The remote SUSE Linux SLES11 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2020:14396-1 advisory.
In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing a script in lsi_execute_script(), the LSI SCSI adapter emulator advances the 's->dsp' index to read the next opcode. This can lead to an infinite loop if the next opcode is empty. The fix moves the existing loop exit (after 10k iterations) so that it covers no-op opcodes as well. (CVE-2019-12068)
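The loop-bound placement described for CVE-2019-12068, as an added example written for this page rather than QEMU's own lsi_execute_script(): a toy SCRIPTS-style interpreter in which opcode 0 is the "empty" opcode, the guest script wraps around like a device-addressable memory region, and the 10k instruction bound is checked either only on the real-instruction path (the pre-fix placement) or before the empty-opcode short-cut (the fixed placement). The opcode names, the function signature and the demo-only watchdog that stands in for "spins forever" are this example's assumptions, not QEMU's.

```c
#include <stddef.h>
#include <stdint.h>

/* Toy SCRIPTS-style interpreter modelling the bug and fix behind
 * CVE-2019-12068 (written for this page; not QEMU's lsi_execute_script()).
 * The script is guest-controlled memory read as a ring of 32-bit opcodes and
 * `dsp` indexes the next one. Opcode 0 is the "empty" opcode: the emulator
 * advances dsp and fetches again without doing any work. */

#define INSN_LIMIT 10000     /* per-run instruction bound, as in the fix ("10k iterations") */
#define WATCHDOG   1000000   /* demo only: stands in for "spins forever" so the run terminates */

enum { OP_EMPTY = 0, OP_WORK = 1, OP_HALT = 2 };

/* Runs `script` (len opcodes, wrapping like a memory region). Returns the
 * number of opcodes fetched before the script halted or the bound fired, or
 * -1 if the demo watchdog had to stop it (the real device would not stop).
 * bound_covers_empty = 0 reproduces the vulnerable placement of the bound
 * check, 1 the fixed placement. */
long execute_script(const uint32_t *script, size_t len, int bound_covers_empty)
{
    size_t dsp = 0;
    long processed = 0, fetched = 0;

    if (len == 0)
        return 0;

    for (;;) {
        if (fetched >= WATCHDOG)
            return -1;                                /* would hang the vCPU thread */
        fetched++;

        /* Fixed placement: count every fetch, empty opcodes included, so a
         * script consisting only of empty opcodes still hits the bound. */
        if (bound_covers_empty && ++processed > INSN_LIMIT)
            break;

        uint32_t insn = script[dsp];
        dsp = (dsp + 1) % len;                        /* advance to the next opcode */

        if (insn == OP_EMPTY)
            continue;                                 /* vulnerable path: jumps straight back */

        /* Original placement: only opcodes that did real work were counted. */
        if (!bound_covers_empty && ++processed > INSN_LIMIT)
            break;

        if (insn == OP_HALT)
            break;
        /* OP_WORK: a real instruction body would execute here */
    }
    return fetched;
}
```

With an all-zero script the vulnerable placement never increments the counter and only the demo watchdog ends the run; the fixed placement stops after INSN_LIMIT fetches. Scripts that contain real instructions behave the same under both placements, which is why the misplaced check went unnoticed.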
libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)
In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. (CVE-2019-6778)
A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service. (CVE-2020-1983)
tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access, which can lead to a DoS or potentially arbitrary code execution. (CVE-2020-7039)
In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. (CVE-2020-8608)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
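A generic model of the snprintf() misuse behind CVE-2020-8608, as an added example written for this page (not libslirp's tcp_subr.c): snprintf() returns the length the complete formatted string would have had, not the number of bytes it stored, so advancing a write cursor by the return value walks it past the buffer as soon as anything is truncated; the checked variant treats a return value >= the remaining space as truncation and stops. The buffer size, the "parts" input and both function names are constructed for the demo. The unchecked variant suppresses the actual out-of-bounds write (it switches to snprintf(NULL, 0, ...) once the cursor is past the end) so that the demo itself stays well-defined while still reporting where the cursor ends up.

```c
#include <stdio.h>
#include <stddef.h>

/* Generic model of the snprintf() return-value misuse behind CVE-2020-8608
 * (written for this page; not libslirp's tcp_subr.c). snprintf() returns the
 * length the complete formatted string WOULD have had, not the number of
 * bytes it stored, so code that advances a write cursor by that value moves
 * it past the end of the buffer once anything is truncated. */

/* Vulnerable pattern: cursor advanced by the raw return value. Returns the
 * final cursor offset, which is what the next write in real code would use.
 * Demo safeguard: once the cursor is past the end, the formatting is done
 * with snprintf(NULL, 0, ...) instead of writing out of bounds; the offset
 * arithmetic is unchanged, so the reported overflow is the real one. */
size_t emit_unchecked(char *buf, size_t size, const char *const *parts, size_t nparts)
{
    size_t off = 0;
    for (size_t i = 0; i < nparts; i++) {
        int n = (off < size)
              ? snprintf(buf + off, size - off, "%s ", parts[i])
              : snprintf(NULL, 0, "%s ", parts[i]);
        if (n < 0)
            break;
        off += (size_t)n;                 /* bug: n may exceed size - off */
    }
    return off;
}

/* Hardened form: a return value >= the remaining space means the output was
 * truncated; stop there and report it rather than continuing past the end.
 * Returns 0 on success, -1 on truncation; *written is the bytes actually used. */
int emit_checked(char *buf, size_t size, const char *const *parts, size_t nparts, size_t *written)
{
    size_t off = 0;
    for (size_t i = 0; i < nparts; i++) {
        int n = snprintf(buf + off, size - off, "%s ", parts[i]);
        if (n < 0 || (size_t)n >= size - off) {
            *written = off;               /* buf[off] is the terminating NUL */
            return -1;
        }
        off += (size_t)n;
    }
    *written = off;
    return 0;
}
```

With a 32-byte buffer and the four constructed tokens "NICK", "alice", "some-long-channel-name" and "more", the unchecked cursor ends at offset 39, seven bytes past the buffer; any memcpy or strcpy through that cursor in later code is the overflow. The checked form stops at offset 11 and tells the caller the message did not fit.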
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from
# SUSE update advisory SUSE-SU-2020:14396-1. The text itself
# is copyright (C) SUSE.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  script_id(150615);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/26");

  script_cve_id(
    "CVE-2019-6778",
    "CVE-2019-12068",
    "CVE-2019-15890",
    "CVE-2020-1983",
    "CVE-2020-7039",
    "CVE-2020-8608"
  );
  script_xref(name:"SuSE", value:"SUSE-SU-2020:14396-1");

  script_name(english:"SUSE SLES11 Security Update : kvm (SUSE-SU-2020:14396-1)");

  script_set_attribute(attribute:"synopsis", value:
"The remote SUSE host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote SUSE Linux SLES11 host has a package installed that is affected by multiple vulnerabilities as referenced in
the SUSE-SU-2020:14396-1 advisory.

  - In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2,
    and 1:2.1+dfsg-12+deb8u12 (fixed), when executing a script in lsi_execute_script(), the LSI SCSI adapter
    emulator advances the 's->dsp' index to read the next opcode. This can lead to an infinite loop if the next
    opcode is empty. The fix moves the existing loop exit (after 10k iterations) so that it covers no-op opcodes
    as well. (CVE-2019-12068)

  - libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

  - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. (CVE-2019-6778)

  - A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows
    crafted packets to cause a denial of service. (CVE-2020-1983)

  - tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC
    DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access, which
    can lead to a DoS or potentially arbitrary code execution. (CVE-2020-7039)

  - In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer
    overflow in later code. (CVE-2020-8608)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1123156");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1146873");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1149811");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1161066");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1163018");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.suse.com/1170940");
  # https://lists.suse.com/pipermail/sle-security-updates/2020-June/006934.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8719bd2a");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-12068");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-15890");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-6778");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-1983");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-7039");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2020-8608");
  script_set_attribute(attribute:"solution", value:
"Update the affected kvm package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-8608");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2019-6778");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/01/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/06/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2021/06/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kvm");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"SuSE Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}
include('audit.inc');
include('global_settings.inc');
include('misc_func.inc');
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');
os_ver = os_ver[1];
if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES11', 'SUSE ' + os_ver);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE ' + os_ver, cpu);
sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
pkgs = [
    {'reference':'kvm-1.4.2-60.31', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'SLES_SAP-release-11.4'},
    {'reference':'kvm-1.4.2-60.31', 'sp':'4', 'release':'SLES11', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'sles-release-11.4'}
];

flag = 0;
foreach package_array ( pkgs ) {
  reference = NULL;
  release = NULL;
  sp = NULL;
  cpu = NULL;
  exists_check = NULL;
  rpm_spec_vers_cmp = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (reference && release && exists_check) {
    if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
  }
  else if (reference && release) {
    if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;
  }
}

if (flag)
{
  ltss_plugin_caveat = '\n' +
  'NOTE: This vulnerability check contains fixes that apply to\n' +
  'packages only available in SUSE Enterprise Linux Server LTSS\n' +
  'repositories. Access to these package security updates require\n' +
  'a paid SUSE LTSS subscription.\n';

  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get() + ltss_plugin_caveat
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'kvm');
}
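The check above reduces to one comparison: is the installed kvm VERSION-RELEASE older than the advisory's kvm-1.4.2-60.31 on SLES11 SP4? rpm_check() with rpm_spec_vers_cmp does that segment-wise comparison inside Nessus. The following is an added example written for this page (not Tenable's plugin code and not rpm's own source) that re-implements the rpmvercmp() segment rules in C (numeric segments compared by value, alphabetic ones with strcmp, a numeric segment beats an alphabetic one, '~' sorts before anything including end of string, and whichever side has segments left over is newer) so the fixed-version test can be run locally. It compares only the VERSION-RELEASE pair (the plugin's reference carries no epoch), leaves out the newer '^' rule, and does not perform the plugin's release-package exists_check; the function names are this example's.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Fixed version-release taken from the advisory's package reference (kvm-1.4.2-60.31). */
#define KVM_FIXED_VR "1.4.2-60.31"

/* Re-implementation of rpm's rpmvercmp() segment rules, written for this
 * page. Returns 1 if a is newer than b, -1 if older, 0 if equal. */
int rpm_vercmp(const char *a, const char *b)
{
    if (strcmp(a, b) == 0)
        return 0;

    /* private copies: segments are NUL-terminated in place while comparing */
    char *one = malloc(strlen(a) + 1), *two = malloc(strlen(b) + 1);
    if (!one || !two) { free(one); free(two); abort(); }   /* out of memory */
    strcpy(one, a);
    strcpy(two, b);
    char *p = one, *q = two;
    int rc = 0;

    while (*p || *q) {
        /* separators are anything that is neither alphanumeric nor '~' */
        while (*p && !isalnum((unsigned char)*p) && *p != '~') p++;
        while (*q && !isalnum((unsigned char)*q) && *q != '~') q++;

        /* '~' sorts before everything, including the end of the string */
        if (*p == '~' || *q == '~') {
            if (*p != '~') { rc = 1;  break; }
            if (*q != '~') { rc = -1; break; }
            p++; q++;
            continue;
        }
        if (!(*p && *q))
            break;                              /* one side ran out of segments */

        char *ps = p, *qs = q;
        int isnum = isdigit((unsigned char)*p);
        if (isnum) {
            while (isdigit((unsigned char)*p)) p++;
            while (isdigit((unsigned char)*q)) q++;
        } else {
            while (isalpha((unsigned char)*p)) p++;
            while (isalpha((unsigned char)*q)) q++;
        }
        char cp = *p, cq = *q;
        *p = '\0'; *q = '\0';

        if (qs == q) { rc = isnum ? 1 : -1; break; }  /* mixed types: numeric is newer */

        if (isnum) {
            while (*ps == '0') ps++;            /* compare by value: drop leading zeros */
            while (*qs == '0') qs++;
            size_t lp = strlen(ps), lq = strlen(qs);
            if (lp != lq) { rc = lp > lq ? 1 : -1; break; }
        }
        rc = strcmp(ps, qs);                    /* equal-length numbers and alpha segments */
        if (rc) { rc = rc < 0 ? -1 : 1; break; }

        *p = cp; *q = cq;                       /* segments equal: restore and go on */
    }

    if (rc == 0 && (*p || *q))
        rc = *p ? 1 : -1;                       /* whoever has segments left is newer */

    free(one);
    free(two);
    return rc;
}

/* 1 if an installed kvm VERSION-RELEASE is at or past the advisory's fix, else 0. */
int kvm_is_fixed(const char *installed_vr)
{
    return rpm_vercmp(installed_vr, KVM_FIXED_VR) >= 0;
}
```

On the host, `rpm -q --qf '%{VERSION}-%{RELEASE}\n' kvm` yields the string to pass to kvm_is_fixed(). Note the order of the rules: "60.9" is older than "60.31" because numeric segments are compared by value, not as text, and a "~" pre-release tag sorts below the plain version, so a backport such as 1.4.2~something would be reported as older than 1.4.2-60.31 even if it carried the fix.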
Vendor | Product | Version | CPE
---|---|---|---
novell | suse_linux | kvm | p-cpe:/a:novell:suse_linux:kvm
novell | suse_linux | 11 | cpe:/o:novell:suse_linux:11
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12068
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15890
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6778
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1983
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7039
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8608
www.nessus.org/u?8719bd2a
bugzilla.suse.com/1123156
bugzilla.suse.com/1146873
bugzilla.suse.com/1149811
bugzilla.suse.com/1161066
bugzilla.suse.com/1163018
bugzilla.suse.com/1170940
www.suse.com/security/cve/CVE-2019-12068
www.suse.com/security/cve/CVE-2019-15890
www.suse.com/security/cve/CVE-2019-6778
www.suse.com/security/cve/CVE-2020-1983
www.suse.com/security/cve/CVE-2020-7039
www.suse.com/security/cve/CVE-2020-8608