{"id": "QEMU_WIN_5_2_RC3.NASL", "bulletinFamily": "scanner", "title": "QEMU < 5.2.0-rc3 Heap Use-After-Free DoS (CVE-2020-28916)", "description": "The version of QEMU installed on the remote Windows host may be affected by a denial of service (DoS) vulnerability in\nthe e1000e device emulator due to a heap use-after-free. An attacker can exploit this by sending packets to be received by\ne1000e_write_packet_to_guest() in order to induce a DoS.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version \nnumber.", "published": "2020-12-04T00:00:00", "modified": "2020-12-04T00:00:00", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "href": "https://www.tenable.com/plugins/nessus/143479", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bugs.launchpad.net/qemu/+bug/1892978", "https://www.openwall.com/lists/oss-security/2020/12/01/2"], "cvelist": ["CVE-2020-28916"], "type": "nessus", "lastseen": "2020-12-08T04:53:54", "edition": 2, "viewCount": 7, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-28916"]}, {"type": "nessus", "idList": ["EULEROS_SA-2021-1275.NASL", "ORACLELINUX_ELSA-2021-9034.NASL", "DEBIAN_DLA-2560.NASL", "UBUNTU_USN-4725-1.NASL", "EULEROS_SA-2021-1256.NASL"]}, {"type": "archlinux", "idList": ["ASA-202012-26"]}, {"type": "ubuntu", "idList": ["USN-4725-1"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2560-1:73BB2"]}, {"type": "oraclelinux", "idList": ["ELSA-2021-9034"]}], "modified": "2020-12-08T04:53:54", "rev": 2}, "score": {"value": 4.9, "vector": "NONE", "modified": "2020-12-08T04:53:54", "rev": 2}, "vulnersScore": 4.9}, "sourceData": "##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143479);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/07\");\n\n script_cve_id(\"CVE-2020-28916\");\n script_xref(name:\"IAVB\", value:\"2020-B-0075\");\n\n script_name(english:\"QEMU < 5.2.0-rc3 Heap Use-After-Free DoS (CVE-2020-28916)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has virtualization software installed that is affected by a denial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of QEMU installed on the remote Windows host may be affected by a denial of service (DoS) vulnerability in\nthe e1000e device emulator due to a heap use-after-free. An attacker can exploit this by sending packets to be received by\ne1000e_write_packet_to_guest() in order to induce a DoS.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version \nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.openwall.com/lists/oss-security/2020/12/01/2\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugs.launchpad.net/qemu/+bug/1892978\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to QEMU 5.2.0-rc3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-28916\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/04\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:qemu:qemu\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"qemu_installed_windows.nbin\");\n script_require_keys(\"installed_sw/QEMU\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\n# Paranoid due to uncertain min_version, max_version found by searching releases for last one where\n# https://git.qemu.org/?p=qemu.git;a=commitdiff;h=c2cb511634012344e3d0fe49a037a33b12d8a98a isn't uupdated\nif (report_paranoia < 2)\n audit(AUDIT_PARANOID);\n\napp_info = vcf::get_app_info(app:'QEMU', win_local:TRUE);\n\nconstraints = [{'min_version':'0.0', 'max_version' : '5.1.92.0', 'fixed_display':'5.2.0-rc3' }];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);\n", "naslFamily": "Windows", "pluginID": "143479", "cpe": ["cpe:/a:qemu:qemu"], "cvss3": {"score": 5.5, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}, "scheme": null}

{"cve": [{"lastseen": "2021-02-25T14:50:57", "description": "hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.", "edition": 5, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 5.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-12-04T07:15:00", "title": "CVE-2020-28916", "type": "cve", "cwe": ["CWE-835"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-28916"], "modified": "2021-02-24T19:13:00", "cpe": ["cpe:/a:qemu:qemu:5.0.0", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2020-28916", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28916", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:qemu:qemu:5.0.0:*:*:*:*:*:*:*"]}], "archlinux": [{"lastseen": "2020-12-31T13:40:52", "bulletinFamily": "unix", "cvelist": ["CVE-2020-14364", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-28916"], "description": "Arch Linux Security Advisory ASA-202012-26\n==========================================\n\nSeverity: Medium\nDate : 2020-12-16\nCVE-ID : CVE-2020-14364 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723\nCVE-2020-28916\nPackage : qemu\nType : multiple issues\nRemote : No\nLink : https://security.archlinux.org/AVG-1300\n\nSummary\n=======\n\nThe package qemu before version 5.2.0-1 is vulnerable to multiple\nissues including arbitrary code execution and denial of service.\n\nResolution\n==========\n\nUpgrade to 5.2.0-1.\n\n# pacman -Syu \"qemu>=5.2.0-1\"\n\nThe problems have been fixed upstream in version 5.2.0.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2020-14364 (arbitrary code execution)\n\nAn out-of-bounds read/write access flaw was found in the USB emulator\nof the QEMU in versions before 5.2.0. This issue occurs while\nprocessing USB packets from a guest when USBDevice 'setup_len' exceeds\nits 'data_buf[4096]' in the do_token_in, do_token_out routines. This\nflaw allows a guest user to crash the QEMU process, resulting in a\ndenial of service, or the potential execution of arbitrary code with\nthe privileges of the QEMU process on the host.\n\n- CVE-2020-25624 (arbitrary code execution)\n\nA flaw was found in QEMU before version 5.2.0. An out-of-bounds\nread/write access issue was found in the USB OHCI controller emulator.\nThe issue could occur while servicing transfer descriptors (TD), as\nOHCI controller derives variables 'start_addr', 'end_addr', and 'len'\nfrom values supplied by the host controller driver. The host controller\ndriver may supply values such that using these variables leads to an\nout-of-bounds access issue leading to a guest user/process using this\nflaw to crash the QEMU process on the host resulting in a denial of\nservice (DoS) scenario. The highest threat from this vulnerability is\nto data confidentiality and integrity as well as system availability.\n\n- CVE-2020-25625 (denial of service)\n\nAn infinite loop issue was found in the USB OHCI controller emulator of\nQEMU before version 5.2.0. It could occur while servicing OHCI\nisochronous transfer descriptors (TD) in ohci_service_iso_td routine,\nas it retires a TD if it has passed its time frame. While doing so it\ndoes not check if the TD was already processed ones and holds an error\ncode in TD_CC. It may happen if the TD list has a loop.\n\nA guest user/process may use this flaw to consume cpu cycles on the\nhost resulting in a DoS scenario.\n\n- CVE-2020-25723 (denial of service)\n\nA reachable assertion issue was found in the USB EHCI emulation code of\nQEMU before version 5.2.0. It could occur while processing USB requests\ndue to missing handling of DMA memory map failure. A malicious\nprivileged user within the guest may abuse this flaw to send bogus USB\nrequests and crash the QEMU process on the host, resulting in a denial\nof service.\n\n- CVE-2020-28916 (denial of service)\n\nAn infinite loop issue was found in the e1000e device emulator in QEMU\nbefore version 5.2.0. The issue could occur while receiving packets via\ne1000e_write_packet_to_guest() routine, if the receive(RX) descriptor\nhas NULL buffer address. A privileged guest user may use this flaw to\ninduce a DoS scenario on the host.\n\nImpact\n======\n\nA guest might be able to cause a denial of service or execute arbitrary\ncode on the host.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/68356\nhttps://www.openwall.com/lists/oss-security/2020/08/24/2\nhttps://www.openwall.com/lists/oss-security/2020/08/24/3\nhttps://git.qemu.org/?p=qemu.git;a=commitdiff;h=b946434f2659a182afc17e155be6791ebfb302eb\nhttps://git.qemu.org/?p=qemu.git;a=commitdiff;h=1328fe0c32d5474604105b8105310e944976b058\nhttps://www.openwall.com/lists/oss-security/2020/09/17/1\nhttps://git.qemu.org/?p=qemu.git;a=commitdiff;h=1be90ebecc95b09a2ee5af3f60c412b45a766c4f\nhttps://git.qemu.org/?p=qemu.git;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6\nhttps://www.openwall.com/lists/oss-security/2020/12/01/2\nhttps://git.qemu.org/?p=qemu.git;a=commitdiff;h=c2cb511634012344e3d0fe49a037a33b12d8a98a\nhttps://security.archlinux.org/CVE-2020-14364\nhttps://security.archlinux.org/CVE-2020-25624\nhttps://security.archlinux.org/CVE-2020-25625\nhttps://security.archlinux.org/CVE-2020-25723\nhttps://security.archlinux.org/CVE-2020-28916", "modified": "2020-12-16T00:00:00", "published": "2020-12-16T00:00:00", "id": "ASA-202012-26", "href": "https://security.archlinux.org/ASA-202012-26", "type": "archlinux", "title": "[ASA-202012-26] qemu: multiple issues", "cvss": {"score": 4.7, "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2021-02-10T09:09:02", "description": "According to the versions of the qemu package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - In QEMU through 5.0.0, an integer overflow was found in\n the SM501 display driver implementation. This flaw\n occurs in the COPY_AREA macro while handling MMIO write\n operations through the sm501_2d_engine_write()\n callback. A local attacker could abuse this flaw to\n crash the QEMU process in sm501_2d_operation() in\n hw/display/sm501.c on the host, resulting in a denial\n of service.(CVE-2020-12829)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based\n buffer over-read via values obtained from the host\n controller driver.(CVE-2020-25624)\n\n - A reachable assertion issue was found in the USB EHCI\n emulation code of QEMU. It could occur while processing\n USB requests due to missing handling of DMA memory map\n failure. A malicious privileged user within the guest\n may abuse this flaw to send bogus USB requests and\n crash the QEMU process on the host, resulting in a\n denial of service.(CVE-2020-25723)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop\n when a TD list has a loop.(CVE-2020-25625)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop\n via an RX descriptor with a NULL buffer\n address.(CVE-2020-28916)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 2, "cvss3": {"score": 5.0, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L"}, "published": "2021-02-05T00:00:00", "title": "EulerOS : qemu (EulerOS-SA-2021-1275)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-25625", "CVE-2020-12829", "CVE-2020-25723", "CVE-2020-28916", "CVE-2020-25624"], "modified": "2021-02-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:"], "id": "EULEROS_SA-2021-1275.NASL", "href": "https://www.tenable.com/plugins/nessus/146243", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146243);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/09\");\n\n script_cve_id(\n \"CVE-2020-12829\",\n \"CVE-2020-25624\",\n \"CVE-2020-25625\",\n \"CVE-2020-25723\",\n \"CVE-2020-28916\"\n );\n\n script_name(english:\"EulerOS : qemu (EulerOS-SA-2021-1275)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - In QEMU through 5.0.0, an integer overflow was found in\n the SM501 display driver implementation. This flaw\n occurs in the COPY_AREA macro while handling MMIO write\n operations through the sm501_2d_engine_write()\n callback. A local attacker could abuse this flaw to\n crash the QEMU process in sm501_2d_operation() in\n hw/display/sm501.c on the host, resulting in a denial\n of service.(CVE-2020-12829)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based\n buffer over-read via values obtained from the host\n controller driver.(CVE-2020-25624)\n\n - A reachable assertion issue was found in the USB EHCI\n emulation code of QEMU. It could occur while processing\n USB requests due to missing handling of DMA memory map\n failure. A malicious privileged user within the guest\n may abuse this flaw to send bogus USB requests and\n crash the QEMU process on the host, resulting in a\n denial of service.(CVE-2020-25723)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop\n when a TD list has a loop.(CVE-2020-25625)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop\n via an RX descriptor with a NULL buffer\n address.(CVE-2020-28916)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1275\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eaa0c799\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25624\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release (\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS \");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"qemu-img-4.1.0-16.h4.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-10T09:09:00", "description": "According to the versions of the qemu package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - In QEMU through 5.0.0, an integer overflow was found in\n the SM501 display driver implementation. This flaw\n occurs in the COPY_AREA macro while handling MMIO write\n operations through the sm501_2d_engine_write()\n callback. A local attacker could abuse this flaw to\n crash the QEMU process in sm501_2d_operation() in\n hw/display/sm501.c on the host, resulting in a denial\n of service.(CVE-2020-12829)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based\n buffer over-read via values obtained from the host\n controller driver.(CVE-2020-25624)\n\n - A reachable assertion issue was found in the USB EHCI\n emulation code of QEMU. It could occur while processing\n USB requests due to missing handling of DMA memory map\n failure. A malicious privileged user within the guest\n may abuse this flaw to send bogus USB requests and\n crash the QEMU process on the host, resulting in a\n denial of service.(CVE-2020-25723)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop\n when a TD list has a loop.(CVE-2020-25625)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop\n via an RX descriptor with a NULL buffer\n address.(CVE-2020-28916)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 2, "cvss3": {"score": 5.0, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L"}, "published": "2021-02-05T00:00:00", "title": "EulerOS 2.0 SP9 : qemu (EulerOS-SA-2021-1256)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-25625", "CVE-2020-12829", "CVE-2020-25723", "CVE-2020-28916", "CVE-2020-25624"], "modified": "2021-02-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1256.NASL", "href": "https://www.tenable.com/plugins/nessus/146222", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146222);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/09\");\n\n script_cve_id(\n \"CVE-2020-12829\",\n \"CVE-2020-25624\",\n \"CVE-2020-25625\",\n \"CVE-2020-25723\",\n \"CVE-2020-28916\"\n );\n\n script_name(english:\"EulerOS 2.0 SP9 : qemu (EulerOS-SA-2021-1256)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - In QEMU through 5.0.0, an integer overflow was found in\n the SM501 display driver implementation. This flaw\n occurs in the COPY_AREA macro while handling MMIO write\n operations through the sm501_2d_engine_write()\n callback. A local attacker could abuse this flaw to\n crash the QEMU process in sm501_2d_operation() in\n hw/display/sm501.c on the host, resulting in a denial\n of service.(CVE-2020-12829)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based\n buffer over-read via values obtained from the host\n controller driver.(CVE-2020-25624)\n\n - A reachable assertion issue was found in the USB EHCI\n emulation code of QEMU. It could occur while processing\n USB requests due to missing handling of DMA memory map\n failure. A malicious privileged user within the guest\n may abuse this flaw to send bogus USB requests and\n crash the QEMU process on the host, resulting in a\n denial of service.(CVE-2020-25723)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop\n when a TD list has a loop.(CVE-2020-25625)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop\n via an RX descriptor with a NULL buffer\n address.(CVE-2020-28916)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1256\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fed5c9e2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25624\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"qemu-img-4.1.0-16.h4.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 4.4, "vector": "AV:L/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-28T07:46:48", "description": "The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple\nvulnerabilities as referenced in the USN-4725-1 advisory.\n\n - iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose\n unrelated information from process memory to an attacker. (CVE-2020-11947)\n\n - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e\n packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO\n operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial\n of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.\n (CVE-2020-28916)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer\n index is not validated. (CVE-2020-29443)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 3, "cvss3": {"score": 3.9, "vector": "AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L"}, "published": "2021-02-08T00:00:00", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : QEMU vulnerabilities (USN-4725-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-15859", "CVE-2020-27821", "CVE-2021-20181", "CVE-2020-11947", "CVE-2020-29443", "CVE-2020-28916"], "modified": "2021-02-08T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x", "p-cpe:/a:canonical:ubuntu_linux:qemu-block-extra", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-xen", "p-cpe:/a:canonical:ubuntu_linux:qemu-system", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-microvm", "cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64", "p-cpe:/a:canonical:ubuntu_linux:qemu-utils", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86", "p-cpe:/a:canonical:ubuntu_linux:qemu", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:qemu-guest-agent", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:qemu-user", "p-cpe:/a:canonical:ubuntu_linux:qemu-user-static", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips", "cpe:/o:canonical:ubuntu_linux:20.10", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-gui", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc", "p-cpe:/a:canonical:ubuntu_linux:qemu-kvm", "p-cpe:/a:canonical:ubuntu_linux:qemu-user-binfmt", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-data", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-common"], "id": "UBUNTU_USN-4725-1.NASL", "href": "https://www.tenable.com/plugins/nessus/146303", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4725-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146303);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/26\");\n\n script_cve_id(\n \"CVE-2020-11947\",\n \"CVE-2020-15859\",\n \"CVE-2020-27821\",\n \"CVE-2020-28916\",\n \"CVE-2020-29443\",\n \"CVE-2021-20181\"\n );\n script_xref(name:\"USN\", value:\"4725-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : QEMU vulnerabilities (USN-4725-1)\");\n script_summary(english:\"Checks the dpkg output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple\nvulnerabilities as referenced in the USN-4725-1 advisory.\n\n - iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose\n unrelated information from process memory to an attacker. (CVE-2020-11947)\n\n - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e\n packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO\n operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial\n of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.\n (CVE-2020-28916)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer\n index is not validated. (CVE-2020-29443)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4725-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-29443\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-block-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-microvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user-binfmt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-utils\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021 Canonical, Inc. / NASL script (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|20\\.04|20\\.10)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04 / 20.10', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'qemu', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-aarch64', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-user', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-utils', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '18.04', 'pkgname': 'qemu', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-user', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-utils', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '20.04', 'pkgname': 'qemu', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-data', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-gui', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86-microvm', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86-xen', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-user', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-utils', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.10', 'pkgname': 'qemu', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-block-extra', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-kvm', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-arm', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-common', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-data', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-gui', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-mips', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-misc', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86-microvm', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86-xen', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-user', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-user-static', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-utils', 'pkgver': '1:5.0-5ubuntu9.4'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-extra / qemu-guest-agent / qemu-kvm / qemu-system / etc');\n}", "cvss": {"score": 3.3, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:P"}}, {"lastseen": "2021-02-25T17:50:26", "description": "Several vulnerabilities were discovered in QEMU, a fast processor\nemulator (notably used in KVM and Xen HVM virtualization). An attacker\ncould trigger a denial of service (DoS), information leak, and\npossibly execute arbitrary code with the privileges of the QEMU\nprocess on the host.\n\nCVE-2020-15469\n\nA MemoryRegionOps object may lack read/write callback methods, leading\nto a NULL pointer dereference.\n\nCVE-2020-15859\n\nQEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS\nuser can trigger an e1000e packet with the data's address set to the\ne1000e's MMIO address.\n\nCVE-2020-25084\n\nQEMU has a use-after-free in hw/usb/hcd-xhci.c because the\nusb_packet_map return value is not checked.\n\nCVE-2020-28916\n\nhw/net/e1000e_core.c has an infinite loop via an RX descriptor with a\nNULL buffer address.\n\nCVE-2020-29130\n\nslirp.c has a buffer over-read because it tries to read a certain\namount of header data even if that exceeds the total packet length.\n\nCVE-2020-29443\n\nide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read\naccess because a buffer index is not validated.\n\nCVE-2021-20181\n\n9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege\nescalation vulnerability.\n\nCVE-2021-20221\n\naarch64: GIC: out-of-bound heap buffer access via an interrupt ID\nfield.\n\nFor Debian 9 stretch, these problems have been fixed in version\n1:2.8+dfsg-6+deb9u13.\n\nWe recommend that you upgrade your qemu packages.\n\nFor the detailed security status of qemu please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/qemu\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "edition": 2, "cvss3": {"score": 4.3, "vector": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}, "published": "2021-02-19T00:00:00", "title": "Debian DLA-2560-1 : qemu security update", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-15859", "CVE-2020-15469", "CVE-2020-29130", "CVE-2020-25084", "CVE-2021-20181", "CVE-2021-20221", "CVE-2020-29443", "CVE-2020-28916"], "modified": "2021-02-19T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:qemu-system-mips", "p-cpe:/a:debian:debian_linux:qemu-system-sparc", "p-cpe:/a:debian:debian_linux:qemu-utils", "p-cpe:/a:debian:debian_linux:qemu-kvm", "p-cpe:/a:debian:debian_linux:qemu-system-x86", "p-cpe:/a:debian:debian_linux:qemu", "p-cpe:/a:debian:debian_linux:qemu-system", "p-cpe:/a:debian:debian_linux:qemu-guest-agent", "p-cpe:/a:debian:debian_linux:qemu-user-binfmt", "p-cpe:/a:debian:debian_linux:qemu-system-common", "p-cpe:/a:debian:debian_linux:qemu-user", "p-cpe:/a:debian:debian_linux:qemu-system-ppc", "p-cpe:/a:debian:debian_linux:qemu-system-misc", "p-cpe:/a:debian:debian_linux:qemu-block-extra", "p-cpe:/a:debian:debian_linux:qemu-user-static", "p-cpe:/a:debian:debian_linux:qemu-system-arm", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2560.NASL", "href": "https://www.tenable.com/plugins/nessus/146609", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2560-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(146609);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/23\");\n\n script_cve_id(\"CVE-2020-15469\", \"CVE-2020-15859\", \"CVE-2020-25084\", \"CVE-2020-28916\", \"CVE-2020-29130\", \"CVE-2020-29443\", \"CVE-2021-20181\", \"CVE-2021-20221\");\n\n script_name(english:\"Debian DLA-2560-1 : qemu security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities were discovered in QEMU, a fast processor\nemulator (notably used in KVM and Xen HVM virtualization). An attacker\ncould trigger a denial of service (DoS), information leak, and\npossibly execute arbitrary code with the privileges of the QEMU\nprocess on the host.\n\nCVE-2020-15469\n\nA MemoryRegionOps object may lack read/write callback methods, leading\nto a NULL pointer dereference.\n\nCVE-2020-15859\n\nQEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS\nuser can trigger an e1000e packet with the data's address set to the\ne1000e's MMIO address.\n\nCVE-2020-25084\n\nQEMU has a use-after-free in hw/usb/hcd-xhci.c because the\nusb_packet_map return value is not checked.\n\nCVE-2020-28916\n\nhw/net/e1000e_core.c has an infinite loop via an RX descriptor with a\nNULL buffer address.\n\nCVE-2020-29130\n\nslirp.c has a buffer over-read because it tries to read a certain\namount of header data even if that exceeds the total packet length.\n\nCVE-2020-29443\n\nide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read\naccess because a buffer index is not validated.\n\nCVE-2021-20181\n\n9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege\nescalation vulnerability.\n\nCVE-2021-20221\n\naarch64: GIC: out-of-bound heap buffer access via an interrupt ID\nfield.\n\nFor Debian 9 stretch, these problems have been fixed in version\n1:2.8+dfsg-6+deb9u13.\n\nWe recommend that you upgrade your qemu packages.\n\nFor the detailed security status of qemu please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/qemu\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/02/msg00024.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/qemu\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/qemu\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-29130\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-block-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user-binfmt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"qemu\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-block-extra\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-guest-agent\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-kvm\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-arm\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-common\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-mips\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-misc\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-ppc\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-sparc\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-x86\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-user\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-user-binfmt\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-user-static\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-utils\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2021-02-09T21:36:00", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2021-9034 advisory.\n\n - An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before\n 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its\n 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the\n QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the\n privileges of the QEMU process on the host. (CVE-2020-14364)\n\n - In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects\n the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the\n QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in\n hw/net/net_tx_pkt.c. (CVE-2020-16092)\n\n - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address\n in an msi-x mmio operation. (CVE-2020-13754)\n\n - In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a\n crafted reply_queue_head field from a guest OS user. (CVE-2020-13362)\n\n - hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame\n size is not validated against the r/w data length. (CVE-2020-11102)\n\n - hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This\n occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or\n process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or\n potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.\n (CVE-2020-15863)\n\n - hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an\n address near the end of the PCI configuration space. (CVE-2020-13791)\n\n - address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.\n (CVE-2020-13659)\n\n - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read\n during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)\n\n - A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM\n introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation\n process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could\n obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all\n programs running on QEMU. (CVE-2020-10702)\n\n - hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading\n to a buffer overflow involving the PCIe extended config space. (CVE-2019-15034)\n\n - In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw\n occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write()\n callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in\n hw/display/sm501.c on the host, resulting in a denial of service. (CVE-2020-12829)\n\n - oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position. (CVE-2020-14415)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not\n checked. (CVE-2020-25084)\n\n - ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a\n calculation. A guest can crash the QEMU process. (CVE-2020-27616)\n\n - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of\n header data even if that exceeds the total packet length. (CVE-2020-29129)\n\n - slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of\n header data even if that exceeds the total packet length. (CVE-2020-29130)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host\n controller driver. (CVE-2020-25624)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.\n (CVE-2020-28916)\n\n - An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.\n This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known\n as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible\n information disclosure. This flaw affects versions of libslirp before 4.3.1. (CVE-2020-10756)\n\n - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while\n processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user\n within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host,\n resulting in a denial of service. (CVE-2020-25723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 5.6, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}, "published": "2021-02-05T00:00:00", "title": "Oracle Linux 7 : qemu (ELSA-2021-9034)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-15863", "CVE-2020-14364", "CVE-2020-25625", "CVE-2020-16092", "CVE-2020-13791", "CVE-2020-13754", "CVE-2020-13659", "CVE-2020-11102", "CVE-2020-29130", "CVE-2019-15034", "CVE-2020-25084", "CVE-2020-12829", "CVE-2020-10702", "CVE-2020-29129", "CVE-2020-25723", "CVE-2020-10756", "CVE-2020-27616", "CVE-2020-28916", "CVE-2020-25624", "CVE-2020-14415", "CVE-2020-13253", "CVE-2020-13362"], "modified": "2021-02-05T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:qemu-system-x86-core", "p-cpe:/a:oracle:linux:qemu-kvm-core", "p-cpe:/a:oracle:linux:qemu-common", "p-cpe:/a:oracle:linux:qemu-system-x86", "p-cpe:/a:oracle:linux:qemu", "p-cpe:/a:oracle:linux:qemu-img", "p-cpe:/a:oracle:linux:qemu-block-iscsi", "p-cpe:/a:oracle:linux:qemu-block-rbd", "cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:qemu-kvm", "p-cpe:/a:oracle:linux:qemu-block-gluster"], "id": "ORACLELINUX_ELSA-2021-9034.NASL", "href": "https://www.tenable.com/plugins/nessus/146269", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9034.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146269);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/08\");\n\n script_cve_id(\n \"CVE-2019-15034\",\n \"CVE-2020-10702\",\n \"CVE-2020-10756\",\n \"CVE-2020-11102\",\n \"CVE-2020-12829\",\n \"CVE-2020-13253\",\n \"CVE-2020-13362\",\n \"CVE-2020-13659\",\n \"CVE-2020-13754\",\n \"CVE-2020-13791\",\n \"CVE-2020-14364\",\n \"CVE-2020-14415\",\n \"CVE-2020-15863\",\n \"CVE-2020-16092\",\n \"CVE-2020-25084\",\n \"CVE-2020-25624\",\n \"CVE-2020-25625\",\n \"CVE-2020-25723\",\n \"CVE-2020-27616\",\n \"CVE-2020-28916\",\n \"CVE-2020-29129\",\n \"CVE-2020-29130\"\n );\n\n script_name(english:\"Oracle Linux 7 : qemu (ELSA-2021-9034)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2021-9034 advisory.\n\n - An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before\n 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its\n 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the\n QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the\n privileges of the QEMU process on the host. (CVE-2020-14364)\n\n - In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects\n the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the\n QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in\n hw/net/net_tx_pkt.c. (CVE-2020-16092)\n\n - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address\n in an msi-x mmio operation. (CVE-2020-13754)\n\n - In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a\n crafted reply_queue_head field from a guest OS user. (CVE-2020-13362)\n\n - hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame\n size is not validated against the r/w data length. (CVE-2020-11102)\n\n - hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This\n occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or\n process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or\n potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.\n (CVE-2020-15863)\n\n - hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an\n address near the end of the PCI configuration space. (CVE-2020-13791)\n\n - address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.\n (CVE-2020-13659)\n\n - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read\n during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)\n\n - A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM\n introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation\n process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could\n obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all\n programs running on QEMU. (CVE-2020-10702)\n\n - hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading\n to a buffer overflow involving the PCIe extended config space. (CVE-2019-15034)\n\n - In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw\n occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write()\n callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in\n hw/display/sm501.c on the host, resulting in a denial of service. (CVE-2020-12829)\n\n - oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position. (CVE-2020-14415)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not\n checked. (CVE-2020-25084)\n\n - ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a\n calculation. A guest can crash the QEMU process. (CVE-2020-27616)\n\n - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of\n header data even if that exceeds the total packet length. (CVE-2020-29129)\n\n - slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of\n header data even if that exceeds the total packet length. (CVE-2020-29130)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host\n controller driver. (CVE-2020-25624)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.\n (CVE-2020-28916)\n\n - An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.\n This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known\n as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible\n information disclosure. This flaw affects versions of libslirp before 4.3.1. (CVE-2020-10756)\n\n - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while\n processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user\n within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host,\n resulting in a denial of service. (CVE-2020-25723)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9034.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-11102\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-block-gluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-system-x86-core\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\npkgs = [\n {'reference':'qemu-4.2.1-4.el7', 'cpu':'aarch64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-4.2.1-4.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-block-gluster-4.2.1-4.el7', 'cpu':'aarch64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-block-gluster-4.2.1-4.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-block-iscsi-4.2.1-4.el7', 'cpu':'aarch64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-block-iscsi-4.2.1-4.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-block-rbd-4.2.1-4.el7', 'cpu':'aarch64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-block-rbd-4.2.1-4.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-common-4.2.1-4.el7', 'cpu':'aarch64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-common-4.2.1-4.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-img-4.2.1-4.el7', 'cpu':'aarch64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-img-4.2.1-4.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-kvm-4.2.1-4.el7', 'cpu':'aarch64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-kvm-4.2.1-4.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-kvm-core-4.2.1-4.el7', 'cpu':'aarch64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-kvm-core-4.2.1-4.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-system-x86-4.2.1-4.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'15'},\n {'reference':'qemu-system-x86-core-4.2.1-4.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'15'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n rpm_prefix = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rpm_prefix'])) rpm_prefix = package_array['rpm_prefix'];\n if (reference && release) {\n if (rpm_prefix) {\n if (rpm_exists(release:release, rpm:rpm_prefix) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-gluster / qemu-block-iscsi / etc');\n}", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ubuntu": [{"lastseen": "2021-02-26T16:00:45", "bulletinFamily": "unix", "cvelist": ["CVE-2020-15859", "CVE-2020-27821", "CVE-2021-20181", "CVE-2020-11947", "CVE-2020-29443", "CVE-2020-28916"], "description": "It was discovered that QEMU incorrectly handled memory in iSCSI emulation. \nAn attacker inside the guest could possibly use this issue to obtain \nsensitive information. This issue only affected Ubuntu 16.04 LTS, Ubuntu \n18.04 LTS, and Ubuntu 20.04 LTS. (CVE-2020-11947)\n\nAlexander Bulekov discovered that QEMU incorrectly handled Intel e1000e \nemulation. An attacker inside the guest could use this issue to cause QEMU \nto crash, resulting in a denial of service. (CVE-2020-15859)\n\nAlexander Bulekov discovered that QEMU incorrectly handled memory region \ncache. An attacker inside the guest could use this issue to cause QEMU to \ncrash, resulting in a denial of service. This issue only affected Ubuntu \n20.04 LTS, and Ubuntu 20.10. (CVE-2020-27821)\n\nCheol-woo Myung discovered that QEMU incorrectly handled Intel e1000e \nemulation. An attacker inside the guest could use this issue to cause a \ndenial of service. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 \nLTS, and Ubuntu 20.10. (CVE-2020-28916)\n\nWenxiang Qian discovered that QEMU incorrectly handled ATAPI emulation. An \nattacker inside the guest could use this issue to cause QEMU to crash, \nresulting in a denial of service. (CVE-2020-29443)\n\nIt was discovered that QEMU incorrectly handled VirtFS directory sharing. \nAn attacker inside the guest could use this issue to cause QEMU to crash, \nresulting in a denial of service. (CVE-2021-20181)", "edition": 2, "modified": "2021-02-08T00:00:00", "published": "2021-02-08T00:00:00", "id": "USN-4725-1", "href": "https://ubuntu.com/security/notices/USN-4725-1", "title": "QEMU vulnerabilities", "type": "ubuntu", "cvss": {"score": 3.3, "vector": "AV:L/AC:M/Au:N/C:P/I:N/A:P"}}], "debian": [{"lastseen": "2021-02-19T01:26:33", "bulletinFamily": "unix", "cvelist": ["CVE-2020-15859", "CVE-2020-15469", "CVE-2020-29130", "CVE-2020-25084", "CVE-2021-20181", "CVE-2021-20221", "CVE-2020-29443", "CVE-2020-28916"], "description": "--------------------------------------------------------------------------\nDebian LTS Advisory DLA-2560-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Sylvain Beucler\nFebruary 18, 2021 https://wiki.debian.org/LTS\n--------------------------------------------------------------------------\n\nPackage : qemu\nVersion : 1:2.8+dfsg-6+deb9u13\nCVE ID : CVE-2020-15469 CVE-2020-15859 CVE-2020-25084 CVE-2020-28916 \n CVE-2020-29130 CVE-2020-29443 CVE-2021-20181 CVE-2021-20221\nDebian Bug : 970253 965978 970539 974687 976388\n\nSeveral vulnerabilities were discovered in QEMU, a fast processor\nemulator (notably used in KVM and Xen HVM virtualization). An attacker\ncould trigger a denial-of-service (DoS), information leak, and\npossibly execute arbitrary code with the privileges of the QEMU\nprocess on the host.\n\nCVE-2020-15469\n\n A MemoryRegionOps object may lack read/write callback methods,\n leading to a NULL pointer dereference.\n\nCVE-2020-15859\n\n QEMU has a use-after-free in hw/net/e1000e_core.c because a guest\n OS user can trigger an e1000e packet with the data&#x27;s address set\n to the e1000e&#x27;s MMIO address.\n\nCVE-2020-25084\n\n QEMU has a use-after-free in hw/usb/hcd-xhci.c because the\n usb_packet_map return value is not checked.\n\nCVE-2020-28916\n\n hw/net/e1000e_core.c has an infinite loop via an RX descriptor\n with a NULL buffer address.\n\nCVE-2020-29130\n\n slirp.c has a buffer over-read because it tries to read a certain\n amount of header data even if that exceeds the total packet\n length.\n\nCVE-2020-29443\n\n ide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds\n read access because a buffer index is not validated.\n\nCVE-2021-20181\n\n 9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege\n escalation vulnerability.\n\nCVE-2021-20221\n\n aarch64: GIC: out-of-bound heap buffer access via an interrupt ID\n field.\n\nFor Debian 9 stretch, these problems have been fixed in version\n1:2.8+dfsg-6+deb9u13.\n\nWe recommend that you upgrade your qemu packages.\n\nFor the detailed security status of qemu please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/qemu\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 1, "modified": "2021-02-18T16:57:52", "published": "2021-02-18T16:57:52", "id": "DEBIAN:DLA-2560-1:73BB2", "href": "https://lists.debian.org/debian-lts-announce/2021/debian-lts-announce-202102/msg00024.html", "title": "[SECURITY] [DLA 2560-1] qemu security update", "type": "debian", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}], "oraclelinux": [{"lastseen": "2021-02-09T02:44:07", "bulletinFamily": "unix", "cvelist": ["CVE-2017-16845", "CVE-2017-15124", "CVE-2020-15863", "CVE-2017-15268", "CVE-2018-5683", "CVE-2018-15746", "CVE-2020-14364", "CVE-2020-25625", "CVE-2017-9503", "CVE-2018-19489", "CVE-2017-5753", "CVE-2017-5754", "CVE-2017-8112", "CVE-2017-7493", "CVE-2020-16092", "CVE-2020-13791", "CVE-2018-11806", "CVE-2018-12126", "CVE-2017-11334", "CVE-2018-12617", "CVE-2017-15119", "CVE-2018-10839", "CVE-2020-13754", "CVE-2020-13659", "CVE-2017-8379", "CVE-2018-16867", "CVE-2017-15038", "CVE-2018-20123", "CVE-2018-20125", "CVE-2018-16847", "CVE-2018-20126", "CVE-2017-14167", "CVE-2020-11102", "CVE-2020-29130", "CVE-2020-1711", "CVE-2017-13673", "CVE-2019-15034", "CVE-2020-25084", "CVE-2020-12829", "CVE-2020-8608", "CVE-2017-15289", "CVE-2019-8934", "CVE-2020-10761", "CVE-2018-12127", "CVE-2017-8380", "CVE-2017-8309", "CVE-2017-12809", "CVE-2017-13711", "CVE-2017-5715", "CVE-2017-2630", "CVE-2020-13361", "CVE-2019-12068", "CVE-2017-18030", "CVE-2018-17963", "CVE-2020-10702", "CVE-2018-20216", "CVE-2019-6778", "CVE-2017-17381", "CVE-2019-20382", "CVE-2020-11869", "CVE-2017-7471", "CVE-2017-2633", "CVE-2019-9824", "CVE-2019-15890", "CVE-2020-29129", "CVE-2018-18849", "CVE-2018-20815", "CVE-2020-25723", "CVE-2017-10806", "CVE-2020-13765", "CVE-2020-10756", "CVE-2019-5008", "CVE-2017-13672", "CVE-2018-19364", "CVE-2018-17962", "CVE-2018-16872", "CVE-2018-20191", "CVE-2017-6058", "CVE-2020-1983", "CVE-2019-14378", "CVE-2019-3812", "CVE-2020-27616", "CVE-2020-28916", "CVE-2017-5931", "CVE-2018-7550", "CVE-2020-25624", "CVE-2019-12155", "CVE-2020-14415", "CVE-2017-18043", "CVE-2018-17958", "CVE-2019-6501", "CVE-2018-3639", "CVE-2019-11091", "CVE-2020-13253", "CVE-2018-7858", "CVE-2018-20124", "CVE-2017-9524", "CVE-2020-13800", "CVE-2020-13362", "CVE-2018-12130"], "description": "[15:4.2.1-4.el7]\n- Document CVE-2020-25723 as fixed (Mark Kanda) [Orabug: 32222397] {CVE-2020-25084} {CVE-2020-25723}\n- hw/net/e1000e: advance desc_offset in case of null descriptor (Prasad J Pandit) [Orabug: 32217517] {CVE-2020-28916}\n- i386: Add 2nd Generation AMD EPYC processors (Moger, Babu) [Orabug: 32217570]\n- libslirp: Update version to include CVE fixes (Mark Kanda) [Orabug: 32208456] [Orabug: 32208462] {CVE-2020-29129} {CVE-2020-29130}\n- Document CVE-2020-25624 as fixed (Mark Kanda) [Orabug: 32212527] {CVE-2020-25624} {CVE-2020-25625}\n- pvpanic: Advertise the PVPANIC_CRASHLOADED event support (Paolo Bonzini) [Orabug: 32102853]\n- ati: check x y display parameter values (Prasad J Pandit) [Orabug: 32108251] {CVE-2020-27616}\n- Add AArch64 support for QMP regdump tool and sosreport plugin (Mark Kanda) [Orabug: 32080658]\n- Add qemu_regdump sosreport plugin support for '-mon' QMP sockets (Mark Kanda) \n- migration/dirtyrate: present dirty rate only when querying the rate has completed (Chuan Zheng) \n- migration/dirtyrate: record start_time and calc_time while at the measuring state (Chuan Zheng) \n- migration/dirtyrate: Add trace_calls to make it easier to debug (Chuan Zheng) \n- migration/dirtyrate: Implement qmp_cal_dirty_rate()/qmp_get_dirty_rate() function (Chuan Zheng) \n- migration/dirtyrate: Implement calculate_dirtyrate() function (Chuan Zheng) \n- migration/dirtyrate: Implement set_sample_page_period() and is_sample_period_valid() (Chuan Zheng) \n- migration/dirtyrate: skip sampling ramblock with size below MIN_RAMBLOCK_SIZE (Chuan Zheng) \n- migration/dirtyrate: Compare page hash results for recorded sampled page (Chuan Zheng) \n- migration/dirtyrate: Record hash results for each sampled page (Chuan Zheng) \n- migration/dirtyrate: move RAMBLOCK_FOREACH_MIGRATABLE into ram.h (Chuan Zheng) \n- migration/dirtyrate: Add dirtyrate statistics series functions (Chuan Zheng) \n- migration/dirtyrate: Add RamblockDirtyInfo to store sampled page info (Chuan Zheng) \n- migration/dirtyrate: add DirtyRateStatus to denote calculation status (Chuan Zheng) \n- migration/dirtyrate: setup up query-dirtyrate framwork (Chuan Zheng) \n- ram_addr: Split RAMBlock definition (Juan Quintela)\n[15:4.2.1-3.el7]\n- qemu-kvm.spec: Install block storage module RPMs by default (Karl Heubaum) [Orabug: 31943789]\n- qemu-kvm.spec: Enable block-ssh module RPM (Karl Heubaum) [Orabug: 31943763]\n- hw: usb: hcd-ohci: check for processed TD before retire (Prasad J Pandit) [Orabug: 31901690] {CVE-2020-25625}\n- hw: usb: hcd-ohci: check len and frame_number variables (Prasad J Pandit) [Orabug: 31901690] {CVE-2020-25625}\n- hw: ehci: check return value of 'usb_packet_map' (Li Qiang) [Orabug: 31901649] {CVE-2020-25084}\n- hw: xhci: check return value of 'usb_packet_map' (Li Qiang) [Orabug: 31901649] {CVE-2020-25084}\n- qemu.spec: Enable '-Werror' for OL7 builds (Mark Kanda) [Orabug: 31922718]\n- usb: fix setup_len init (CVE-2020-14364) (Gerd Hoffmann) [Orabug: 31848849] {CVE-2020-14364}\n- Document CVE-2020-12829 and CVE-2020-14415 as fixed (Mark Kanda) [Orabug: 31855502] [Orabug: 31855427] {CVE-2020-12829} {CVE-2020-14415}\n[15:4.2.1-2.el7]\n- hw/net/xgmac: Fix buffer overflow in xgmac_enet_send() (Mauro Matteo Cascella) [Orabug: 31667649] {CVE-2020-15863}\n- hw/net/net_tx_pkt: fix assertion failure in net_tx_pkt_add_raw_fragment() (Mauro Matteo Cascella) [Orabug: 31737809] {CVE-2020-16092}\n- migration: fix memory leak in qmp_migrate_set_parameters (Zheng Chuan) [Orabug: 31806256]\n- virtio-net: fix removal of failover device (Juan Quintela) [Orabug: 31806255]\n- pvpanic: implement crashloaded event handling (Zhenwei Pi) [Orabug: 31677154]\n- pvpanic: introduce crashloaded for pvpanic (Zhenwei Pi) [Orabug: 31677154]\n[15:4.2.1-1.el7]\n- hw/sd/sdcard: Do not switch to ReceivingData if address is invalid (Philippe Mathieu-Daude) [Orabug: 31414336] {CVE-2020-13253}\n- hw/sd/sdcard: Update coding style to make checkpatch.pl happy (Philippe Mathieu-Daude) [Orabug: 31414336]\n- hw/sd/sdcard: Do not allow invalid SD card sizes (Philippe Mathieu-Daude) [Orabug: 31414336] {CVE-2020-13253}\n- hw/sd/sdcard: Simplify realize() a bit (Philippe Mathieu-Daude) [Orabug: 31414336]\n- hw/sd/sdcard: Restrict Class 6 commands to SCSD cards (Philippe Mathieu-Daude) [Orabug: 31414336]\n- libslirp: Update to v4.3.1 to fix CVE-2020-10756 (Karl Heubaum) [Orabug: 31604999] {CVE-2020-10756}\n- Document CVEs as fixed 2/2 (Karl Heubaum) [Orabug: 30618035] {CVE-2017-18043} {CVE-2018-10839} {CVE-2018-11806} {CVE-2018-12617} {CVE-2018-15746} {CVE-2018-16847} {CVE-2018-16867} {CVE-2018-17958} {CVE-2018-17962} {CVE-2018-17963} {CVE-2018-18849} {CVE-2018-19364} {CVE-2018-19489} {CVE-2018-3639} {CVE-2018-5683} {CVE-2018-7550} {CVE-2018-7858} {CVE-2019-12068} {CVE-2019-15034} {CVE-2019-15890} {CVE-2019-20382} {CVE-2020-10702} {CVE-2020-10761} {CVE-2020-11102} {CVE-2020-11869} {CVE-2020-13361} {CVE-2020-13765} {CVE-2020-13800} {CVE-2020-1711} {CVE-2020-1983} {CVE-2020-8608}\n- Document CVEs as fixed 1/2 (Karl Heubaum) [Orabug: 30618035] {CVE-2017-10806} {CVE-2017-11334} {CVE-2017-12809} {CVE-2017-13672} {CVE-2017-13673} {CVE-2017-13711} {CVE-2017-14167} {CVE-2017-15038} {CVE-2017-15119} {CVE-2017-15124} {CVE-2017-15268} {CVE-2017-15289} {CVE-2017-16845} {CVE-2017-17381} {CVE-2017-18030} {CVE-2017-2630} {CVE-2017-2633} {CVE-2017-5715} {CVE-2017-5753} {CVE-2017-5754} {CVE-2017-5931} {CVE-2017-6058} {CVE-2017-7471} {CVE-2017-7493} {CVE-2017-8112} {CVE-2017-8309} {CVE-2017-8379} {CVE-2017-8380} {CVE-2017-9503} {CVE-2017-9524} {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2018-16872} {CVE-2018-20123} {CVE-2018-20124} {CVE-2018-20125} {CVE-2018-20126} {CVE-2018-20191} {CVE-2018-20216} {CVE-2018-20815} {CVE-2019-11091} {CVE-2019-12155} {CVE-2019-14378} {CVE-2019-3812} {CVE-2019-5008} {CVE-2019-6501} {CVE-2019-6778} {CVE-2019-8934} {CVE-2019-9824}\n- qemu-kvm.spec: Add .spec file for OL8 (Karl Heubaum) [Orabug: 30618035]\n- qemu.spec: Add .spec file for OL7 (Karl Heubaum) [Orabug: 30618035]\n- qemu-submodule-init: Add Git submodule init script (Karl Heubaum) [Orabug: 30618035]\n- vhost.conf: Initial vhost.conf (Karl Heubaum) [Orabug: 30618035]\n- parfait: Add buildrpm/parfait-qemu.conf (Karl Heubaum) [Orabug: 30618035]\n- virtio: Set PCI subsystem vendor ID to Oracle (Karl Heubaum) [Orabug: 30618035]\n- qemu_regdump.py: Initial qemu_regdump.py (Karl Heubaum) [Orabug: 30618035]\n- qmp-regdump: Initial qmp-regdump (Karl Heubaum) [Orabug: 30618035]\n- bridge.conf: Initial bridge.conf (Karl Heubaum) [Orabug: 30618035]\n- kvm.conf: Initial kvm.conf (Karl Heubaum) [Orabug: 30618035]\n- 80-kvm.rules: Initial 80-kvm.rules (Karl Heubaum) [Orabug: 30618035]\n- exec: set map length to zero when returning NULL (Prasad J Pandit) [Orabug: 31439733] {CVE-2020-13659}\n- megasas: use unsigned type for reply_queue_head and check index (Prasad J Pandit) [Orabug: 31414338] {CVE-2020-13362}\n- memory: Revert 'memory: accept mismatching sizes in memory_region_access_valid' (Michael S. Tsirkin) [Orabug: 31439736] [Orabug: 31452202] {CVE-2020-13754} {CVE-2020-13791}\n[15:4.1.1-3.el7]\n- buildrpm/spec files: Dont package elf2dmp (Karl Heubaum) [Orabug: 31657424]\n- qemu-kvm.spec: Enable the block-curl package (Karl Heubaum) [Orabug: 31657424]\n- qemu.spec: enable have_curl in spec (Dongli Zhang) [Orabug: 31657424]\n[15:4.1.1-2.el7]\n- Document CVE-2020-13765 as fixed (Karl Heubaum) [Orabug: 31463250] {CVE-2020-13765}\n- kvm: Reallocate dirty_bmap when we change a slot (Dr. David Alan Gilbert) [Orabug: 31076399]\n- kvm: split too big memory section on several memslots (Igor Mammedov) [Orabug: 31076399]\n- target/i386: do not set unsupported VMX secondary execution controls (Vitaly Kuznetsov) [Orabug: 31463710]\n- target/i386: add VMX definitions (Paolo Bonzini) [Orabug: 31463710]\n- ati-vga: check mm_index before recursive call (CVE-2020-13800) (Prasad J Pandit) [Orabug: 31452206] {CVE-2020-13800}\n- es1370: check total frame count against current frame (Prasad J Pandit) [Orabug: 31463235] {CVE-2020-13361}\n- ati-vga: Fix checks in ati_2d_blt() to avoid crash (BALATON Zoltan) [Orabug: 31238432] {CVE-2020-11869}\n- libslirp: Update to stable-4.2 to fix CVE-2020-1983 (Karl Heubaum) [Orabug: 31241227] {CVE-2020-1983}\n- Document CVEs as fixed (Karl Heubaum) {CVE-2019-12068} {CVE-2019-15034}\n- libslirp: Update to version 4.2.0 to fix CVEs (Karl Heubaum) [Orabug: 30274592] [Orabug: 30869830] {CVE-2019-15890} {CVE-2020-8608}\n- target/i386: add support for MSR_IA32_TSX_CTRL (Paolo Bonzini) [Orabug: 31124041]\n- qemu-img: Add --target-is-zero to convert (David Edmondson) \n- vnc: fix memory leak when vnc disconnect (Li Qiang) [Orabug: 30996427] {CVE-2019-20382}\n- iscsi: Cap block count from GET LBA STATUS (CVE-2020-1711) (Felipe Franciosi) [Orabug: 31124035] {CVE-2020-1711}\n- qemu.spec: Remove 'BuildRequires: kernel' (Karl Heubaum) [Orabug: 31124047]\n[15:4.1.1-1.el7]\n- qemu-submodule-init: Add Git submodule init script", "edition": 2, "modified": "2021-02-08T00:00:00", "published": "2021-02-08T00:00:00", "id": "ELSA-2021-9034", "href": "http://linux.oracle.com/errata/ELSA-2021-9034.html", "title": "qemu security update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}]}