Oracle Linux 7 : qemu (ELSA-2019-4585)

Nessus plugin: ORACLELINUX_ELSA-2019-4585.NASL
Published: Sep 07, 2023
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4585 advisory.

  • An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the ‘vnc_refresh_server_surface’. A user inside a guest could use this flaw to crash the QEMU process.
    (CVE-2017-2633)

  • Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write. (CVE-2017-14167)

  • The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation. (CVE-2017-15289)

  • Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
    (CVE-2017-5715)

  • Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
    (CVE-2017-5753)

  • Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis of the data cache. (CVE-2017-5754)

  • The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.
    (CVE-2018-5683)

  • QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update. (CVE-2017-13672)

  • Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets. (CVE-2017-13711)

  • VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host. (CVE-2017-15124)

  • Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c. (CVE-2017-15268)

  • Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display. (CVE-2018-7858)

  • Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB), Variant 4. (CVE-2018-3639)

  • The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access. (CVE-2018-7550)

  • m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
    (CVE-2018-11806)

  • qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread. (CVE-2018-15746)

  • qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. (CVE-2018-17963)

  • Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. (CVE-2018-17962)

  • Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used. (CVE-2018-17958)

  • Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to a buffer overflow issue. It could occur when receiving packets over the network. A user inside a guest could use this flaw to crash the Qemu process, resulting in DoS. (CVE-2018-10839)

  • qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket.
    (CVE-2018-12617)

  • Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside a guest could use this flaw to access the host file system beyond the shared folder and potentially escalate their privileges on the host. (CVE-2017-7471)

  • A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server’s response to a ‘NBD_OPT_LIST’ request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.
    (CVE-2017-2630)

  • Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages.
    (CVE-2017-10806)

  • The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area. (CVE-2017-11334)

  • The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings.
    (CVE-2017-17381)

  • Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside the guest.
    (CVE-2017-7493)

  • hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count. (CVE-2017-8112)

  • QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing. (CVE-2017-9503)

  • QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive. (CVE-2017-12809)

  • Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes. (CVE-2017-15038)

  • The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of service issue. It could occur if a client sent large option requests, making the server waste CPU time on reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other requests, resulting in DoS. (CVE-2017-15119)

  • hw/input/ps2.c in Qemu does not validate ‘rptr’ and ‘count’ values during guest migration, leading to out-of-bounds access. (CVE-2017-16845)

  • The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related to negative pitch. (CVE-2017-18030)

  • Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash). (CVE-2017-18043)

  • Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture. (CVE-2017-8309)

  • Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events. (CVE-2017-8379)

  • Buffer overflow in the megasas_mmio_write function in Qemu 2.9.0 allows remote attackers to have unspecified impact via unknown vectors. (CVE-2017-8380)

  • The vga display update mis-calculated the region for the dirty bitmap snapshot when split screen mode is used, causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty function. (CVE-2017-13673)

  • A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0: a path traversal in the usb_mtp_write_data function in hw/usb/dev-mtp.c due to improper filename sanitization. When the guest device is mounted in read-write mode, this allows reading/writing arbitrary files, which may lead to a DoS scenario or possibly to code execution on the host. (CVE-2018-16867)

  • hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).
    (CVE-2018-20191)

  • A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn’t consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.
    (CVE-2018-16872)

  • hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value. (CVE-2018-20124)

  • QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and -1 is mishandled). (CVE-2018-20216)

  • hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. (CVE-2018-20125)

  • hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled. (CVE-2018-20126)

  • In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid msg_len value. (CVE-2018-18849)

  • An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.
    (CVE-2018-16847)

  • hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second thread, leading to (for example) a use-after-free outcome. (CVE-2018-19364)

  • v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a race condition during file renaming. (CVE-2018-19489)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
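The check therefore rests entirely on comparing installed RPM epoch:version-release values against the advisory's fixed versions. The following Python is an added example (not Tenable's plugin code nor anything shipped by Oracle) that reimplements that ordering, including RPM's rpmvercmp() segment rules and epoch precedence, and runs it over constructed `rpm -qa` lines using the fixed versions listed in the plugin's package table (epoch 15, 3.1.0-1.el7, aarch64 only). The `rpm -qa --qf` format string and the sample lines are assumptions, not taken from the page.

```python
import re

# Fixed packages from the plugin's pkgs list (NAME-VERSION-RELEASE); epoch 15, aarch64 only.
FIXED_EPOCH = 15
FIXED_ARCH = "aarch64"
FIXED_REFERENCES = [
    "ivshmem-tools-3.1.0-1.el7",
    "qemu-3.1.0-1.el7",
    "qemu-block-gluster-3.1.0-1.el7",
    "qemu-block-iscsi-3.1.0-1.el7",
    "qemu-block-rbd-3.1.0-1.el7",
    "qemu-common-3.1.0-1.el7",
    "qemu-img-3.1.0-1.el7",
    "qemu-kvm-3.1.0-1.el7",
    "qemu-kvm-core-3.1.0-1.el7",
    "qemu-system-aarch64-3.1.0-1.el7",
    "qemu-system-aarch64-core-3.1.0-1.el7",
]

# rpmvercmp() splits on everything that is not a digit, a letter or a tilde.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+|~")

def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings like rpm's rpmvercmp(): -1, 0 or 1.

    Numeric segments compare as integers and beat alphabetic ones; a tilde
    sorts before anything, even the end of the string (3.1.0~rc3 < 3.1.0);
    otherwise the side with segments left over is newer. No '^' support.
    """
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for i in range(max(len(sa), len(sb))):
        x = sa[i] if i < len(sa) else None
        y = sb[i] if i < len(sb) else None
        if x == "~" or y == "~":
            if x != y:                      # only one side has the tilde: it is older
                return 1 if y == "~" else -1
            continue                        # both have it: keep comparing
        if x is None or y is None:
            return -1 if x is None else 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return 0

def compare_evr(e1: int, v1: str, r1: str, e2: int, v2: str, r2: str) -> int:
    """Order two epoch:version-release triples; the epoch wins before version."""
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return rpmvercmp(v1, v2) or rpmvercmp(r1, r2)

def split_nvr(nvr: str) -> tuple:
    """'qemu-kvm-core-3.1.0-1.el7' -> ('qemu-kvm-core', '3.1.0', '1.el7')."""
    name_version, _, release = nvr.rpartition("-")
    name, _, version = name_version.rpartition("-")
    return name, version, release

def parse_rpm_line(line: str) -> dict:
    """Parse a line of: rpm -qa --qf '%{EPOCH}:%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\\n'"""
    epoch_str, _, rest = line.strip().partition(":")
    nvr, _, arch = rest.rpartition(".")
    name, version, release = split_nvr(nvr)
    # rpm prints an unset epoch as "(none)", which compares as 0.
    epoch = 0 if epoch_str == "(none)" else int(epoch_str)
    return {"name": name, "epoch": epoch, "version": version,
            "release": release, "arch": arch}

def vulnerable_packages(rpm_qa_output: str) -> list:
    """Return the rpm -qa lines whose package is older than the advisory's fix."""
    fixed = {n: (FIXED_EPOCH, v, r) for n, v, r in map(split_nvr, FIXED_REFERENCES)}
    hits = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        pkg = parse_rpm_line(line)
        # Packages the advisory does not ship, or built for another arch, are out of scope.
        if pkg["name"] not in fixed or pkg["arch"] != FIXED_ARCH:
            continue
        fe, fv, fr = fixed[pkg["name"]]
        if compare_evr(pkg["epoch"], pkg["version"], pkg["release"], fe, fv, fr) < 0:
            hits.append(line.strip())
    return hits

# Constructed sample rpm -qa output, not captured from a real host.
SAMPLE_RPM_QA = "\n".join([
    "15:qemu-kvm-2.12.0-3.el7.aarch64",      # older version: affected
    "15:qemu-img-3.1.0-1.el7.aarch64",       # exactly the fixed version: clean
    "15:qemu-common-3.1.0-2.el7.aarch64",    # newer release: clean
    "10:qemu-kvm-core-3.2.0-1.el7.aarch64",  # newer version but lower epoch: affected
    "15:qemu-3.1.0~rc3-1.el7.aarch64",       # pre-release sorts below 3.1.0: affected
    "(none):qemu-kvm-2.0.0-1.el7.x86_64",    # other architecture: out of scope
    "(none):bash-4.2.46-34.el7.aarch64",     # not an advisory package
])
```

`vulnerable_packages(SAMPLE_RPM_QA)` returns the three lines marked affected; on a live host, feed it the output of the `rpm -qa --qf` command from the `parse_rpm_line` docstring.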

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2019-4585.
##

include('compat.inc');

if (description)
{
  script_id(180740);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/08");

  script_cve_id(
    "CVE-2017-2630",
    "CVE-2017-2633",
    "CVE-2017-5715",
    "CVE-2017-5753",
    "CVE-2017-5754",
    "CVE-2017-7471",
    "CVE-2017-7493",
    "CVE-2017-8112",
    "CVE-2017-8309",
    "CVE-2017-8379",
    "CVE-2017-8380",
    "CVE-2017-9503",
    "CVE-2017-10806",
    "CVE-2017-11334",
    "CVE-2017-12809",
    "CVE-2017-13672",
    "CVE-2017-13673",
    "CVE-2017-13711",
    "CVE-2017-14167",
    "CVE-2017-15038",
    "CVE-2017-15119",
    "CVE-2017-15124",
    "CVE-2017-15268",
    "CVE-2017-15289",
    "CVE-2017-16845",
    "CVE-2017-17381",
    "CVE-2017-18030",
    "CVE-2017-18043",
    "CVE-2018-3639",
    "CVE-2018-5683",
    "CVE-2018-7550",
    "CVE-2018-7858",
    "CVE-2018-10839",
    "CVE-2018-11806",
    "CVE-2018-12617",
    "CVE-2018-15746",
    "CVE-2018-16847",
    "CVE-2018-16867",
    "CVE-2018-16872",
    "CVE-2018-17958",
    "CVE-2018-17962",
    "CVE-2018-17963",
    "CVE-2018-18849",
    "CVE-2018-19364",
    "CVE-2018-19489",
    "CVE-2018-20124",
    "CVE-2018-20125",
    "CVE-2018-20126",
    "CVE-2018-20191",
    "CVE-2018-20216"
  );
  script_xref(name:"IAVA", value:"2018-A-0017-S");
  script_xref(name:"IAVA", value:"2018-A-0019");
  script_xref(name:"IAVA", value:"2018-A-0020");
  script_xref(name:"IAVA", value:"2018-A-0022-S");
  script_xref(name:"IAVA", value:"2018-A-0170");

  script_name(english:"Oracle Linux 7 : qemu (ELSA-2019-4585)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2019-4585 advisory.

  - An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display
    driver. This flaw could occur while refreshing the VNC display surface area in the
    'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process.
    (CVE-2017-2633)

  - Integer overflow in the load_multiboot function in hw/i386/multiboot.c in QEMU (aka Quick Emulator) allows
    local guest OS users to execute arbitrary code on the host via crafted multiboot header address values,
    which trigger an out-of-bounds write. (CVE-2017-14167)

  - The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to
    cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst
    calculation. (CVE-2017-15289)

  - Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow
    unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
    (CVE-2017-5715)

  - Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized
    disclosure of information to an attacker with local user access via a side-channel analysis.
    (CVE-2017-5753)

  - Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow
    unauthorized disclosure of information to an attacker with local user access via a side-channel analysis
    of the data cache. (CVE-2017-5754)

  - The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service
    (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.
    (CVE-2018-5683)

  - QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS
    privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors
    involving display update. (CVE-2017-13672)

  - Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows
    attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear
    ifq_so from pending packets. (CVE-2017-13711)

  - VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an
    unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If
    the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A
    malicious remote VNC client could use this flaw to cause DoS to the server host. (CVE-2017-15124)

  - Qemu through 2.10.0 allows remote attackers to cause a memory leak by triggering slow data-channel read
    operations, related to io/channel-websock.c. (CVE-2017-15268)

  - Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest
    OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by
    leveraging incorrect region calculation when updating VGA display. (CVE-2018-7858)

  - Systems with microprocessors utilizing speculative execution and speculative execution of memory reads
    before the addresses of all prior memory writes are known may allow unauthorized disclosure of information
    to an attacker with local user access via a side-channel analysis, aka Speculative Store Bypass (SSB),
    Variant 4. (CVE-2018-3639)

  - The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS
    users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than
    mh_bss_end_addr, which triggers an out-of-bounds read or write memory access. (CVE-2018-7550)

  - m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
    (CVE-2018-11806)

  - qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by
    leveraging mishandling of the seccomp policy for threads other than the main thread. (CVE-2018-15746)

  - qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows
    attackers to cause a denial of service or possibly have unspecified other impact. (CVE-2018-17963)

  - Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is
    used. (CVE-2018-17962)

  - Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data
    type is used. (CVE-2018-17958)

  - Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow,
    which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user
    inside guest could use this flaw to crash the Qemu process resulting in DoS. (CVE-2018-10839)

  - qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in
    QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when
    trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP
    command (including guest-file-read with a large count value) to the agent via the listening socket.
    (CVE-2018-12617)

  - Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support,
    is vulnerable to an improper access control issue. It could occur while accessing files on a shared host
    directory. A privileged user inside guest could use this flaw to access host file system beyond the shared
    folder and potentially escalating their privileges on a host. (CVE-2017-7471)

  - A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network
    Block Device (NBD) client support. The flaw could occur while processing server's response to a
    'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting
    in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.
    (CVE-2017-2630)

  - Stack-based buffer overflow in hw/usb/redirect.c in QEMU (aka Quick Emulator) allows local guest OS users
    to cause a denial of service (QEMU process crash) via vectors related to logging debug messages.
    (CVE-2017-10806)

  - The address_space_write_continue function in exec.c in QEMU (aka Quick Emulator) allows local guest OS
    privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by
    leveraging use of qemu_map_ram_ptr to access guest ram block area. (CVE-2017-11334)

  - The Virtio Vring implementation in QEMU allows local OS guest users to cause a denial of service (divide-
    by-zero error and QEMU process crash) by unsetting vring alignment while updating Virtio rings.
    (CVE-2017-17381)

  - Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support,
    is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in
    mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest.
    (CVE-2017-7493)

  - hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial
    of service (infinite loop and CPU consumption) via the message ring page count. (CVE-2017-8112)

  - QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows
    local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process
    crash) via vectors involving megasas command processing. (CVE-2017-9503)

  - QEMU (aka Quick Emulator), when built with the IDE disk and CD/DVD-ROM Emulator support, allows local
    guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash)
    by flushing an empty CDROM device drive. (CVE-2017-12809)

  - Race condition in the v9fs_xattrwalk function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local
    guest OS users to obtain sensitive information from host heap memory via vectors related to reading
    extended attributes. (CVE-2017-15038)

  - The Network Block Device (NBD) server in Quick Emulator (QEMU) before 2.11 is vulnerable to a denial of
    service issue. It could occur if a client sent large option requests, making the server waste CPU time on
    reading up to 4GB per request. A client could use this flaw to keep the NBD server from serving other
    requests, resulting in DoS. (CVE-2017-15119)

  - hw/input/ps2.c in Qemu does not validate 'rptr' and 'count' values during guest migration, leading to out-
    of-bounds access. (CVE-2017-16845)

  - The cirrus_invalidate_region function in hw/display/cirrus_vga.c in Qemu allows local OS guest privileged
    users to cause a denial of service (out-of-bounds array access and QEMU process crash) via vectors related
    to negative pitch. (CVE-2017-18030)

  - Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of
    service (Qemu process crash). (CVE-2017-18043)

  - Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of
    service (memory consumption) by repeatedly starting and stopping audio capture. (CVE-2017-8309)

  - Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest
    OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large
    keyboard events. (CVE-2017-8379)

  - Buffer overflow in the megasas_mmio_write function in Qemu 2.9.0 allows remote attackers to have
    unspecified impact via unknown vectors. (CVE-2017-8380)

  - The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen
    mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty
    function. (CVE-2017-13673)

  - A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in
    usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest
    device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS
    scenario OR possibly lead to code execution on the host. (CVE-2018-16867)

  - hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to
    uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).
    (CVE-2018-20191)

  - A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and
    usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying
    filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical
    TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this
    property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU
    process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.
    (CVE-2018-16872)

  - hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe
    ring element with a large num_sge value. (CVE-2018-20124)

  - QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and
    -1 is mishandled). (CVE-2018-20216)

  - hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference
    or excessive memory allocation) in create_cq_ring or create_qp_rings. (CVE-2018-20125)

  - hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are
    mishandled. (CVE-2018-20126)

  - In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid
    msg_len value. (CVE-2018-18849)

  - An OOB heap buffer r/w access issue was found in the NVM Express Controller emulation in QEMU. It could
    occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU
    process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process.
    (CVE-2018-16847)

  - hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an fid path while it is being accessed by a second
    thread, leading to (for example) a use-after-free outcome. (CVE-2018-19364)

  - v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS users to cause a denial of service (crash) because of a
    race condition during file renaming. (CVE-2018-19489)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2019-4585.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7471");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2017-16845");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/03/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/07");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ivshmem-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-gluster");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-iscsi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-rbd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-img");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-aarch64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-aarch64-core");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
if ('aarch64' >!< cpu) audit(AUDIT_ARCH_NOT, 'aarch64', cpu);

var pkgs = [
    {'reference':'ivshmem-tools-3.1.0-1.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
    {'reference':'qemu-3.1.0-1.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
    {'reference':'qemu-block-gluster-3.1.0-1.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
    {'reference':'qemu-block-iscsi-3.1.0-1.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
    {'reference':'qemu-block-rbd-3.1.0-1.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
    {'reference':'qemu-common-3.1.0-1.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
    {'reference':'qemu-img-3.1.0-1.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
    {'reference':'qemu-kvm-3.1.0-1.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
    {'reference':'qemu-kvm-core-3.1.0-1.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
    {'reference':'qemu-system-aarch64-3.1.0-1.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
    {'reference':'qemu-system-aarch64-core-3.1.0-1.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release) {
    if (exists_check) {
        # pass the per-package arch (_cpu) here as the branch below does; the host arch was already validated above
        if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ivshmem-tools / qemu / qemu-block-gluster / etc');
}
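The loop above hands each entry of pkgs[] to rpm_check(), which compares the installed package's epoch:version-release against the fixed one (15:3.1.0-1.el7 for every package here) using RPM's segment-wise version ordering. The following is an added example, not Tenable's code or part of the plugin: a stand-alone Python port of librpm's rpmvercmp() plus the epoch/version/release comparison, run over a constructed package list in the shape of `rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE} %{ARCH}\n'`. The sample rows, the function names and the FIXED table are assumptions made for this example; the package names and fixed versions are those in pkgs[] above. It shows the two things a plain string comparison gets wrong: an epoch-0 build of 3.1.0-1.el7 is older than 15:3.1.0-1.el7, and 1.10 is newer than 1.9.

```python
"""Added example (not Tenable's code): re-implements the EVR comparison that
rpm_check() performs for the pkgs[] array above, so it can be run offline.
The rpm output below is constructed for the example, not captured from a host."""
import string

DIGITS = set(string.digits)
LETTERS = set(string.ascii_letters)
ALNUM = DIGITS | LETTERS

# Fixed versions from pkgs[] above: every entry is epoch 15, 3.1.0-1.el7, aarch64.
FIXED = {
    name: ("15", "3.1.0-1.el7", "aarch64")
    for name in (
        "ivshmem-tools", "qemu", "qemu-block-gluster", "qemu-block-iscsi",
        "qemu-block-rbd", "qemu-common", "qemu-img", "qemu-kvm", "qemu-kvm-core",
        "qemu-system-aarch64", "qemu-system-aarch64-core",
    )
}

# Constructed sample in the shape of:
#   rpm -qa --qf '%{NAME} %{EPOCHNUM}:%{VERSION}-%{RELEASE} %{ARCH}\n'
SAMPLE_RPM_LIST = """\
qemu-kvm 15:3.1.0-1.el7 aarch64
qemu-img 10:2.12.0-33.el7 aarch64
qemu-common 15:3.0.0-5.el7 aarch64
qemu-kvm-core 15:3.1.0-0.el7 aarch64
qemu 15:3.1.0-2.el7 aarch64
qemu-block-rbd 0:3.1.0-1.el7 aarch64
qemu-block-iscsi 15:3.1.0-1.el7 x86_64
bash 0:4.2.46-34.el7 aarch64
"""


def _segment(s, i, charset):
    """Return (run of characters from charset starting at s[i], index after it)."""
    j = i
    while j < len(s) and s[j] in charset:
        j += 1
    return s[i:j], j


def rpmvercmp(a, b):
    """Port of librpm's rpmvercmp(): 1 if a is newer, -1 if older, 0 if equal."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything not alphanumeric or '~') are skipped
        while i < len(a) and a[i] not in ALNUM and a[i] != "~":
            i += 1
        while j < len(b) and b[j] not in ALNUM and b[j] != "~":
            j += 1
        # '~' sorts before everything, even end of string: 1.0~rc1 < 1.0
        if (i < len(a) and a[i] == "~") or (j < len(b) and b[j] == "~"):
            if i >= len(a) or a[i] != "~":
                return 1
            if j >= len(b) or b[j] != "~":
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        if a[i] in DIGITS:
            sa, i = _segment(a, i, DIGITS)
            sb, j = _segment(b, j, DIGITS)
            if not sb:
                return 1            # numeric segment beats an alpha segment
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):  # more digits wins: 10 > 9
                return 1 if len(sa) > len(sb) else -1
        else:
            sa, i = _segment(a, i, LETTERS)
            sb, j = _segment(b, j, LETTERS)
            if not sb:
                return -1           # alpha segment loses to a numeric one
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # whichever has segments left over is newer


def split_evr(evr):
    """'15:3.1.0-1.el7' -> (15, '3.1.0', '1.el7'); a missing epoch counts as 0."""
    epoch, _, vr = evr.rpartition(":")
    parts = vr.split("-", 1)          # an RPM version never contains '-'
    version, release = parts[0], (parts[1] if len(parts) > 1 else "")
    return (int(epoch) if epoch else 0, version, release)


def evrcmp(a, b):
    """Compare epoch first, then version, then release, as rpm does."""
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def affected_packages(rpm_list, fixed=FIXED):
    """Return sorted (name, installed_evr, fixed_evr) for packages older than the fix.
    Mirrors the plugin: only the listed names, only the aarch64 build of each."""
    findings = []
    for line in rpm_list.splitlines():
        if not line.strip():
            continue
        name, evr, arch = line.split()
        if name not in fixed or arch != fixed[name][2]:
            continue
        fixed_evr = f"{fixed[name][0]}:{fixed[name][1]}"
        if evrcmp(evr, fixed_evr) < 0:
            findings.append((name, evr, fixed_evr))
    return sorted(findings)


if __name__ == "__main__":
    for name, installed, fixed_evr in affected_packages(SAMPLE_RPM_LIST):
        print(f"{name}: installed {installed} is older than fixed {fixed_evr}")
```

On a real host the same check is `rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}.%{ARCH}\n' qemu-kvm` compared against 15:3.1.0-1.el7.aarch64; the point of the epoch in pkgs[] is that a locally rebuilt or third-party qemu-3.1.0-1.el7 with epoch 0 still reports as affected, exactly as rpm itself would refuse to treat it as an upgrade.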
Vendor  Product  Version                   CPE
oracle  linux    7                         cpe:/o:oracle:linux:7
oracle  linux    ivshmem-tools             p-cpe:/a:oracle:linux:ivshmem-tools
oracle  linux    qemu                      p-cpe:/a:oracle:linux:qemu
oracle  linux    qemu-block-gluster        p-cpe:/a:oracle:linux:qemu-block-gluster
oracle  linux    qemu-block-iscsi          p-cpe:/a:oracle:linux:qemu-block-iscsi
oracle  linux    qemu-block-rbd            p-cpe:/a:oracle:linux:qemu-block-rbd
oracle  linux    qemu-common               p-cpe:/a:oracle:linux:qemu-common
oracle  linux    qemu-img                  p-cpe:/a:oracle:linux:qemu-img
oracle  linux    qemu-kvm                  p-cpe:/a:oracle:linux:qemu-kvm
oracle  linux    qemu-kvm-core             p-cpe:/a:oracle:linux:qemu-kvm-core
(rows 1-10 of 121)

References