Lucene search
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLELINUX_ELSA-2023-12834.NASLHistorySep 22, 2023 - 12:00 a.m.
Oracle Linux 7 : qemu (ELSA-2023-12834)
2023-09-2200:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
18
oracle linux 7
qemu
elsa-2023-12834
vulnerability
race scenario
denial of service
lsi53c895a
dma-mmio reentrancy problem
memory corruption
virtio_crypto device
data encryption
heap buffer overflow
6.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
7.1 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
5.2%
The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-12834 advisory.
-
A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service. (CVE-2023-3301)
-
A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem may lead to memory corruption bugs like stack overflow or use-after-free. (CVE-2023-0330)
-
A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in virtio_crypto_handle_sym_req. There is no check for the value of
src_lenanddst_lenin virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
(CVE-2023-3180)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2023-12834.
##
include('compat.inc');
if (description)
{
script_id(181814);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/15");
script_cve_id("CVE-2023-0330", "CVE-2023-3180", "CVE-2023-3301");
script_xref(name:"IAVB", value:"2023-B-0019-S");
script_xref(name:"IAVB", value:"2023-B-0058-S");
script_xref(name:"IAVB", value:"2023-B-0073-S");
script_name(english:"Oracle Linux 7 : qemu (ELSA-2023-12834)");
script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2023-12834 advisory.
- A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device
backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this
time window to trigger an assertion and cause a denial of service. (CVE-2023-3301)
- A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem
may lead to memory corruption bugs like stack overflow or use-after-free. (CVE-2023-0330)
- A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in
virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in
virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
(CVE-2023-3180)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2023-12834.html");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-3180");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/06");
script_set_attribute(attribute:"patch_publication_date", value:"2023/09/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:linux:7::kvm_utils");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-gluster");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-iscsi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-rbd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-img");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-core");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-x86");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-x86-core");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Oracle Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
if ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);
var pkgs = [
{'reference':'qemu-4.2.1-28.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-block-gluster-4.2.1-28.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-block-iscsi-4.2.1-28.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-block-rbd-4.2.1-28.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-common-4.2.1-28.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-img-4.2.1-28.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-kvm-4.2.1-28.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-kvm-core-4.2.1-28.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-system-x86-4.2.1-28.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},
{'reference':'qemu-system-x86-core-4.2.1-28.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release) {
if (exists_check) {
if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
} else {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-gluster / qemu-block-iscsi / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| oracle | linux | qemu-img | p-cpe:/a:oracle:linux:qemu-img |
| oracle | linux | qemu-block-gluster | p-cpe:/a:oracle:linux:qemu-block-gluster |
| oracle | linux | qemu-kvm-core | p-cpe:/a:oracle:linux:qemu-kvm-core |
| oracle | linux | 7 | cpe:/o:oracle:linux:7 |
| oracle | linux | qemu-common | p-cpe:/a:oracle:linux:qemu-common |
| oracle | linux | qemu-kvm | p-cpe:/a:oracle:linux:qemu-kvm |
| oracle | linux | qemu-block-iscsi | p-cpe:/a:oracle:linux:qemu-block-iscsi |
| oracle | linux | qemu-system-x86-core | p-cpe:/a:oracle:linux:qemu-system-x86-core |
| oracle | linux | 7 | cpe:/a:oracle:linux:7::kvm_utils |
| oracle | linux | qemu-system-x86 | p-cpe:/a:oracle:linux:qemu-system-x86 |
Related
oraclelinux
oraclelinux
qemu security update
2023-09-22 00:00:00
qemu security update
2023-09-22 00:00:00
virt:kvm_utils1 security update
2024-02-12 00:00:00
nessus
nessus
Oracle Linux 7 : qemu (ELSA-2023-12835)
2023-09-22 00:00:00
Oracle Linux 8 : virt:kvm_utils1 (ELSA-2024-12152)
2024-02-12 00:00:00
SUSE SLES15 Security Update : qemu (SUSE-SU-2023:3444-1)
2023-08-30 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-3604-1)
2023-10-06 00:00:00
SUSE: Security Advisory (SUSE-SU-2023:3444-1)
2023-08-29 00:00:00
openSUSE: Security Advisory for qemu (SUSE-SU-2023:3082-1)
2024-03-04 00:00:00
debian
debian
[SECURITY] [DLA 3604-1] qemu security update
2023-10-05 16:14:21
osv
osv
qemu - security update
2023-10-05 00:00:00
CVE-2023-3301
2023-09-13 17:15:10
CVE-2023-0330
2023-03-06 23:15:11
cve
cve
redhatcve
redhatcve
nvd
nvd
cvelist
cvelist
CVE-2023-3301 Triggerable assertion due to race condition in hot-unplug
2023-09-13 16:09:36
CVE-2023-0330 Qemu: lsi53c895a: dma reentrancy issue leads to stack overflow
2023-03-06 00:00:00
CVE-2023-3180 Heap buffer overflow in virtio_crypto_sym_op_helper()
2023-08-03 14:31:36
prion
prion
debiancve
debiancve
cbl_mariner
cbl_mariner
CVE-2023-3301 affecting package qemu for versions less than 8.2.0-1
2024-03-19 17:21:46
CVE-2023-3180 affecting package qemu for versions less than 8.2.0-1
2024-03-19 17:21:46
veracode
veracode
Denial Of Service (DoS)
2023-08-05 03:34:22
Out-of-bounds Write
2023-08-13 13:35:26
Out-of-bounds Write
2023-06-06 11:25:43
alpinelinux
alpinelinux
CVE-2023-0330
2023-03-06 23:15:11
CVE-2023-3180
2023-08-03 15:15:29
ubuntucve
ubuntucve
amazon
amazon
redos
redos
ROS-20240329-15
2024-03-29 00:00:00
ROS-20240606-01
2024-06-06 00:00:00
almalinux
almalinux
redhat
redhat
rosalinux
rosalinux
Advisory ROSA-SA-2023-2302
2023-12-05 10:39:31
fedora
fedora
[SECURITY] Fedora 38 Update: qemu-7.2.5-1.fc38
2023-08-29 01:35:27
ubuntu
ubuntu
QEMU vulnerabilities
2023-06-19 00:00:00
QEMU vulnerabilities
2024-01-08 00:00:00
QEMU regression
2024-06-06 00:00:00
ics
ics
Siemens SCALANCE XCM-/XRM-300
2024-02-15 12:00:00
6.5 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
7.1 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
5.2%
Related for ORACLELINUX_ELSA-2023-12834.NASL