QEMU 7.2.x < 7.2.15, 8.0.x < 8.0.6, 8.1.x < 8.1.6, 8.2.x < 8.2.8, 9.0.x < 9.0.4, 9.1.x < 9.1.1 Information Leak

27 Sep 2024 00:00:00 | Reported by Tenable | Type: nessus | www.tenable.com

QEMU versions prior to 8.2.1 are vulnerable to an information leak in the virtio-scsi, virtio-blk, and virtio-crypto devices.

Code
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(207835);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/11/15");

  script_cve_id("CVE-2024-8612");
  script_xref(name:"IAVB", value:"2024-B-0141-S");

  script_name(english:"QEMU 7.2.x < 7.2.15, 8.0.x < 8.0.6, 8.1.x < 8.1.6, 8.2.x <  8.2.8, 9.0.x < 9.0.4, 9.1.x < 9.1.1 Information Leak");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has virtualization software installed that is affected by an information leak.");
  script_set_attribute(attribute:"description", value:
"The version of QEMU installed on the remote Windows host is prior to 8.2.1 and therefore vulnerable to the following:
A flaw was found in QEMU, in the virtio-scsi, virtio-blk, and virtio-crypto devices. The size for virtqueue_push 
as set in virtio_scsi_complete_req / virtio_blk_req_complete / virtio_crypto_req_complete could be larger than the 
true size of the data which has been sent to guest. Once virtqueue_push() finally calls dma_memory_unmap to unmap 
the in_iov, it may call the address_space_write function to write back the data. Some uninitialized data may exist 
in the bounce.buffer, leading to an information leak. 

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version 
number.");
  script_set_attribute(attribute:"see_also", value:"https://www.qemu.org/download/#source");
  # https://gitlab.com/qemu-project/qemu/-/commit/637b0aa139565cb82a7b9269e62214f87082635c
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4dddf459");
  script_set_attribute(attribute:"solution", value:
"Upgrade to QEMU 7.2.15, 8.0.6, 8.1.6, 8.2.8, 9.0.4, 9.1.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-8612");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/09/19");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/09/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/09/27");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:qemu:qemu");
  script_set_attribute(attribute:"stig_severity", value:"III");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("qemu_installed_windows.nbin");
  script_require_keys("installed_sw/QEMU");

  exit(0);
}

include('vcf.inc');

var app = 'QEMU';

var app_info = vcf::get_app_info(app:app, win_local:TRUE);

var constraints = [
  { 'fixed_version': '7.2.15' },
  { 'min_version': '8.0.0', 'fixed_version': '8.0.6' },
  { 'min_version' : '8.1.0', 'fixed_version' : '8.1.6'},
  { 'min_version': '8.2.0', 'fixed_version': '8.2.8' },
  { 'min_version': '9.0.0', 'fixed_version': '9.0.4' },
  { 'min_version': '9.1', 'fixed_version': '9.1.1' }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_NOTE);

15 Nov 2024 00:00 (current)
Vulners AI Score: 6.1 (Medium risk)
CVSS 3.1: 3.8
EPSS: 0.00203