');
}
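The plugin above decides "affected" purely by comparing each installed package's EVR (epoch:version-release) against the advisory's fixed build, 12:2.9.0-20.el7, with rpm spec-style version semantics. As an added example (not Tenable's code and not part of the plugin), here is a Python sketch of that comparison: a simplified rpmvercmp (digit and alpha segments only; tilde/caret ordering omitted), the EVR comparison with the epoch taking precedence, and a check over a constructed `rpm -qa` listing. The package names and fixed EVR come from the plugin; `SAMPLE_RPM_QA` and the `rpm -qa` query format it assumes are constructed for this example.

```python
import re
# Fixed EVR from the plugin's package list: epoch 12, version 2.9.0, release 20.el7.
FIXED_EVR = ("12", "2.9.0", "20.el7")
AFFECTED_PKGS = {"qemu", "qemu-common", "qemu-img", "qemu-kvm", "qemu-kvm-core",
                 "qemu-block-gluster", "qemu-block-iscsi", "qemu-block-rbd",
                 "qemu-system-x86", "qemu-system-x86-core"}
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: digit/alpha segments, numeric beats alpha, more
    segments is newer. Tilde/caret ordering is deliberately omitted."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evr_cmp(evr1, evr2) -> int:
    """Epoch decides first, then version, then release, as rpm does."""
    for x, y in zip(evr1, evr2):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0

def parse_rpm_line(line: str):
    """Parse NAME-EPOCHNUM:VERSION-RELEASE.ARCH (assumed rpm -qa --qf output)."""
    m = re.match(r"^(.+)-(\d+):([^-]+)-(.+)\.([^.]+)$", line.strip())
    if not m:
        raise ValueError(f"unparseable rpm line: {line!r}")
    name, epoch, ver, rel, arch = m.groups()
    return name, (epoch, ver, rel), arch

def vulnerable(line: str) -> bool:
    """True when an affected x86_64 package is below the fixed EVR."""
    name, evr, arch = parse_rpm_line(line)
    return name in AFFECTED_PKGS and arch == "x86_64" and evr_cmp(evr, FIXED_EVR) < 0

# Constructed sample listing (not real host output): an older epoch, an older
# release, the fixed build itself, and a newer version.
SAMPLE_RPM_QA = """qemu-kvm-10:1.5.3-160.el7.x86_64
qemu-img-12:2.9.0-19.el7.x86_64
qemu-common-12:2.9.0-20.el7.x86_64
qemu-kvm-core-12:2.10.0-1.el7.x86_64"""
```

Only the first two sample lines are reported: the lower epoch loses regardless of version, and release 19 sorts below 20; the equal and the newer build pass.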
| Vendor | Product | Version | CPE |
|---|---|---|---|
| oracle | linux | 7 | cpe:/o:oracle:linux:7 |
| oracle | linux | qemu | p-cpe:/a:oracle:linux:qemu |
| oracle | linux | qemu-block-gluster | p-cpe:/a:oracle:linux:qemu-block-gluster |
| oracle | linux | qemu-block-iscsi | p-cpe:/a:oracle:linux:qemu-block-iscsi |
| oracle | linux | qemu-block-rbd | p-cpe:/a:oracle:linux:qemu-block-rbd |
| oracle | linux | qemu-common | p-cpe:/a:oracle:linux:qemu-common |
| oracle | linux | qemu-img | p-cpe:/a:oracle:linux:qemu-img |
| oracle | linux | qemu-kvm | p-cpe:/a:oracle:linux:qemu-kvm |
| oracle | linux | qemu-kvm-core | p-cpe:/a:oracle:linux:qemu-kvm-core |
| oracle | linux | qemu-system-x86 | p-cpe:/a:oracle:linux:qemu-system-x86 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16867
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16872
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20123
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20124
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20125
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20126
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20191
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20216
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6778
linux.oracle.com/errata/ELSA-2019-4556.html