Lucene search
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLELINUX_ELSA-2022-9123.NASLHistoryFeb 05, 2022 - 12:00 a.m.
Oracle Linux 7 : qemu (ELSA-2022-9123)
2022-02-0500:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
138
oracle linux 7
vulnerabilities
qemu
malicious user
out of bounds memory
stack overflow
dos attack
crash
guest user
CVSS2
2.1
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS3
6.5
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
AI Score
6.6
Confidence
Low
EPSS
0.001
Percentile
32.6%
The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-9123 advisory.
-
A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information. (CVE-2021-3947)
-
A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-3416)
-
A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. (CVE-2021-4158)
-
A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device.
This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196) -
An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
(CVE-2021-20203)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2022-9123.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(157387);
script_version("1.7");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/17");
script_cve_id(
"CVE-2021-3416",
"CVE-2021-3947",
"CVE-2021-4158",
"CVE-2021-20196",
"CVE-2021-20203"
);
script_xref(name:"IAVB", value:"2020-B-0075-S");
script_name(english:"Oracle Linux 7 : qemu (ELSA-2022-9123)");
script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2022-9123 advisory.
- A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist()
where a malicious guest controlling certain input can read out of bounds memory. A malicious user could
use this flaw leading to disclosure of sensitive information. (CVE-2021-3947)
- A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions
up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get
bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the
host resulting in DoS scenario. (CVE-2021-3416)
- A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within
the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service
condition. (CVE-2021-4158)
- A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while
processing read/write ioport commands if the selected floppy drive is not initialized with a block device.
This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of
service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)
- An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It
may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A
privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
(CVE-2021-20203)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2022-9123.html");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3947");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/12/03");
script_set_attribute(attribute:"patch_publication_date", value:"2022/02/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/05");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:ivshmem-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-gluster");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-iscsi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-rbd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-img");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-core");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-aarch64");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-aarch64-core");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-x86");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-x86-core");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Oracle Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");
exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
var os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
var pkgs = [
{'reference':'ivshmem-tools-4.2.1-15.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-4.2.1-15.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-4.2.1-15.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-block-gluster-4.2.1-15.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-block-gluster-4.2.1-15.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-block-iscsi-4.2.1-15.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-block-iscsi-4.2.1-15.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-block-rbd-4.2.1-15.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-block-rbd-4.2.1-15.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-common-4.2.1-15.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-common-4.2.1-15.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-img-4.2.1-15.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-img-4.2.1-15.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-kvm-4.2.1-15.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-kvm-4.2.1-15.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-kvm-core-4.2.1-15.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-kvm-core-4.2.1-15.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-system-aarch64-4.2.1-15.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-system-aarch64-core-4.2.1-15.el7', 'cpu':'aarch64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-system-x86-4.2.1-15.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-system-x86-core-4.2.1-15.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var release = NULL;
var sp = NULL;
var cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && release) {
if (exists_check) {
if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
} else {
if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_NOTE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ivshmem-tools / qemu / qemu-block-gluster / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| oracle | linux | 7 | cpe:/o:oracle:linux:7 |
| oracle | linux | ivshmem-tools | p-cpe:/a:oracle:linux:ivshmem-tools |
| oracle | linux | qemu | p-cpe:/a:oracle:linux:qemu |
| oracle | linux | qemu-block-gluster | p-cpe:/a:oracle:linux:qemu-block-gluster |
| oracle | linux | qemu-block-iscsi | p-cpe:/a:oracle:linux:qemu-block-iscsi |
| oracle | linux | qemu-block-rbd | p-cpe:/a:oracle:linux:qemu-block-rbd |
| oracle | linux | qemu-common | p-cpe:/a:oracle:linux:qemu-common |
| oracle | linux | qemu-img | p-cpe:/a:oracle:linux:qemu-img |
| oracle | linux | qemu-kvm | p-cpe:/a:oracle:linux:qemu-kvm |
| oracle | linux | qemu-kvm-core | p-cpe:/a:oracle:linux:qemu-kvm-core |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20196
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20203
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3416
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3947
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4158
linux.oracle.com/errata/ELSA-2022-9123.html
Related
oraclelinux
oraclelinux
qemu security update
2022-02-05 00:00:00
virt:kvm_utils security update
2022-02-25 00:00:00
qemu-kvm security, bug fix, and enhancement update
2022-11-22 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package qemu version 6.1.1-alt1
2022-03-01 00:00:00
nessus
nessus
Oracle Linux 8 : kvm_utils (ELSA-2022-9172)
2022-02-25 00:00:00
openSUSE 15 Security Update : qemu (openSUSE-SU-2022:0177-1)
2022-01-26 00:00:00
RHEL 8 : virt:av and virt-devel:av (RHSA-2022:0325)
2022-02-01 00:00:00
osv
osv
veracode
veracode
Denial Of Service (DoS)
2021-04-11 12:04:51
Denial Of Service (DoS)
2022-01-15 16:40:05
Denial Of Service (DoS)
2022-01-15 21:42:32
redhatcve
redhatcve
openvas
openvas
QEMU <= 5.2.0 DoS Vulnerability
2021-03-04 00:00:00
SUSE: Security Advisory (SUSE-SU-2022:0177-1)
2022-01-26 00:00:00
openSUSE: Security Advisory for qemu (openSUSE-SU-2022:0177-1)
2022-02-08 00:00:00
ubuntucve
ubuntucve
suse
suse
Security update for qemu (low)
2022-01-25 00:00:00
Security update for qemu (low)
2022-01-27 00:00:00
Security update for qemu (low)
2022-02-18 00:00:00
debiancve
debiancve
cbl_mariner
cbl_mariner
CVE-2021-20203 affecting package qemu-kvm 4.2.0-48
2021-04-06 23:50:33
CVE-2021-3947 affecting package qemu for versions less than 6.2.0-2
2022-06-03 17:54:21
CVE-2021-3947 affecting package qemu-kvm 4.2.0-48
2022-04-07 06:04:11
nvd
nvd
cvelist
cvelist
prion
prion
Integer overflow
2021-02-25 20:15:00
Null pointer dereference
2021-05-26 22:15:00
Stack overflow
2022-02-18 18:15:00
alpinelinux
alpinelinux
cve
cve
redhat
redhat
(RHSA-2022:0325) Low: virt:av and virt-devel:av security and bug fix update
2022-01-31 14:57:47
(RHSA-2022:0397) Low: virt:av and virt-devel:av security and bug fix update
2022-02-02 08:22:47
cnvd
cnvd
QEMU Denial of Service Vulnerability (CNVD-2022-84162)
2022-03-02 00:00:00
ubuntu
ubuntu
QEMU vulnerabilities
2022-02-28 00:00:00
debian
debian
[SECURITY] [DLA 2623-1] qemu security update
2021-04-10 21:21:02
[SECURITY] [DLA 2970-1] qemu security update
2022-04-04 13:21:47
[SECURITY] [DLA 3099-1] qemu security update
2022-09-05 03:28:05
citrix
citrix
Citrix Hypervisor Security Update
2021-06-23 11:06:42
amazon
amazon
Medium: qemu
2023-07-17 17:40:00
Medium: qemu
2023-05-25 17:41:00
almalinux
almalinux
Moderate: qemu-kvm security, bug fix, and enhancement update
2022-11-15 00:00:00
Moderate: virt:rhel and virt-devel:rhel security and bug fix update
2021-08-10 11:58:46
rocky
rocky
qemu-kvm security, bug fix, and enhancement update
2022-11-15 06:12:15
virt:rhel and virt-devel:rhel security and bug fix update
2021-08-10 11:58:46
virt:rhel and virt-devel:rhel security, bug fix, and enhancement update
2022-05-10 07:59:57
gentoo
gentoo
QEMU: Multiple Vulnerabilities
2022-08-14 00:00:00
CVSS2
2.1
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS3
6.5
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
AI Score
6.6
Confidence
Low
EPSS
0.001
Percentile
32.6%
Related for ORACLELINUX_ELSA-2022-9123.NASL