DATABASE RESOURCES PRICING ABOUT US

{"id": "OSV:DLA-3099-1", "vendorId": null, "type": "osv", "bulletinFamily": "software", "title": "qemu - security update", "description": "\nBrief introduction\n\n\n* [CVE-2020-13253](https://security-tracker.debian.org/tracker/CVE-2020-13253)\nDescription\n* [CVE-2020-15469](https://security-tracker.debian.org/tracker/CVE-2020-15469)\nDescription\n* [CVE-2020-15859](https://security-tracker.debian.org/tracker/CVE-2020-15859)\nDescription\n* [CVE-2020-25084](https://security-tracker.debian.org/tracker/CVE-2020-25084)\nDescription\n* [CVE-2020-25085](https://security-tracker.debian.org/tracker/CVE-2020-25085)\nDescription\n* [CVE-2020-25624](https://security-tracker.debian.org/tracker/CVE-2020-25624)\nDescription\n* [CVE-2020-25625](https://security-tracker.debian.org/tracker/CVE-2020-25625)\nDescription\n* [CVE-2020-25723](https://security-tracker.debian.org/tracker/CVE-2020-25723)\nDescription\n* [CVE-2020-27617](https://security-tracker.debian.org/tracker/CVE-2020-27617)\nDescription\n* [CVE-2020-27821](https://security-tracker.debian.org/tracker/CVE-2020-27821)\nDescription\n* [CVE-2020-28916](https://security-tracker.debian.org/tracker/CVE-2020-28916)\nDescription\n* [CVE-2020-29129](https://security-tracker.debian.org/tracker/CVE-2020-29129)\nDescription\n* [CVE-2020-29443](https://security-tracker.debian.org/tracker/CVE-2020-29443)\nDescription\n* [CVE-2020-35504](https://security-tracker.debian.org/tracker/CVE-2020-35504)\nDescription\n* [CVE-2020-35505](https://security-tracker.debian.org/tracker/CVE-2020-35505)\nDescription\n* [CVE-2021-3392](https://security-tracker.debian.org/tracker/CVE-2021-3392)\nDescription\n* [CVE-2021-3416](https://security-tracker.debian.org/tracker/CVE-2021-3416)\nDescription\n* [CVE-2021-3507](https://security-tracker.debian.org/tracker/CVE-2021-3507)\nDescription\n* [CVE-2021-3527](https://security-tracker.debian.org/tracker/CVE-2021-3527)\nDescription\n* [CVE-2021-3582](https://security-tracker.debian.org/tracker/CVE-2021-3582)\nDescription\n* [CVE-2021-3607](https://security-tracker.debian.org/tracker/CVE-2021-3607)\nDescription\n* [CVE-2021-3608](https://security-tracker.debian.org/tracker/CVE-2021-3608)\nDescription\n* [CVE-2021-3682](https://security-tracker.debian.org/tracker/CVE-2021-3682)\nDescription\n* [CVE-2021-3713](https://security-tracker.debian.org/tracker/CVE-2021-3713)\nDescription\n* [CVE-2021-3748](https://security-tracker.debian.org/tracker/CVE-2021-3748)\nDescription\n* [CVE-2021-3930](https://security-tracker.debian.org/tracker/CVE-2021-3930)\nDescription\n* [CVE-2021-4206](https://security-tracker.debian.org/tracker/CVE-2021-4206)\nDescription\n* [CVE-2021-4207](https://security-tracker.debian.org/tracker/CVE-2021-4207)\nDescription\n* [CVE-2021-20181](https://security-tracker.debian.org/tracker/CVE-2021-20181)\nDescription\n* [CVE-2021-20196](https://security-tracker.debian.org/tracker/CVE-2021-20196)\nDescription\n* [CVE-2021-20203](https://security-tracker.debian.org/tracker/CVE-2021-20203)\nDescription\n* [CVE-2021-20221](https://security-tracker.debian.org/tracker/CVE-2021-20221)\nDescription\n* [CVE-2021-20257](https://security-tracker.debian.org/tracker/CVE-2021-20257)\nDescription\n* [CVE-2022-26354](https://security-tracker.debian.org/tracker/CVE-2022-26354)\nDescription\n* [CVE-2022-35414](https://security-tracker.debian.org/tracker/CVE-2022-35414)\nDescription\n\n\nFor Debian 10 buster, these problems have been fixed in version\n1:3.1+dfsg-8+deb10u9.\n\n\nWe recommend that you upgrade your qemu packages.\n\n\nFor the detailed security status of qemu please refer to\nits security tracker page at:\n<https://security-tracker.debian.org/tracker/qemu>\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "published": "2022-09-05T00:00:00", "modified": "2023-06-28T06:37:09", "epss": [{"cve": "CVE-2020-13253", "epss": 0.00045, "percentile": 0.12142, "modified": "2023-06-06"}, {"cve": "CVE-2020-15469", "epss": 0.00045, "percentile": 0.12008, "modified": "2023-06-06"}, {"cve": "CVE-2020-15859", "epss": 0.00053, "percentile": 0.19185, "modified": "2023-06-06"}, {"cve": "CVE-2020-25084", "epss": 0.00047, "percentile": 0.14425, "modified": "2023-06-06"}, {"cve": "CVE-2020-25085", "epss": 0.00059, "percentile": 0.23137, "modified": "2023-06-06"}, {"cve": "CVE-2020-25624", "epss": 0.00047, "percentile": 0.14381, "modified": "2023-06-06"}, {"cve": "CVE-2020-25625", "epss": 0.00045, "percentile": 0.12142, "modified": "2023-06-06"}, {"cve": "CVE-2020-25723", "epss": 0.00045, "percentile": 0.12008, "modified": "2023-06-06"}, {"cve": "CVE-2020-27617", "epss": 0.00139, "percentile": 0.48154, "modified": "2023-06-06"}, {"cve": "CVE-2020-27821", "epss": 0.00042, "percentile": 0.05671, "modified": "2023-06-06"}, {"cve": "CVE-2020-28916", "epss": 0.00054, "percentile": 0.19438, "modified": "2023-06-06"}, {"cve": "CVE-2020-29129", "epss": 0.00244, "percentile": 0.60932, "modified": "2023-06-06"}, {"cve": "CVE-2020-29443", "epss": 0.00047, "percentile": 0.14425, "modified": "2023-06-06"}, {"cve": "CVE-2020-35504", "epss": 0.00045, "percentile": 0.12142, "modified": "2023-06-06"}, {"cve": "CVE-2020-35505", "epss": 0.00045, "percentile": 0.12142, "modified": "2023-06-06"}, {"cve": "CVE-2021-20181", "epss": 0.00048, "percentile": 0.14986, "modified": "2023-05-27"}, {"cve": "CVE-2021-20196", "epss": 0.00056, "percentile": 0.21446, "modified": "2023-05-27"}, {"cve": "CVE-2021-20203", "epss": 0.00055, "percentile": 0.20572, "modified": "2023-05-27"}, {"cve": "CVE-2021-20221", "epss": 0.00045, "percentile": 0.12171, "modified": "2023-05-27"}, {"cve": "CVE-2021-20257", "epss": 0.00042, "percentile": 0.05679, "modified": "2023-05-27"}, {"cve": "CVE-2021-3392", "epss": 0.00054, "percentile": 0.19842, "modified": "2023-05-23"}, {"cve": "CVE-2021-3416", "epss": 0.0005, "percentile": 0.16449, "modified": "2023-05-23"}, {"cve": "CVE-2021-3507", "epss": 0.00051, "percentile": 0.1754, "modified": "2023-05-23"}, {"cve": "CVE-2021-3527", "epss": 0.00045, "percentile": 0.12212, "modified": "2023-05-23"}, {"cve": "CVE-2021-3582", "epss": 0.00042, "percentile": 0.05691, "modified": "2023-05-23"}, {"cve": "CVE-2021-3607", "epss": 0.00042, "percentile": 0.05691, "modified": "2023-05-23"}, {"cve": "CVE-2021-3608", "epss": 0.00042, "percentile": 0.05691, "modified": "2023-05-23"}, {"cve": "CVE-2021-3682", "epss": 0.00118, "percentile": 0.44491, "modified": "2023-05-23"}, {"cve": "CVE-2021-3713", "epss": 0.00045, "percentile": 0.12212, "modified": "2023-05-23"}, {"cve": "CVE-2021-3748", "epss": 0.00042, "percentile": 0.05691, "modified": "2023-05-23"}, {"cve": "CVE-2021-3930", "epss": 0.00042, "percentile": 0.05691, "modified": "2023-05-23"}, {"cve": "CVE-2021-4206", "epss": 0.00042, "percentile": 0.05691, "modified": "2023-05-23"}, {"cve": "CVE-2021-4207", "epss": 0.00042, "percentile": 0.05691, "modified": "2023-05-23"}, {"cve": "CVE-2022-26354", "epss": 0.00043, "percentile": 0.07955, "modified": "2023-06-14"}, {"cve": "CVE-2022-35414", "epss": 0.00042, "percentile": 0.05664, "modified": "2023-06-03"}], "cvss": {"score": 6.9, "vector": "AV:L/AC:M/Au:N/C:C/I:C/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "accessVector": "LOCAL", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "baseScore": 6.9}, "severity": "MEDIUM", "exploitabilityScore": 3.4, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 6.0}, "href": "https://osv.dev/vulnerability/DLA-3099-1", "reporter": "Google", "references": ["https://www.debian.org/lts/security/2022/dla-3099"], "cvelist": ["CVE-2020-13253", "CVE-2020-15469", "CVE-2020-15859", "CVE-2020-25084", "CVE-2020-25085", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27617", "CVE-2020-27821", "CVE-2020-28916", "CVE-2020-29129", "CVE-2020-29443", "CVE-2020-35504", "CVE-2020-35505", "CVE-2021-20181", "CVE-2021-20196", "CVE-2021-20203", "CVE-2021-20221", "CVE-2021-20257", "CVE-2021-3392", "CVE-2021-3416", "CVE-2021-3507", "CVE-2021-3527", "CVE-2021-3582", "CVE-2021-3607", "CVE-2021-3608", "CVE-2021-3682", "CVE-2021-3713", "CVE-2021-3748", "CVE-2021-3930", "CVE-2021-4206", "CVE-2021-4207", "CVE-2022-26354", "CVE-2022-35414"], "immutableFields": [], "lastseen": "2023-06-28T06:38:10", "viewCount": 14, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2021:1762", "ALSA-2021:3061", "ALSA-2021:4191", "ALSA-2021:5238", "ALSA-2022:1759", "ALSA-2022:5263", "ALSA-2022:5821", "ALSA-2022:7967"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2020-15469", "ALPINE:CVE-2020-15859", "ALPINE:CVE-2020-25084", "ALPINE:CVE-2020-25085", "ALPINE:CVE-2020-25624", "ALPINE:CVE-2020-25625", "ALPINE:CVE-2020-25723", "ALPINE:CVE-2020-27617", "ALPINE:CVE-2020-27821", "ALPINE:CVE-2020-28916", "ALPINE:CVE-2020-29129", "ALPINE:CVE-2020-29443", "ALPINE:CVE-2020-35504", "ALPINE:CVE-2020-35505", "ALPINE:CVE-2021-20181", "ALPINE:CVE-2021-20196", "ALPINE:CVE-2021-20203", "ALPINE:CVE-2021-20221", "ALPINE:CVE-2021-20257", "ALPINE:CVE-2021-3392", "ALPINE:CVE-2021-3409", "ALPINE:CVE-2021-3416", "ALPINE:CVE-2021-3507", "ALPINE:CVE-2021-3527", "ALPINE:CVE-2021-3682", "ALPINE:CVE-2021-3713", "ALPINE:CVE-2021-3748", "ALPINE:CVE-2021-3930", "ALPINE:CVE-2021-4206", "ALPINE:CVE-2021-4207", "ALPINE:CVE-2022-26354", "ALPINE:CVE-2022-35414"]}, {"type": "altlinux", "idList": ["8CEC6870E2D532C9430F78F1882695F2"]}, {"type": "amazon", "idList": ["ALAS2-2021-1671", "ALAS2-2023-2060", "ALAS2-2023-2061"]}, {"type": "archlinux", "idList": ["ASA-202012-26", "ASA-202012-7"]}, {"type": "attackerkb", "idList": ["AKB:BDD3015F-0CC0-428F-AC2B-3D914C0EA584"]}, {"type": "centos", "idList": ["CESA-2021:2322"]}, {"type": "citrix", "idList": ["CTX316325"]}, {"type": "cnvd", "idList": ["CNVD-2022-84159", "CNVD-2022-84161"]}, {"type": "cve", "idList": ["CVE-2020-13253", "CVE-2020-15469", "CVE-2020-15859", "CVE-2020-25084", "CVE-2020-25085", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25707", "CVE-2020-25723", "CVE-2020-27617", "CVE-2020-27821", "CVE-2020-28916", "CVE-2020-29129", "CVE-2020-29443", "CVE-2020-35504", "CVE-2020-35505", "CVE-2021-20181", "CVE-2021-20196", "CVE-2021-20203", "CVE-2021-20221", "CVE-2021-20257", "CVE-2021-3392", "CVE-2021-3409", "CVE-2021-3416", "CVE-2021-3507", "CVE-2021-3527", "CVE-2021-3582", "CVE-2021-3607", "CVE-2021-3608", "CVE-2021-3682", "CVE-2021-3713", "CVE-2021-3748", "CVE-2021-3930", "CVE-2021-4206", "CVE-2021-4207", "CVE-2022-26353", "CVE-2022-26354", "CVE-2022-35414"]}, {"type": "debian", "idList": ["DEBIAN:DLA-2373-1:7A388", "DEBIAN:DLA-2373-1:EF721", "DEBIAN:DLA-2469-1:526EB", "DEBIAN:DLA-2560-1:2B2EA", "DEBIAN:DLA-2560-1:73BB2", "DEBIAN:DLA-2623-1:40F55", "DEBIAN:DLA-2753-1:5803D", "DEBIAN:DLA-2970-1:D0AE2", "DEBIAN:DLA-3099-1:490BC", "DEBIAN:DSA-4980-1:E965D", "DEBIAN:DSA-5133-1:E791B"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2020-13253", "DEBIANCVE:CVE-2020-15469", "DEBIANCVE:CVE-2020-15859", "DEBIANCVE:CVE-2020-25084", "DEBIANCVE:CVE-2020-25085", "DEBIANCVE:CVE-2020-25624", "DEBIANCVE:CVE-2020-25625", "DEBIANCVE:CVE-2020-25723", "DEBIANCVE:CVE-2020-27617", "DEBIANCVE:CVE-2020-27821", "DEBIANCVE:CVE-2020-28916", "DEBIANCVE:CVE-2020-29129", "DEBIANCVE:CVE-2020-29443", "DEBIANCVE:CVE-2020-35504", "DEBIANCVE:CVE-2020-35505", "DEBIANCVE:CVE-2021-20181", "DEBIANCVE:CVE-2021-20196", "DEBIANCVE:CVE-2021-20203", "DEBIANCVE:CVE-2021-20221", "DEBIANCVE:CVE-2021-20257", "DEBIANCVE:CVE-2021-3392", "DEBIANCVE:CVE-2021-3409", "DEBIANCVE:CVE-2021-3416", "DEBIANCVE:CVE-2021-3507", "DEBIANCVE:CVE-2021-3527", "DEBIANCVE:CVE-2021-3582", "DEBIANCVE:CVE-2021-3607", "DEBIANCVE:CVE-2021-3608", "DEBIANCVE:CVE-2021-3682", "DEBIANCVE:CVE-2021-3713", "DEBIANCVE:CVE-2021-3748", "DEBIANCVE:CVE-2021-3930", "DEBIANCVE:CVE-2021-4206", "DEBIANCVE:CVE-2021-4207", "DEBIANCVE:CVE-2022-26353", "DEBIANCVE:CVE-2022-26354", "DEBIANCVE:CVE-2022-35414", "DEBIANCVE:CVE-2023-1601"]}, {"type": "f5", "idList": ["F5:K41142448", "F5:K41301038", "F5:K50401227", "F5:K63714476", "F5:K69488451", "F5:K82008830"]}, {"type": "fedora", "idList": ["FEDORA:7D1E1304C47A", "FEDORA:C61D830A6040"]}, {"type": "gentoo", "idList": ["GLSA-202011-09", "GLSA-202208-27"]}, {"type": "nessus", "idList": ["AL2_ALAS-2021-1671.NASL", "AL2_ALAS-2023-2060.NASL", "AL2_ALAS-2023-2061.NASL", "ALMA_LINUX_ALSA-2021-1762.NASL", "ALMA_LINUX_ALSA-2021-4191.NASL", "ALMA_LINUX_ALSA-2021-5238.NASL", "ALMA_LINUX_ALSA-2022-1759.NASL", "ALMA_LINUX_ALSA-2022-5263.NASL", "ALMA_LINUX_ALSA-2022-5821.NASL", "ALMA_LINUX_ALSA-2022-7472.NASL", "ALMA_LINUX_ALSA-2022-7967.NASL", "CENTOS8_RHSA-2021-1762.NASL", "CENTOS8_RHSA-2021-3061.NASL", "CENTOS8_RHSA-2021-4191.NASL", "CENTOS8_RHSA-2021-5238.NASL", "CENTOS8_RHSA-2022-1759.NASL", "CENTOS8_RHSA-2022-5821.NASL", "CENTOS8_RHSA-2022-7472.NASL", "CENTOS_RHSA-2021-2322.NASL", "DEBIAN_DLA-2373.NASL", "DEBIAN_DLA-2469.NASL", "DEBIAN_DLA-2560.NASL", "DEBIAN_DLA-2623.NASL", "DEBIAN_DLA-2753.NASL", "DEBIAN_DLA-2970.NASL", "DEBIAN_DLA-3099.NASL", "DEBIAN_DLA-3362.NASL", "DEBIAN_DSA-4980.NASL", "DEBIAN_DSA-5133.NASL", "EULEROS_SA-2020-1914.NASL", "EULEROS_SA-2020-1947.NASL", "EULEROS_SA-2020-2320.NASL", "EULEROS_SA-2021-1046.NASL", "EULEROS_SA-2021-1169.NASL", "EULEROS_SA-2021-1256.NASL", "EULEROS_SA-2021-1275.NASL", "EULEROS_SA-2021-1455.NASL", "EULEROS_SA-2021-1527.NASL", "EULEROS_SA-2021-1632.NASL", "EULEROS_SA-2021-1667.NASL", "EULEROS_SA-2021-1735.NASL", "EULEROS_SA-2021-1763.NASL", "EULEROS_SA-2021-1994.NASL", "EULEROS_SA-2021-2011.NASL", "EULEROS_SA-2021-2046.NASL", "EULEROS_SA-2021-2125.NASL", "EULEROS_SA-2021-2166.NASL", "EULEROS_SA-2021-2192.NASL", "EULEROS_SA-2021-2211.NASL", "EULEROS_SA-2021-2730.NASL", "EULEROS_SA-2021-2763.NASL", "EULEROS_SA-2021-2844.NASL", "EULEROS_SA-2021-2855.NASL", "EULEROS_SA-2022-1014.NASL", "EULEROS_SA-2022-1034.NASL", "EULEROS_SA-2022-1392.NASL", "EULEROS_SA-2022-1418.NASL", "EULEROS_SA-2022-1595.NASL", "EULEROS_SA-2022-1598.NASL", "EULEROS_SA-2022-1600.NASL", "EULEROS_SA-2022-1601.NASL", "EULEROS_SA-2022-1618.NASL", "EULEROS_SA-2022-1621.NASL", "EULEROS_SA-2022-1623.NASL", "EULEROS_SA-2022-1624.NASL", "EULEROS_SA-2022-2043.NASL", "EULEROS_SA-2022-2071.NASL", "EULEROS_SA-2022-2194.NASL", "EULEROS_SA-2022-2213.NASL", "EULEROS_SA-2022-2374.NASL", "EULEROS_SA-2022-2410.NASL", "EULEROS_SA-2022-2533.NASL", "EULEROS_SA-2022-2880.NASL", "EULEROS_SA-2022-2898.NASL", "EULEROS_SA-2023-1051.NASL", "EULEROS_SA-2023-1212.NASL", "EULEROS_SA-2023-1242.NASL", "EULEROS_SA-2023-1289.NASL", "EULEROS_SA-2023-1688.NASL", "EULEROS_SA-2023-2082.NASL", "EULEROS_SA-2023-2134.NASL", "FEDORA_2020-331E1318DD.NASL", "FEDORA_2020-77F93F41BE.NASL", "GENTOO_GLSA-202011-09.NASL", "GENTOO_GLSA-202208-27.NASL", "NEWSTART_CGSL_NS-SA-2022-0067_QEMU.NASL", "OPENSUSE-2021-1043.NASL", "OPENSUSE-2021-1202.NASL", "OPENSUSE-2021-1461.NASL", "OPENSUSE-2021-1942.NASL", "OPENSUSE-2021-2442.NASL", "OPENSUSE-2021-2474.NASL", "OPENSUSE-2021-2591.NASL", "OPENSUSE-2021-2789.NASL", "OPENSUSE-2021-2858.NASL", "OPENSUSE-2021-3604.NASL", "OPENSUSE-2021-3605.NASL", "OPENSUSE-2021-363.NASL", "OPENSUSE-2021-600.NASL", "OPENSUSE-2022-0177-1.NASL", "OPENSUSE-2022-0210-1.NASL", "OPENSUSE-2022-0930-1.NASL", "ORACLELINUX_ELSA-2021-1762.NASL", "ORACLELINUX_ELSA-2021-2322.NASL", "ORACLELINUX_ELSA-2021-3061.NASL", "ORACLELINUX_ELSA-2021-4191.NASL", "ORACLELINUX_ELSA-2021-5238.NASL", "ORACLELINUX_ELSA-2021-9034.NASL", "ORACLELINUX_ELSA-2021-9104.NASL", "ORACLELINUX_ELSA-2021-9109.NASL", "ORACLELINUX_ELSA-2021-9285.NASL", "ORACLELINUX_ELSA-2021-9335.NASL", "ORACLELINUX_ELSA-2021-9425.NASL", "ORACLELINUX_ELSA-2021-9568.NASL", "ORACLELINUX_ELSA-2022-1759.NASL", "ORACLELINUX_ELSA-2022-5263.NASL", "ORACLELINUX_ELSA-2022-5821.NASL", "ORACLELINUX_ELSA-2022-7472.NASL", "ORACLELINUX_ELSA-2022-7967.NASL", "ORACLELINUX_ELSA-2022-9123.NASL", "ORACLELINUX_ELSA-2022-9172.NASL", "ORACLELINUX_ELSA-2022-9432.NASL", "ORACLELINUX_ELSA-2022-9460.NASL", "ORACLELINUX_ELSA-2022-9491.NASL", "ORACLELINUX_ELSA-2022-9492.NASL", "ORACLELINUX_ELSA-2022-9493.NASL", "ORACLELINUX_ELSA-2022-9494.NASL", "ORACLELINUX_ELSA-2022-9669.NASL", "ORACLELINUX_ELSA-2022-9700.NASL", "ORACLELINUX_ELSA-2022-9862.NASL", "ORACLELINUX_ELSA-2022-9869.NASL", "QEMU_WIN_5_1_RC0.NASL", "QEMU_WIN_5_2_RC3.NASL", "REDHAT-RHSA-2021-0648.NASL", "REDHAT-RHSA-2021-0771.NASL", "REDHAT-RHSA-2021-1125.NASL", "REDHAT-RHSA-2021-1762.NASL", "REDHAT-RHSA-2021-2322.NASL", "REDHAT-RHSA-2021-2521.NASL", "REDHAT-RHSA-2021-2529.NASL", "REDHAT-RHSA-2021-3061.NASL", "REDHAT-RHSA-2021-3703.NASL", "REDHAT-RHSA-2021-3704.NASL", "REDHAT-RHSA-2021-4112.NASL", "REDHAT-RHSA-2021-4191.NASL", "REDHAT-RHSA-2021-5036.NASL", "REDHAT-RHSA-2021-5065.NASL", "REDHAT-RHSA-2021-5238.NASL", "REDHAT-RHSA-2022-0081.NASL", "REDHAT-RHSA-2022-0325.NASL", "REDHAT-RHSA-2022-0397.NASL", "REDHAT-RHSA-2022-1759.NASL", "REDHAT-RHSA-2022-5002.NASL", "REDHAT-RHSA-2022-5263.NASL", "REDHAT-RHSA-2022-5821.NASL", "REDHAT-RHSA-2022-7472.NASL", "REDHAT-RHSA-2022-7967.NASL", "ROCKY_LINUX_RLSA-2021-3061.NASL", "SL_20210609_QEMU_KVM_ON_SL7_X.NASL", "SUSE_SU-2020-14557-1.NASL", "SUSE_SU-2021-0521-1.NASL", "SUSE_SU-2021-1023-1.NASL", "SUSE_SU-2021-1240-1.NASL", "SUSE_SU-2021-1241-1.NASL", "SUSE_SU-2021-1242-1.NASL", "SUSE_SU-2021-1243-1.NASL", "SUSE_SU-2021-1244-1.NASL", "SUSE_SU-2021-1245-1.NASL", "SUSE_SU-2021-1251-1.NASL", "SUSE_SU-2021-1252-1.NASL", "SUSE_SU-2021-1305-1.NASL", "SUSE_SU-2021-14702-1.NASL", "SUSE_SU-2021-14704-1.NASL", "SUSE_SU-2021-14772-1.NASL", "SUSE_SU-2021-14848-1.NASL", "SUSE_SU-2021-1829-1.NASL", "SUSE_SU-2021-1837-1.NASL", "SUSE_SU-2021-1893-1.NASL", "SUSE_SU-2021-1894-1.NASL", "SUSE_SU-2021-1895-1.NASL", "SUSE_SU-2021-1918-1.NASL", "SUSE_SU-2021-1942-1.NASL", "SUSE_SU-2021-1947-1.NASL", "SUSE_SU-2021-2442-1.NASL", "SUSE_SU-2021-2448-1.NASL", "SUSE_SU-2021-2474-1.NASL", "SUSE_SU-2021-2591-1.NASL", "SUSE_SU-2021-2789-1.NASL", "SUSE_SU-2021-2813-1.NASL", "SUSE_SU-2021-2858-1.NASL", "SUSE_SU-2021-3519-1.NASL", "SUSE_SU-2021-3575-1.NASL", "SUSE_SU-2021-3604-1.NASL", "SUSE_SU-2021-3605-1.NASL", "SUSE_SU-2021-3613-1.NASL", "SUSE_SU-2021-3614-1.NASL", "SUSE_SU-2021-3635-1.NASL", "SUSE_SU-2021-3653-1.NASL", "SUSE_SU-2022-0177-1.NASL", "SUSE_SU-2022-0210-2.NASL", "SUSE_SU-2022-0930-1.NASL", "SUSE_SU-2022-1151-1.NASL", "SUSE_SU-2022-1375-1.NASL", "SUSE_SU-2022-2254-1.NASL", "SUSE_SU-2022-2260-1.NASL", "SUSE_SU-2022-3594-1.NASL", "SUSE_SU-2022-3660-1.NASL", "SUSE_SU-2022-3768-1.NASL", "SUSE_SU-2022-3795-1.NASL", "SUSE_SU-2023-0761-1.NASL", "SUSE_SU-2023-0840-1.NASL", "SUSE_SU-2023-0878-1.NASL", "SUSE_SU-2023-0879-1.NASL", "SUSE_SU-2023-2358-1.NASL", "UBUNTU_USN-4467-1.NASL", "UBUNTU_USN-4650-1.NASL", "UBUNTU_USN-4725-1.NASL", "UBUNTU_USN-5009-1.NASL", "UBUNTU_USN-5010-1.NASL", "UBUNTU_USN-5307-1.NASL", "UBUNTU_USN-5489-1.NASL", "UBUNTU_USN-5772-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310113725"]}, {"type": "oraclelinux", "idList": ["ELSA-2021-1762", "ELSA-2021-2322", "ELSA-2021-3061", "ELSA-2021-4191", "ELSA-2021-5238", "ELSA-2021-9034", "ELSA-2021-9104", "ELSA-2021-9109", "ELSA-2021-9285", "ELSA-2021-9335", "ELSA-2021-9425", "ELSA-2021-9568", "ELSA-2021-9638", "ELSA-2022-1759", "ELSA-2022-5263", "ELSA-2022-5821", "ELSA-2022-7472", "ELSA-2022-7967", "ELSA-2022-9123", "ELSA-2022-9172", "ELSA-2022-9432", "ELSA-2022-9460", "ELSA-2022-9491", "ELSA-2022-9492", "ELSA-2022-9493", "ELSA-2022-9494", "ELSA-2022-9669", "ELSA-2022-9700", "ELSA-2022-9862", "ELSA-2022-9869"]}, {"type": "osv", "idList": ["OSV:DLA-2373-1", "OSV:DLA-2469-1", "OSV:DLA-2560-1", "OSV:DLA-2623-1", "OSV:DLA-2753-1", "OSV:DLA-2753-2", "OSV:DLA-2970-1", "OSV:DSA-4980-1"]}, {"type": "redhat", "idList": ["RHSA-2021:0648", "RHSA-2021:0771", "RHSA-2021:1125", "RHSA-2021:1762", "RHSA-2021:2322", "RHSA-2021:2521", "RHSA-2021:2529", "RHSA-2021:3061", "RHSA-2021:3703", "RHSA-2021:3704", "RHSA-2021:4112", "RHSA-2021:4191", "RHSA-2021:5036", "RHSA-2021:5065", "RHSA-2021:5238", "RHSA-2022:0081", "RHSA-2022:0325", "RHSA-2022:0397", "RHSA-2022:1759", "RHSA-2022:5002", "RHSA-2022:5263", "RHSA-2022:5821", "RHSA-2022:7472", "RHSA-2022:7967"]}, {"type": "redhatcve", "idList": ["RH:CVE-2020-13253", "RH:CVE-2020-15469", "RH:CVE-2020-15859", "RH:CVE-2020-25084", "RH:CVE-2020-25085", "RH:CVE-2020-25624", "RH:CVE-2020-25625", "RH:CVE-2020-25707", "RH:CVE-2020-25723", "RH:CVE-2020-27617", "RH:CVE-2020-27821", "RH:CVE-2020-28916", "RH:CVE-2020-29129", "RH:CVE-2020-29130", "RH:CVE-2020-29443", "RH:CVE-2020-35504", "RH:CVE-2020-35505", "RH:CVE-2021-20181", "RH:CVE-2021-20196", "RH:CVE-2021-20203", "RH:CVE-2021-20221", "RH:CVE-2021-20257", "RH:CVE-2021-3392", "RH:CVE-2021-3409", "RH:CVE-2021-3416", "RH:CVE-2021-3507", "RH:CVE-2021-3527", "RH:CVE-2021-3582", "RH:CVE-2021-3607", "RH:CVE-2021-3608", "RH:CVE-2021-3682", "RH:CVE-2021-3713", "RH:CVE-2021-3748", "RH:CVE-2021-3930", "RH:CVE-2021-4206", "RH:CVE-2021-4207", "RH:CVE-2022-26353", "RH:CVE-2022-26354", "RH:CVE-2022-35414", "RH:CVE-2023-1601"]}, {"type": "redos", "idList": ["ROS-20220125-17"]}, {"type": "rocky", "idList": ["RLSA-2021:1762", "RLSA-2021:3061", "RLSA-2021:4191", "RLSA-2021:5238", "RLSA-2022:1759", "RLSA-2022:5821", "RLSA-2022:7472", "RLSA-2022:7967"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2021:0363-1", "OPENSUSE-SU-2021:0600-1", "OPENSUSE-SU-2021:1043-1", "OPENSUSE-SU-2021:1202-1", "OPENSUSE-SU-2021:1461-1", "OPENSUSE-SU-2021:1942-1", "OPENSUSE-SU-2021:2442-1", "OPENSUSE-SU-2021:2474-1", "OPENSUSE-SU-2021:2591-1", "OPENSUSE-SU-2021:2789-1", "OPENSUSE-SU-2021:2858-1", "OPENSUSE-SU-2021:3604-1", "OPENSUSE-SU-2021:3605-1", "OPENSUSE-SU-2021:3614-1", "OPENSUSE-SU-2022:0177-1", "OPENSUSE-SU-2022:0210-1", "OPENSUSE-SU-2022:0210-2", "OPENSUSE-SU-2022:0930-1", "SUSE-SU-2022:2254-1", "SUSE-SU-2022:2260-1", "SUSE-SU-2022:3594-1", "SUSE-SU-2022:3660-1", "SUSE-SU-2022:3768-1", "SUSE-SU-2022:3795-1"]}, {"type": "ubuntu", "idList": ["USN-4467-1", "USN-4467-2", "USN-4650-1", "USN-4725-1", "USN-5009-1", "USN-5009-2", "USN-5010-1", "USN-5307-1", "USN-5489-1", "USN-5772-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2020-13253", "UB:CVE-2020-15469", "UB:CVE-2020-15859", "UB:CVE-2020-25084", "UB:CVE-2020-25085", "UB:CVE-2020-25624", "UB:CVE-2020-25625", "UB:CVE-2020-25723", "UB:CVE-2020-27617", "UB:CVE-2020-27821", "UB:CVE-2020-28916", "UB:CVE-2020-29129", "UB:CVE-2020-29443", "UB:CVE-2020-35504", "UB:CVE-2020-35505", "UB:CVE-2020-35506", "UB:CVE-2021-20181", "UB:CVE-2021-20196", "UB:CVE-2021-20203", "UB:CVE-2021-20221", "UB:CVE-2021-20257", "UB:CVE-2021-3392", "UB:CVE-2021-3409", "UB:CVE-2021-3416", "UB:CVE-2021-3507", "UB:CVE-2021-3527", "UB:CVE-2021-3582", "UB:CVE-2021-3607", "UB:CVE-2021-3608", "UB:CVE-2021-3682", "UB:CVE-2021-3713", "UB:CVE-2021-3748", "UB:CVE-2021-3930", "UB:CVE-2021-4206", "UB:CVE-2021-4207", "UB:CVE-2022-26353", "UB:CVE-2022-26354", "UB:CVE-2022-35414", "UB:CVE-2023-1601"]}, {"type": "veracode", "idList": ["VERACODE:27135", "VERACODE:28073", "VERACODE:28078", "VERACODE:28086", "VERACODE:28087", "VERACODE:28089", "VERACODE:28091", "VERACODE:28534", "VERACODE:28536", "VERACODE:28537", "VERACODE:29316", "VERACODE:29317", "VERACODE:29380", "VERACODE:29439", "VERACODE:29749", "VERACODE:29750", "VERACODE:29957", "VERACODE:29959", "VERACODE:30218", "VERACODE:30374", "VERACODE:31259", "VERACODE:31260", "VERACODE:31261", "VERACODE:31580", "VERACODE:31581", "VERACODE:31760", "VERACODE:31885", "VERACODE:32336", "VERACODE:33371", "VERACODE:33704", "VERACODE:33707", "VERACODE:35021", "VERACODE:35273", "VERACODE:35274"]}, {"type": "zdi", "idList": ["ZDI-21-159"]}]}, "score": {"value": -0.2, "vector": "NONE"}, "epss": [{"cve": "CVE-2020-25625", "epss": "0.000450000", "percentile": "0.120000000", "modified": "2023-03-20"}, {"cve": "CVE-2021-3608", "epss": "0.000420000", "percentile": "0.056330000", "modified": "2023-03-20"}, {"cve": "CVE-2020-15859", "epss": "0.000530000", "percentile": "0.191840000", "modified": "2023-03-20"}, {"cve": "CVE-2020-15469", "epss": "0.000450000", "percentile": "0.118720000", "modified": "2023-03-20"}, {"cve": "CVE-2021-3527", "epss": "0.000450000", "percentile": "0.120000000", "modified": "2023-03-20"}, {"cve": "CVE-2020-35505", "epss": "0.000450000", "percentile": "0.120000000", "modified": "2023-03-20"}, {"cve": "CVE-2020-25085", "epss": "0.000590000", "percentile": "0.230060000", "modified": "2023-03-20"}, {"cve": "CVE-2020-27821", "epss": "0.000420000", "percentile": "0.056330000", "modified": "2023-03-20"}, {"cve": "CVE-2021-3930", "epss": "0.000420000", "percentile": "0.056330000", "modified": "2023-03-20"}, {"cve": "CVE-2021-3607", "epss": "0.000420000", "percentile": "0.056330000", "modified": "2023-03-20"}, {"cve": "CVE-2021-3416", "epss": "0.000500000", "percentile": "0.163540000", "modified": "2023-03-20"}, {"cve": "CVE-2020-25084", "epss": "0.000470000", "percentile": "0.143100000", "modified": "2023-03-20"}, {"cve": "CVE-2021-20181", "epss": "0.000480000", "percentile": "0.148450000", "modified": "2023-03-20"}, {"cve": "CVE-2021-3392", "epss": "0.000540000", "percentile": "0.198220000", "modified": "2023-03-20"}, {"cve": "CVE-2022-35414", "epss": "0.000420000", "percentile": "0.056330000", "modified": "2023-03-20"}, {"cve": "CVE-2021-3682", "epss": "0.001300000", "percentile": "0.461580000", "modified": "2023-03-20"}, {"cve": "CVE-2021-20196", "epss": "0.000560000", "percentile": "0.213990000", "modified": "2023-03-20"}, {"cve": "CVE-2020-35504", "epss": "0.000450000", "percentile": "0.120000000", "modified": "2023-03-20"}, {"cve": "CVE-2021-20221", "epss": "0.000450000", "percentile": "0.120000000", "modified": "2023-03-20"}, {"cve": "CVE-2021-4207", "epss": "0.000420000", "percentile": "0.056330000", "modified": "2023-03-20"}, {"cve": "CVE-2020-27617", "epss": "0.001390000", "percentile": "0.477110000", "modified": "2023-03-20"}, {"cve": "CVE-2020-29443", "epss": "0.000470000", "percentile": "0.143100000", "modified": "2023-03-20"}, {"cve": "CVE-2020-29129", "epss": "0.002440000", "percentile": "0.605660000", "modified": "2023-03-20"}, {"cve": "CVE-2020-25723", "epss": "0.000450000", "percentile": "0.118720000", "modified": "2023-03-20"}, {"cve": "CVE-2021-3713", "epss": "0.000450000", "percentile": "0.120000000", "modified": "2023-03-20"}, {"cve": "CVE-2021-3507", "epss": "0.000510000", "percentile": "0.175690000", "modified": "2023-03-20"}, {"cve": "CVE-2021-20257", "epss": "0.000420000", "percentile": "0.056330000", "modified": "2023-03-20"}, {"cve": "CVE-2021-4206", "epss": "0.000420000", "percentile": "0.056330000", "modified": "2023-03-20"}, {"cve": "CVE-2020-28916", "epss": "0.000540000", "percentile": "0.194580000", "modified": "2023-03-20"}, {"cve": "CVE-2021-3582", "epss": "0.000420000", "percentile": "0.056330000", "modified": "2023-03-20"}, {"cve": "CVE-2021-3748", "epss": "0.000420000", "percentile": "0.056330000", "modified": "2023-03-20"}, {"cve": "CVE-2020-25624", "epss": "0.000470000", "percentile": "0.142710000", "modified": "2023-03-20"}, {"cve": "CVE-2020-13253", "epss": "0.000450000", "percentile": "0.120000000", "modified": "2023-03-20"}, {"cve": "CVE-2021-20203", "epss": "0.000550000", "percentile": "0.206030000", "modified": "2023-03-20"}, {"cve": "CVE-2022-26354", "epss": "0.000430000", "percentile": "0.078790000", "modified": "2023-03-20"}], "vulnersScore": -0.2}, "_state": {"score": 1687935417, "dependencies": 1687934438, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "1fdae5e52a3e3bb7be0be3ecfde0e391"}, "affectedSoftware": [{"version": "1:3.1+dfsg-8", "operator": "eq", "name": "qemu"}, {"version": "1:3.1+dfsg-8+deb10u2", "operator": "eq", "name": "qemu"}, {"version": "1:3.1+dfsg-8+deb10u3", "operator": "eq", "name": "qemu"}, {"version": "1:3.1+dfsg-8+deb10u4", "operator": "eq", "name": "qemu"}, {"version": "1:3.1+dfsg-8+deb10u5", "operator": "eq", "name": "qemu"}, {"version": "1:3.1+dfsg-8+deb10u6", "operator": "eq", "name": "qemu"}, {"version": "1:3.1+dfsg-8+deb10u7", "operator": "eq", "name": "qemu"}, {"version": "1:3.1+dfsg-8+deb10u8", "operator": "eq", "name": "qemu"}, {"version": "1:3.1+dfsg-8~deb10u1", "operator": "eq", "name": "qemu"}]}

{"nessus": [{"lastseen": "2023-05-17T16:34:13", "description": "The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3099 advisory.\n\n - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)\n\n - In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. (CVE-2020-15469)\n\n - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. (CVE-2020-25084)\n\n - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver. (CVE-2020-25624)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)\n\n - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. (CVE-2020-25723)\n\n - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.\n (CVE-2020-28916)\n\n - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29129)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. (CVE-2020-29443)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. (CVE-2021-20181)\n\n - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)\n\n - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.\n (CVE-2021-20203)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20257)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-3416)\n\n - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while handling a PVRDMA_CMD_CREATE_MR command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability. (CVE-2021-3582)\n\n - An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a PVRDMA_REG_DSRHIGH write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-3607)\n\n - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a PVRDMA_REG_DSRHIGH write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability. (CVE-2021-3608)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of- bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. (CVE-2021-3713)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. (CVE-2021-3748)\n\n - An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.\n (CVE-2021-3930)\n\n - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)\n\n - A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4207)\n\n - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.\n Affected QEMU versions <= 6.2.0. (CVE-2022-26354)\n\n - softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. (CVE-2022-35414)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-05T00:00:00", "type": "nessus", "title": "Debian DLA-3099-1 : qemu - LTS security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-13253", "CVE-2020-15469", "CVE-2020-15859", "CVE-2020-25084", "CVE-2020-25085", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27617", "CVE-2020-27821", "CVE-2020-28916", "CVE-2020-29129", "CVE-2020-29443", "CVE-2020-35504", "CVE-2020-35505", "CVE-2021-20181", "CVE-2021-20196", "CVE-2021-20203", "CVE-2021-20221", "CVE-2021-20257", "CVE-2021-3392", "CVE-2021-3416", "CVE-2021-3507", "CVE-2021-3527", "CVE-2021-3582", "CVE-2021-3607", "CVE-2021-3608", "CVE-2021-3682", "CVE-2021-3713", "CVE-2021-3748", "CVE-2021-3930", "CVE-2021-4206", "CVE-2021-4207", "CVE-2022-26354", "CVE-2022-35414"], "modified": "2023-01-04T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:qemu", "p-cpe:/a:debian:debian_linux:qemu-block-extra", "p-cpe:/a:debian:debian_linux:qemu-guest-agent", "p-cpe:/a:debian:debian_linux:qemu-kvm", "p-cpe:/a:debian:debian_linux:qemu-system", "p-cpe:/a:debian:debian_linux:qemu-system-arm", "p-cpe:/a:debian:debian_linux:qemu-system-common", "p-cpe:/a:debian:debian_linux:qemu-system-data", "p-cpe:/a:debian:debian_linux:qemu-system-gui", "p-cpe:/a:debian:debian_linux:qemu-system-mips", "p-cpe:/a:debian:debian_linux:qemu-system-misc", "p-cpe:/a:debian:debian_linux:qemu-system-ppc", "p-cpe:/a:debian:debian_linux:qemu-system-sparc", "p-cpe:/a:debian:debian_linux:qemu-system-x86", "p-cpe:/a:debian:debian_linux:qemu-user", "p-cpe:/a:debian:debian_linux:qemu-user-binfmt", "p-cpe:/a:debian:debian_linux:qemu-user-static", "p-cpe:/a:debian:debian_linux:qemu-utils", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DLA-3099.NASL", "href": "https://www.tenable.com/plugins/nessus/164678", "sourceData": "#%NASL_MIN_LEVEL 80900\n#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dla-3099. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164678);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/04\");\n\n script_cve_id(\n \"CVE-2020-13253\",\n \"CVE-2020-15469\",\n \"CVE-2020-15859\",\n \"CVE-2020-25084\",\n \"CVE-2020-25085\",\n \"CVE-2020-25624\",\n \"CVE-2020-25625\",\n \"CVE-2020-25723\",\n \"CVE-2020-27617\",\n \"CVE-2020-27821\",\n \"CVE-2020-28916\",\n \"CVE-2020-29129\",\n \"CVE-2020-29443\",\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2021-3392\",\n \"CVE-2021-3416\",\n \"CVE-2021-3507\",\n \"CVE-2021-3527\",\n \"CVE-2021-3582\",\n \"CVE-2021-3607\",\n \"CVE-2021-3608\",\n \"CVE-2021-3682\",\n \"CVE-2021-3713\",\n \"CVE-2021-3748\",\n \"CVE-2021-3930\",\n \"CVE-2021-4206\",\n \"CVE-2021-4207\",\n \"CVE-2021-20181\",\n \"CVE-2021-20196\",\n \"CVE-2021-20203\",\n \"CVE-2021-20221\",\n \"CVE-2021-20257\",\n \"CVE-2022-26354\",\n \"CVE-2022-35414\"\n );\n script_xref(name:\"IAVB\", value:\"2020-B-0041-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0063-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0026-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0075-S\");\n\n script_name(english:\"Debian DLA-3099-1 : qemu - LTS security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the\ndla-3099 advisory.\n\n - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read\n during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)\n\n - In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer\n dereference. (CVE-2020-15469)\n\n - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e\n packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not\n checked. (CVE-2020-25084)\n\n - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c\n mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host\n controller driver. (CVE-2020-25624)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)\n\n - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while\n processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user\n within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host,\n resulting in a denial of service. (CVE-2020-25723)\n\n - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest\n can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO\n operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial\n of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.\n (CVE-2020-28916)\n\n - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of\n header data even if that exceeds the total packet length. (CVE-2020-29129)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer\n index is not validated. (CVE-2020-29443)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw\n allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This\n flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges\n on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as\n system availability. (CVE-2021-20181)\n\n - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while\n processing read/write ioport commands if the selected floppy drive is not initialized with a block device.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)\n\n - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It\n may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A\n privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.\n (CVE-2021-20203)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of\n QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an\n interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said\n issue while updating controller state fields and their subsequent processing. A privileged guest user may\n use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing\n transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid\n values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The\n highest threat from this vulnerability is to system availability. (CVE-2021-20257)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI\n I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req'\n from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the\n host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions\n up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get\n bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the\n host resulting in DoS scenario. (CVE-2021-3416)\n\n - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could\n occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the\n floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on\n the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while\n handling a PVRDMA_CMD_CREATE_MR command due to improper memory remapping (mremap). This flaw allows a\n malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to\n system availability. (CVE-2021-3582)\n\n - An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions\n prior to 6.1.0. The issue occurs while handling a PVRDMA_REG_DSRHIGH write from the guest due to\n improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount\n of memory, resulting in a denial of service. The highest threat from this vulnerability is to system\n availability. (CVE-2021-3607)\n\n - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to\n 6.1.0. The issue occurs while handling a PVRDMA_REG_DSRHIGH write from the guest and may result in a\n crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest\n threat from this vulnerability is to system availability. (CVE-2021-3608)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs\n when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A\n malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,\n resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions\n prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-\n bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this\n flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3713)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the\n descriptor's address belongs to the non direct access region, due to num_buffers being set after the\n virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a\n denial of service condition, or potentially execute code on the host with the privileges of the QEMU\n process. (CVE-2021-3748)\n\n - An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE\n SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious\n guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.\n (CVE-2021-3930)\n\n - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc()\n function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer\n overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or\n potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)\n\n - A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values\n `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object\n followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw\n to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU\n process. (CVE-2021-4207)\n\n - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached\n from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.\n Affected QEMU versions <= 6.2.0. (CVE-2022-26354)\n\n - softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path,\n leading to an io_readx or io_writex crash. (CVE-2022-35414)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/qemu\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/lts/security/2022/dla-3099\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-13253\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-15469\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-15859\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-25084\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-25085\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-25624\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-25625\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-25723\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-27617\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-27821\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-28916\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-29129\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-29443\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-35504\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2020-35505\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-20181\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-20196\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-20203\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-20221\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-20257\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3392\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3416\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3507\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3527\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3582\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3607\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3608\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3713\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3748\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3930\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-4206\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-4207\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-26354\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-35414\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/buster/qemu\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the qemu packages.\n\nFor Debian 10 buster, these problems have been fixed in version 1\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3748\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2022-35414\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-block-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user-binfmt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! preg(pattern:\"^(10)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '10.0', 'prefix': 'qemu', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-block-extra', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-guest-agent', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-kvm', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-system', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-system-arm', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-system-common', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-system-data', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-system-gui', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-system-mips', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-system-misc', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-system-ppc', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-system-sparc', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-system-x86', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-user', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-user-binfmt', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-user-static', 'reference': '1:3.1+dfsg-8+deb10u9'},\n {'release': '10.0', 'prefix': 'qemu-utils', 'reference': '1:3.1+dfsg-8+deb10u9'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-extra / qemu-guest-agent / qemu-kvm / qemu-system / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:34", "description": "This update for qemu fixes the following issues :\n\nCVE-2020-12829: Fix OOB access in sm501 device emulation (bsc#1172385)\n\nCVE-2020-25723: Fix use-after-free in usb xhci packet handling (bsc#1178934)\n\nCVE-2020-25084: Fix use-after-free in usb ehci packet handling (bsc#1176673)\n\nCVE-2020-25625: Fix infinite loop (DoS) in usb hcd-ohci emulation (bsc#1176684)\n\nCVE-2020-25624: Fix OOB access in usb hcd-ohci emulation (bsc#1176682)\n\nCVE-2020-27617: Fix guest triggerable assert in shared network handling code (bsc#1178174)\n\nCVE-2020-28916: Fix infinite loop (DoS) in e1000e device emulation (bsc#1179468)\n\nCVE-2020-29443: Fix OOB access in atapi emulation (bsc#1181108)\n\nCVE-2020-27821: Fix heap overflow in MSIx emulation (bsc#1179686)\n\nCVE-2020-15469: Fix NULL pointer deref. (DoS) in mmio ops (bsc#1173612)\n\nCVE-2021-20257: Fix infinite loop (DoS) in e1000 device emulation (bsc#1182577)\n\nCVE-2021-3416: Fix OOB access (stack overflow) in rtl8139 NIC emulation (bsc#1182968)\n\nCVE-2021-3416: Fix OOB access (stack overflow) in other NIC emulations (bsc#1182968)\n\nCVE-2020-27616: Fix OOB access in ati-vga emulation (bsc#1178400)\n\nCVE-2020-29129: Fix OOB access in SLIRP ARP/NCSI packet processing (bsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)\n\nAdd split-provides through forsplits/13 to cover updates of SLE15-SP2 to SLE15-SP3, and openSUSE equivalents (bsc#1184064)\n\nAdded a few more usability improvements for our git packaging workflow\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-19T00:00:00", "type": "nessus", "title": "SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2021:1243-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12829", "CVE-2020-15469", "CVE-2020-25084", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27616", "CVE-2020-27617", "CVE-2020-27821", "CVE-2020-28916", "CVE-2020-29129", "CVE-2020-29130", "CVE-2020-29443", "CVE-2021-20257", "CVE-2021-3416"], "modified": "2021-04-21T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-audio-alsa", "p-cpe:/a:novell:suse_linux:qemu-audio-alsa-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-audio-pa", "p-cpe:/a:novell:suse_linux:qemu-audio-pa-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-ssh", "p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debugsource", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu-s390", "p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-ui-curses", "p-cpe:/a:novell:suse_linux:qemu-ui-curses-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-ui-gtk", "p-cpe:/a:novell:suse_linux:qemu-ui-gtk-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-ui-spice-app", "p-cpe:/a:novell:suse_linux:qemu-ui-spice-app-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-x86", "p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1243-1.NASL", "href": "https://www.tenable.com/plugins/nessus/148755", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1243-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148755);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/21\");\n\n script_cve_id(\"CVE-2020-12829\", \"CVE-2020-15469\", \"CVE-2020-25084\", \"CVE-2020-25624\", \"CVE-2020-25625\", \"CVE-2020-25723\", \"CVE-2020-27616\", \"CVE-2020-27617\", \"CVE-2020-27821\", \"CVE-2020-28916\", \"CVE-2020-29129\", \"CVE-2020-29130\", \"CVE-2020-29443\", \"CVE-2021-20257\", \"CVE-2021-3416\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2021:1243-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for qemu fixes the following issues :\n\nCVE-2020-12829: Fix OOB access in sm501 device emulation (bsc#1172385)\n\nCVE-2020-25723: Fix use-after-free in usb xhci packet handling\n(bsc#1178934)\n\nCVE-2020-25084: Fix use-after-free in usb ehci packet handling\n(bsc#1176673)\n\nCVE-2020-25625: Fix infinite loop (DoS) in usb hcd-ohci emulation\n(bsc#1176684)\n\nCVE-2020-25624: Fix OOB access in usb hcd-ohci emulation (bsc#1176682)\n\nCVE-2020-27617: Fix guest triggerable assert in shared network\nhandling code (bsc#1178174)\n\nCVE-2020-28916: Fix infinite loop (DoS) in e1000e device emulation\n(bsc#1179468)\n\nCVE-2020-29443: Fix OOB access in atapi emulation (bsc#1181108)\n\nCVE-2020-27821: Fix heap overflow in MSIx emulation (bsc#1179686)\n\nCVE-2020-15469: Fix NULL pointer deref. (DoS) in mmio ops\n(bsc#1173612)\n\nCVE-2021-20257: Fix infinite loop (DoS) in e1000 device emulation\n(bsc#1182577)\n\nCVE-2021-3416: Fix OOB access (stack overflow) in rtl8139 NIC\nemulation (bsc#1182968)\n\nCVE-2021-3416: Fix OOB access (stack overflow) in other NIC emulations\n(bsc#1182968)\n\nCVE-2020-27616: Fix OOB access in ati-vga emulation (bsc#1178400)\n\nCVE-2020-29129: Fix OOB access in SLIRP ARP/NCSI packet processing\n(bsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix package scripts to not use hard-coded paths for temporary working\ndirectories and log files (bsc#1182425)\n\nAdd split-provides through forsplits/13 to cover updates of SLE15-SP2\nto SLE15-SP3, and openSUSE equivalents (bsc#1184064)\n\nAdded a few more usability improvements for our git packaging workflow\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172385\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173612\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176673\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176682\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176684\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178400\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179467\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179468\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179686\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181108\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182425\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1184064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-12829/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15469/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25084/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25624/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25625/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25723/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-27616/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-27617/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-27821/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-28916/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29129/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29130/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29443/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20257/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-3416/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211243-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?afef34d2\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE MicroOS 5.0 :\n\nzypper in -t patch SUSE-SUSE-MicroOS-5.0-2021-1243=1\n\nSUSE Linux Enterprise Module for Server Applications 15-SP2 :\n\nzypper in -t patch\nSUSE-SLE-Module-Server-Applications-15-SP2-2021-1243=1\n\nSUSE Linux Enterprise Module for Basesystem 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Basesystem-15-SP2-2021-1243=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25624\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-alsa-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-pa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-pa-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-gtk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-gtk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-spice-app\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-spice-app-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-audio-alsa-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-audio-alsa-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-audio-pa-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-audio-pa-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-ui-curses-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-ui-curses-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-ui-gtk-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-ui-gtk-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-x86-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-x86-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"s390x\", reference:\"qemu-s390-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-block-curl-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-block-curl-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-block-iscsi-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-block-iscsi-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-block-rbd-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-block-rbd-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-block-ssh-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-block-ssh-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-debugsource-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-guest-agent-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-guest-agent-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-kvm-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-lang-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-tools-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-tools-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-ui-spice-app-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"qemu-ui-spice-app-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"qemu-debuginfo-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"qemu-debugsource-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"qemu-tools-4.2.1-11.16.3\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"2\", reference:\"qemu-tools-debuginfo-4.2.1-11.16.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:28:10", "description": "This update for qemu fixes the following issues :\n\n - CVE-2020-12829: Fix OOB access in sm501 device emulation (bsc#1172385)\n\n - CVE-2020-25723: Fix use-after-free in usb xhci packet handling (bsc#1178934)\n\n - CVE-2020-25084: Fix use-after-free in usb ehci packet handling (bsc#1176673)\n\n - CVE-2020-25625: Fix infinite loop (DoS) in usb hcd-ohci emulation (bsc#1176684)\n\n - CVE-2020-25624: Fix OOB access in usb hcd-ohci emulation (bsc#1176682)\n\n - CVE-2020-27617: Fix guest triggerable assert in shared network handling code (bsc#1178174)\n\n - CVE-2020-28916: Fix infinite loop (DoS) in e1000e device emulation (bsc#1179468)\n\n - CVE-2020-29443: Fix OOB access in atapi emulation (bsc#1181108)\n\n - CVE-2020-27821: Fix heap overflow in MSIx emulation (bsc#1179686)\n\n - CVE-2020-15469: Fix NULL pointer deref. (DoS) in mmio ops (bsc#1173612)\n\n - CVE-2021-20257: Fix infinite loop (DoS) in e1000 device emulation (bsc#1182577)\n\n - CVE-2021-3416: Fix OOB access (stack overflow) in rtl8139 NIC emulation (bsc#1182968)\n\n - CVE-2021-3416: Fix OOB access (stack overflow) in other NIC emulations (bsc#1182968)\n\n - CVE-2020-27616: Fix OOB access in ati-vga emulation (bsc#1178400)\n\n - CVE-2020-29129: Fix OOB access in SLIRP ARP/NCSI packet processing (bsc#1179466, CVE-2020-29130, bsc#1179467)\n\n - Fix package scripts to not use hard coded paths for temporary working directories and log files (bsc#1182425)\n\n - Add split-provides through forsplits/13 to cover updates of SLE15-SP2 to SLE15-SP3, and openSUSE equivalents (bsc#1184064)\n\n - Added a few more usability improvements for our git packaging workflow\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.", "cvss3": {}, "published": "2021-05-18T00:00:00", "type": "nessus", "title": "openSUSE Security Update : qemu (openSUSE-2021-600)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12829", "CVE-2020-15469", "CVE-2020-25084", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27616", "CVE-2020-27617", "CVE-2020-27821", "CVE-2020-28916", "CVE-2020-29129", "CVE-2020-29130", "CVE-2020-29443", "CVE-2021-20257", "CVE-2021-3416"], "modified": "2021-05-20T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:qemu", "p-cpe:/a:novell:opensuse:qemu-arm", "p-cpe:/a:novell:opensuse:qemu-arm-debuginfo", "p-cpe:/a:novell:opensuse:qemu-audio-alsa", "p-cpe:/a:novell:opensuse:qemu-audio-alsa-debuginfo", "p-cpe:/a:novell:opensuse:qemu-audio-pa", "p-cpe:/a:novell:opensuse:qemu-audio-pa-debuginfo", "p-cpe:/a:novell:opensuse:qemu-audio-sdl", "p-cpe:/a:novell:opensuse:qemu-audio-sdl-debuginfo", "p-cpe:/a:novell:opensuse:qemu-block-curl", "p-cpe:/a:novell:opensuse:qemu-block-curl-debuginfo", "p-cpe:/a:novell:opensuse:qemu-block-dmg", "p-cpe:/a:novell:opensuse:qemu-block-dmg-debuginfo", "p-cpe:/a:novell:opensuse:qemu-block-gluster", "p-cpe:/a:novell:opensuse:qemu-block-gluster-debuginfo", "p-cpe:/a:novell:opensuse:qemu-block-iscsi", "p-cpe:/a:novell:opensuse:qemu-block-iscsi-debuginfo", "p-cpe:/a:novell:opensuse:qemu-block-nfs", "p-cpe:/a:novell:opensuse:qemu-block-nfs-debuginfo", "p-cpe:/a:novell:opensuse:qemu-block-rbd", "p-cpe:/a:novell:opensuse:qemu-block-rbd-debuginfo", "p-cpe:/a:novell:opensuse:qemu-block-ssh", "p-cpe:/a:novell:opensuse:qemu-block-ssh-debuginfo", "p-cpe:/a:novell:opensuse:qemu-debuginfo", "p-cpe:/a:novell:opensuse:qemu-debugsource", "p-cpe:/a:novell:opensuse:qemu-extra", "p-cpe:/a:novell:opensuse:qemu-extra-debuginfo", "p-cpe:/a:novell:opensuse:qemu-guest-agent", "p-cpe:/a:novell:opensuse:qemu-guest-agent-debuginfo", "p-cpe:/a:novell:opensuse:qemu-ipxe", "p-cpe:/a:novell:opensuse:qemu-ksm", "p-cpe:/a:novell:opensuse:qemu-kvm", "p-cpe:/a:novell:opensuse:qemu-lang", "p-cpe:/a:novell:opensuse:qemu-linux-user", "p-cpe:/a:novell:opensuse:qemu-linux-user-debuginfo", "p-cpe:/a:novell:opensuse:qemu-linux-user-debugsource", "p-cpe:/a:novell:opensuse:qemu-microvm", "p-cpe:/a:novell:opensuse:qemu-ppc", "p-cpe:/a:novell:opensuse:qemu-ppc-debuginfo", "p-cpe:/a:novell:opensuse:qemu-s390", "p-cpe:/a:novell:opensuse:qemu-s390-debuginfo", "p-cpe:/a:novell:opensuse:qemu-seabios", "p-cpe:/a:novell:opensuse:qemu-sgabios", "p-cpe:/a:novell:opensuse:qemu-testsuite", "p-cpe:/a:novell:opensuse:qemu-tools", "p-cpe:/a:novell:opensuse:qemu-tools-debuginfo", "p-cpe:/a:novell:opensuse:qemu-ui-curses", "p-cpe:/a:novell:opensuse:qemu-ui-curses-debuginfo", "p-cpe:/a:novell:opensuse:qemu-ui-gtk", "p-cpe:/a:novell:opensuse:qemu-ui-gtk-debuginfo", "p-cpe:/a:novell:opensuse:qemu-ui-sdl", "p-cpe:/a:novell:opensuse:qemu-ui-sdl-debuginfo", "p-cpe:/a:novell:opensuse:qemu-ui-spice-app", "p-cpe:/a:novell:opensuse:qemu-ui-spice-app-debuginfo", "p-cpe:/a:novell:opensuse:qemu-vgabios", "p-cpe:/a:novell:opensuse:qemu-vhost-user-gpu", "p-cpe:/a:novell:opensuse:qemu-vhost-user-gpu-debuginfo", "p-cpe:/a:novell:opensuse:qemu-x86", "p-cpe:/a:novell:opensuse:qemu-x86-debuginfo", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2021-600.NASL", "href": "https://www.tenable.com/plugins/nessus/149640", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2021-600.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(149640);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/05/20\");\n\n script_cve_id(\"CVE-2020-12829\", \"CVE-2020-15469\", \"CVE-2020-25084\", \"CVE-2020-25624\", \"CVE-2020-25625\", \"CVE-2020-25723\", \"CVE-2020-27616\", \"CVE-2020-27617\", \"CVE-2020-27821\", \"CVE-2020-28916\", \"CVE-2020-29129\", \"CVE-2020-29130\", \"CVE-2020-29443\", \"CVE-2021-20257\", \"CVE-2021-3416\");\n\n script_name(english:\"openSUSE Security Update : qemu (openSUSE-2021-600)\");\n script_summary(english:\"Check for the openSUSE-2021-600 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for qemu fixes the following issues :\n\n - CVE-2020-12829: Fix OOB access in sm501 device emulation\n (bsc#1172385)\n\n - CVE-2020-25723: Fix use-after-free in usb xhci packet\n handling (bsc#1178934)\n\n - CVE-2020-25084: Fix use-after-free in usb ehci packet\n handling (bsc#1176673)\n\n - CVE-2020-25625: Fix infinite loop (DoS) in usb hcd-ohci\n emulation (bsc#1176684)\n\n - CVE-2020-25624: Fix OOB access in usb hcd-ohci emulation\n (bsc#1176682)\n\n - CVE-2020-27617: Fix guest triggerable assert in shared\n network handling code (bsc#1178174)\n\n - CVE-2020-28916: Fix infinite loop (DoS) in e1000e device\n emulation (bsc#1179468)\n\n - CVE-2020-29443: Fix OOB access in atapi emulation\n (bsc#1181108)\n\n - CVE-2020-27821: Fix heap overflow in MSIx emulation\n (bsc#1179686)\n\n - CVE-2020-15469: Fix NULL pointer deref. (DoS) in mmio\n ops (bsc#1173612)\n\n - CVE-2021-20257: Fix infinite loop (DoS) in e1000 device\n emulation (bsc#1182577)\n\n - CVE-2021-3416: Fix OOB access (stack overflow) in\n rtl8139 NIC emulation (bsc#1182968)\n\n - CVE-2021-3416: Fix OOB access (stack overflow) in other\n NIC emulations (bsc#1182968)\n\n - CVE-2020-27616: Fix OOB access in ati-vga emulation\n (bsc#1178400)\n\n - CVE-2020-29129: Fix OOB access in SLIRP ARP/NCSI packet\n processing (bsc#1179466, CVE-2020-29130, bsc#1179467)\n\n - Fix package scripts to not use hard coded paths for\n temporary working directories and log files\n (bsc#1182425)\n\n - Add split-provides through forsplits/13 to cover updates\n of SLE15-SP2 to SLE15-SP3, and openSUSE equivalents\n (bsc#1184064)\n\n - Added a few more usability improvements for our git\n packaging workflow\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172385\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1173612\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176673\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176682\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1176684\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1178174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1178400\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1178934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179467\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179468\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1179686\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1181108\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182425\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1182968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1184064\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25624\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-arm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-audio-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-audio-alsa-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-audio-pa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-audio-pa-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-audio-sdl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-audio-sdl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-dmg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-dmg-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-gluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-gluster-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-iscsi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-nfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-nfs-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-extra-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ipxe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ksm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-linux-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-linux-user-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-linux-user-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-microvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ppc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-seabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-sgabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ui-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ui-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ui-gtk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ui-gtk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ui-sdl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ui-sdl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ui-spice-app\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-ui-spice-app-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-vgabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-vhost-user-gpu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-vhost-user-gpu-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/05/18\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-arm-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-arm-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-audio-alsa-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-audio-alsa-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-audio-pa-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-audio-pa-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-audio-sdl-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-audio-sdl-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-curl-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-curl-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-dmg-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-dmg-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-gluster-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-gluster-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-iscsi-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-iscsi-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-nfs-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-nfs-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-rbd-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-rbd-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-ssh-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-block-ssh-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-debugsource-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-extra-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-extra-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-guest-agent-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-guest-agent-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ipxe-1.0.0+-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ksm-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-kvm-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-lang-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-linux-user-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-linux-user-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-linux-user-debugsource-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-microvm-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ppc-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ppc-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-s390-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-s390-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-seabios-1.12.1+-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-sgabios-8-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-testsuite-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-tools-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-tools-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ui-curses-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ui-curses-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ui-gtk-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ui-gtk-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ui-sdl-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ui-sdl-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ui-spice-app-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-ui-spice-app-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-vgabios-1.12.1+-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-vhost-user-gpu-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-vhost-user-gpu-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-x86-4.2.1-lp152.9.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"qemu-x86-debuginfo-4.2.1-lp152.9.12.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu / qemu-arm / qemu-arm-debuginfo / qemu-audio-alsa / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:34", "description": "This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)\n\nFix use-after-free in usb iehci packet handling (CVE-2020-25084, bsc#1176673)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)\n\nFix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386)\n\nFix issue where s390 guest fails to find zipl boot menu index (bsc#1183979)\n\nFix OOB access in iscsi (CVE-2020-11947 bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)\n\nFix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)\n\nApply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. (bsc#1178049)\n\nFix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)\n\nMake note that this patch previously included addresses (CVE-2020-13765 bsc#1172478)\n\nTweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel\n\nFix vfio-pci device on s390 enters error state (bsc#1179725)\n\nFix PCI devices are unavailable after a subsystem reset. (bsc#1179726)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-19T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1242-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11947", "CVE-2020-12829", "CVE-2020-13362", "CVE-2020-13659", "CVE-2020-13765", "CVE-2020-15469", "CVE-2020-25084", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27617", "CVE-2020-27821", "CVE-2020-28916", "CVE-2020-29129", "CVE-2020-29130", "CVE-2020-29443", "CVE-2021-20181", "CVE-2021-20203", "CVE-2021-20221", "CVE-2021-20257", "CVE-2021-3416"], "modified": "2021-06-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-audio-alsa", "p-cpe:/a:novell:suse_linux:qemu-audio-alsa-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-audio-oss", "p-cpe:/a:novell:suse_linux:qemu-audio-oss-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-audio-pa", "p-cpe:/a:novell:suse_linux:qemu-audio-pa-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-audio-sdl", "p-cpe:/a:novell:suse_linux:qemu-audio-sdl-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-ssh", "p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debugsource", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu-s390", "p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-ui-curses", "p-cpe:/a:novell:suse_linux:qemu-ui-curses-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-ui-gtk", "p-cpe:/a:novell:suse_linux:qemu-ui-gtk-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-ui-sdl", "p-cpe:/a:novell:suse_linux:qemu-ui-sdl-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-x86", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1242-1.NASL", "href": "https://www.tenable.com/plugins/nessus/148751", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1242-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148751);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/08\");\n\n script_cve_id(\"CVE-2020-11947\", \"CVE-2020-12829\", \"CVE-2020-13362\", \"CVE-2020-13659\", \"CVE-2020-13765\", \"CVE-2020-15469\", \"CVE-2020-25084\", \"CVE-2020-25624\", \"CVE-2020-25625\", \"CVE-2020-25723\", \"CVE-2020-27617\", \"CVE-2020-27821\", \"CVE-2020-28916\", \"CVE-2020-29129\", \"CVE-2020-29130\", \"CVE-2020-29443\", \"CVE-2021-20181\", \"CVE-2021-20203\", \"CVE-2021-20221\", \"CVE-2021-20257\", \"CVE-2021-3416\");\n\n script_name(english:\"SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1242-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation\n(CVE-2020-13362 bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723,\nbsc#1178934)\n\nFix use-after-free in usb iehci packet handling (CVE-2020-25084,\nbsc#1176673)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625,\nbsc#1176684)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix guest triggerable assert in shared network handling code\n(CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916,\nbsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469,\nbsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257,\nbsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation\n(CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations\n(CVE-2021-3416)\n\nFix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129,\nbsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2\nemulation (CVE-2020-13659 bsc#1172386)\n\nFix issue where s390 guest fails to find zipl boot menu index\n(bsc#1183979)\n\nFix OOB access in iscsi (CVE-2020-11947 bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)\n\nFix package scripts to not use hard-coded paths for temporary working\ndirectories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181\nbsc#1182137)\n\nApply fixes to qemu scsi passthrough with respect to timeout and error\nconditions, including using more correct status codes. (bsc#1178049)\n\nFix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)\n\nMake note that this patch previously included addresses\n(CVE-2020-13765 bsc#1172478)\n\nTweaks to spec file for better formatting, and remove not needed\nBuildRequires for e2fsprogs-devel and libpcap-devel\n\nFix vfio-pci device on s390 enters error state (bsc#1179725)\n\nFix PCI devices are unavailable after a subsystem reset. (bsc#1179726)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172383\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172385\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172478\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173612\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176673\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176682\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176684\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178049\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179467\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179468\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179686\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179725\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179726\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180523\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181108\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181639\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181933\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182137\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182425\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183979\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11947/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-12829/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13362/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13659/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13765/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15469/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25084/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25624/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25625/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25723/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-27617/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-27821/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-28916/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29129/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29130/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29443/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20181/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20203/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20221/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20257/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-3416/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211242-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b5135757\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP5 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP5-2021-1242=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-alsa-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-oss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-oss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-pa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-pa-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-sdl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-sdl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-gtk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-gtk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-sdl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-sdl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(5)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP5\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"qemu-block-rbd-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"x86_64\", reference:\"qemu-x86-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"s390x\", reference:\"qemu-s390-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-audio-alsa-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-audio-alsa-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-audio-oss-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-audio-oss-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-audio-pa-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-audio-pa-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-audio-sdl-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-audio-sdl-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-block-curl-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-block-curl-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-block-iscsi-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-block-iscsi-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-block-ssh-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-block-ssh-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-debugsource-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-guest-agent-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-guest-agent-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-kvm-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-lang-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-tools-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-tools-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-ui-curses-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-ui-curses-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-ui-gtk-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-ui-gtk-debuginfo-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-ui-sdl-3.1.1.1-48.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"5\", reference:\"qemu-ui-sdl-debuginfo-3.1.1.1-48.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:36:29", "description": "According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. (CVE-2021-20181)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-12-29T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.2.0 : qemu (EulerOS-SA-2021-2844)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-35504", "CVE-2020-35505", "CVE-2021-20181", "CVE-2021-20221", "CVE-2021-3527", "CVE-2021-3682"], "modified": "2022-05-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-img", "p-cpe:/a:huawei:euleros:qemu-kvm", "p-cpe:/a:huawei:euleros:qemu-kvm-common", "p-cpe:/a:huawei:euleros:qemu-kvm-tools", "cpe:/o:huawei:euleros:uvp:3.0.2.0"], "id": "EULEROS_SA-2021-2844.NASL", "href": "https://www.tenable.com/plugins/nessus/156382", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(156382);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/06\");\n\n script_cve_id(\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2021-3527\",\n \"CVE-2021-3682\",\n \"CVE-2021-20181\",\n \"CVE-2021-20221\"\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.2.0 : qemu (EulerOS-SA-2021-2844)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is\naffected by the following vulnerabilities :\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw\n allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This\n flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges\n on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as\n system availability. (CVE-2021-20181)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of\n QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an\n interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said\n issue while updating controller state fields and their subsequent processing. A privileged guest user may\n use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs\n when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A\n malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,\n resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3682)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2844\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cdb939c2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"qemu-img-2.8.1-30.139\",\n \"qemu-kvm-2.8.1-30.139\",\n \"qemu-kvm-common-2.8.1-30.139\",\n \"qemu-kvm-tools-2.8.1-30.139\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:29", "description": "Some issues have been found in qemu, a fast processor emulator.\n\nAll issues are related to assertion failures, out-of-bounds access failures or bad handling of return codes.\n\nFor Debian 9 stretch, these problems have been fixed in version 1:2.8+dfsg-6+deb9u12.\n\nWe recommend that you upgrade your qemu packages.\n\nFor the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-11-30T00:00:00", "type": "nessus", "title": "Debian DLA-2469-1 : qemu security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25085", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27617"], "modified": "2022-11-22T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:qemu", "p-cpe:/a:debian:debian_linux:qemu-block-extra", "p-cpe:/a:debian:debian_linux:qemu-guest-agent", "p-cpe:/a:debian:debian_linux:qemu-kvm", "p-cpe:/a:debian:debian_linux:qemu-system", "p-cpe:/a:debian:debian_linux:qemu-system-arm", "p-cpe:/a:debian:debian_linux:qemu-system-common", "p-cpe:/a:debian:debian_linux:qemu-system-mips", "p-cpe:/a:debian:debian_linux:qemu-system-misc", "p-cpe:/a:debian:debian_linux:qemu-system-ppc", "p-cpe:/a:debian:debian_linux:qemu-system-sparc", "p-cpe:/a:debian:debian_linux:qemu-system-x86", "p-cpe:/a:debian:debian_linux:qemu-user", "p-cpe:/a:debian:debian_linux:qemu-user-binfmt", "p-cpe:/a:debian:debian_linux:qemu-user-static", "p-cpe:/a:debian:debian_linux:qemu-utils", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2469.NASL", "href": "https://www.tenable.com/plugins/nessus/143305", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2469-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143305);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/22\");\n\n script_cve_id(\"CVE-2020-25085\", \"CVE-2020-25624\", \"CVE-2020-25625\", \"CVE-2020-25723\", \"CVE-2020-27617\");\n script_xref(name:\"IAVB\", value:\"2020-B-0063-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0075-S\");\n\n script_name(english:\"Debian DLA-2469-1 : qemu security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Some issues have been found in qemu, a fast processor emulator.\n\nAll issues are related to assertion failures, out-of-bounds access\nfailures or bad handling of return codes.\n\nFor Debian 9 stretch, these problems have been fixed in version\n1:2.8+dfsg-6+deb9u12.\n\nWe recommend that you upgrade your qemu packages.\n\nFor the detailed security status of qemu please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/qemu\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/11/msg00047.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/qemu\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/qemu\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25624\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-block-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user-binfmt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"qemu\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-block-extra\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-guest-agent\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-kvm\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-arm\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-common\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-mips\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-misc\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-ppc\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-sparc\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-x86\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-user\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-user-binfmt\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-user-static\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-utils\", reference:\"1:2.8+dfsg-6+deb9u12\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:27", "description": "Several vulnerabilities were discovered in QEMU, a fast processor emulator (notably used in KVM and Xen HVM virtualization). An attacker could trigger a denial of service (DoS), information leak, and possibly execute arbitrary code with the privileges of the QEMU process on the host.\n\nCVE-2020-15469\n\nA MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference.\n\nCVE-2020-15859\n\nQEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address.\n\nCVE-2020-25084\n\nQEMU has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.\n\nCVE-2020-28916\n\nhw/net/e1000e_core.c has an infinite loop via an RX descriptor with a NULL buffer address.\n\nCVE-2020-29130\n\nslirp.c has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length.\n\nCVE-2020-29443\n\nide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read access because a buffer index is not validated.\n\nCVE-2021-20181\n\n9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege escalation vulnerability.\n\nCVE-2021-20221\n\naarch64: GIC: out-of-bound heap buffer access via an interrupt ID field.\n\nFor Debian 9 stretch, these problems have been fixed in version 1:2.8+dfsg-6+deb9u13.\n\nWe recommend that you upgrade your qemu packages.\n\nFor the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-19T00:00:00", "type": "nessus", "title": "Debian DLA-2560-1 : qemu security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-15469", "CVE-2020-15859", "CVE-2020-25084", "CVE-2020-28916", "CVE-2020-29130", "CVE-2020-29443", "CVE-2021-20181", "CVE-2021-20221"], "modified": "2021-06-08T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:qemu", "p-cpe:/a:debian:debian_linux:qemu-block-extra", "p-cpe:/a:debian:debian_linux:qemu-guest-agent", "p-cpe:/a:debian:debian_linux:qemu-kvm", "p-cpe:/a:debian:debian_linux:qemu-system", "p-cpe:/a:debian:debian_linux:qemu-system-arm", "p-cpe:/a:debian:debian_linux:qemu-system-common", "p-cpe:/a:debian:debian_linux:qemu-system-mips", "p-cpe:/a:debian:debian_linux:qemu-system-misc", "p-cpe:/a:debian:debian_linux:qemu-system-ppc", "p-cpe:/a:debian:debian_linux:qemu-system-sparc", "p-cpe:/a:debian:debian_linux:qemu-system-x86", "p-cpe:/a:debian:debian_linux:qemu-user", "p-cpe:/a:debian:debian_linux:qemu-user-binfmt", "p-cpe:/a:debian:debian_linux:qemu-user-static", "p-cpe:/a:debian:debian_linux:qemu-utils", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2560.NASL", "href": "https://www.tenable.com/plugins/nessus/146609", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2560-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(146609);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/08\");\n\n script_cve_id(\"CVE-2020-15469\", \"CVE-2020-15859\", \"CVE-2020-25084\", \"CVE-2020-28916\", \"CVE-2020-29130\", \"CVE-2020-29443\", \"CVE-2021-20181\", \"CVE-2021-20221\");\n\n script_name(english:\"Debian DLA-2560-1 : qemu security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities were discovered in QEMU, a fast processor\nemulator (notably used in KVM and Xen HVM virtualization). An attacker\ncould trigger a denial of service (DoS), information leak, and\npossibly execute arbitrary code with the privileges of the QEMU\nprocess on the host.\n\nCVE-2020-15469\n\nA MemoryRegionOps object may lack read/write callback methods, leading\nto a NULL pointer dereference.\n\nCVE-2020-15859\n\nQEMU has a use-after-free in hw/net/e1000e_core.c because a guest OS\nuser can trigger an e1000e packet with the data's address set to the\ne1000e's MMIO address.\n\nCVE-2020-25084\n\nQEMU has a use-after-free in hw/usb/hcd-xhci.c because the\nusb_packet_map return value is not checked.\n\nCVE-2020-28916\n\nhw/net/e1000e_core.c has an infinite loop via an RX descriptor with a\nNULL buffer address.\n\nCVE-2020-29130\n\nslirp.c has a buffer over-read because it tries to read a certain\namount of header data even if that exceeds the total packet length.\n\nCVE-2020-29443\n\nide_atapi_cmd_reply_end in hw/ide/atapi.c allows out-of-bounds read\naccess because a buffer index is not validated.\n\nCVE-2021-20181\n\n9pfs: ZDI-CAN-10904: QEMU Plan 9 file system TOCTOU privilege\nescalation vulnerability.\n\nCVE-2021-20221\n\naarch64: GIC: out-of-bound heap buffer access via an interrupt ID\nfield.\n\nFor Debian 9 stretch, these problems have been fixed in version\n1:2.8+dfsg-6+deb9u13.\n\nWe recommend that you upgrade your qemu packages.\n\nFor the detailed security status of qemu please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/qemu\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2021/02/msg00024.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/qemu\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/qemu\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-block-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user-binfmt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"qemu\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-block-extra\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-guest-agent\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-kvm\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-arm\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-common\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-mips\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-misc\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-ppc\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-sparc\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-system-x86\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-user\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-user-binfmt\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-user-static\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"qemu-utils\", reference:\"1:2.8+dfsg-6+deb9u13\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-11T17:48:46", "description": "According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. (CVE-2021-20181)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of- bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. (CVE-2021-3713)\n\n - A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0. (CVE-2021-3750)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2023-01-06T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.2.6 : qemu-kvm (EulerOS-SA-2023-1051)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-35504", "CVE-2020-35505", "CVE-2021-20181", "CVE-2021-20221", "CVE-2021-3527", "CVE-2021-3682", "CVE-2021-3713", "CVE-2021-3750"], "modified": "2023-09-11T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-gpu-specs", "p-cpe:/a:huawei:euleros:qemu-guest-agent", "p-cpe:/a:huawei:euleros:qemu-img", "p-cpe:/a:huawei:euleros:qemu-kvm", "p-cpe:/a:huawei:euleros:qemu-kvm-common", "p-cpe:/a:huawei:euleros:qemu-kvm-tools", "p-cpe:/a:huawei:euleros:qemu-seabios", "cpe:/o:huawei:euleros:uvp:3.0.2.6"], "id": "EULEROS_SA-2023-1051.NASL", "href": "https://www.tenable.com/plugins/nessus/169626", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(169626);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/11\");\n\n script_cve_id(\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2021-3527\",\n \"CVE-2021-3682\",\n \"CVE-2021-3713\",\n \"CVE-2021-3750\",\n \"CVE-2021-20181\",\n \"CVE-2021-20221\"\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.2.6 : qemu-kvm (EulerOS-SA-2023-1051)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw\n allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This\n flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges\n on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as\n system availability. (CVE-2021-20181)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of\n QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an\n interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said\n issue while updating controller state fields and their subsequent processing. A privileged guest user may\n use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs\n when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A\n malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,\n resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions\n prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-\n bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this\n flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3713)\n\n - A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the\n Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be\n written to the controller's registers and trigger undesirable actions (such as reset) while the device is\n still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could\n use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or\n potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects\n QEMU versions before 7.0.0. (CVE-2021-3750)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2023-1051\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?adc8767c\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu-kvm packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/01/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/01/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-gpu-specs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-seabios\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.6\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar _release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(_release) || _release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.6\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.6\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu && \"x86\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"x86\" >!< cpu) audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"qemu-gpu-specs-2.8.1-30.095\",\n \"qemu-guest-agent-2.8.1-30.095\",\n \"qemu-img-2.8.1-30.095\",\n \"qemu-kvm-2.8.1-30.095\",\n \"qemu-kvm-common-2.8.1-30.095\",\n \"qemu-kvm-tools-2.8.1-30.095\",\n \"qemu-seabios-2.8.1-30.095\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-kvm\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T15:07:15", "description": "This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)\n\nFix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)\n\nFix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386)\n\nFix issue where s390 guest fails to find zipl boot menu index (bsc#1183979)\n\nFix OOB access in iscsi (CVE-2020-11947 bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)\n\nFix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)\n\nApply fixes to qemu scsi passthrough with respect to timeout and error conditions, including using more correct status codes. (bsc#1178049)\n\nFix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)\n\nTweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel\n\nFix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)\n\nFix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)\n\nUse '%service_del_postun_without_restart' instead of '%service_del_postun' to avoid 'Failed to try-restart qemu-ga@.service' error while updating the qemu-guest-agent.\n(bsc#1178565)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-19T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : qemu (SUSE-SU-2021:1245-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11947", "CVE-2020-12829", "CVE-2020-13361", "CVE-2020-13362", "CVE-2020-13659", "CVE-2020-13765", "CVE-2020-14364", "CVE-2020-15469", "CVE-2020-15863", "CVE-2020-16092", "CVE-2020-25084", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27617", "CVE-2020-27821", "CVE-2020-28916", "CVE-2020-29129", "CVE-2020-29130", "CVE-2020-29443", "CVE-2021-20181", "CVE-2021-20203", "CVE-2021-20221", "CVE-2021-20257", "CVE-2021-3416"], "modified": "2021-06-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-audio-alsa", "p-cpe:/a:novell:suse_linux:qemu-ui-gtk-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-audio-alsa-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-x86", "p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-audio-oss", "p-cpe:/a:novell:suse_linux:qemu-audio-oss-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-audio-pa", "p-cpe:/a:novell:suse_linux:qemu-audio-pa-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-ssh", "p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debugsource", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu-s390", "p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-ui-curses", "p-cpe:/a:novell:suse_linux:qemu-ui-curses-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-ui-gtk", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1245-1.NASL", "href": "https://www.tenable.com/plugins/nessus/148752", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1245-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148752);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/08\");\n\n script_cve_id(\"CVE-2020-11947\", \"CVE-2020-12829\", \"CVE-2020-13361\", \"CVE-2020-13362\", \"CVE-2020-13659\", \"CVE-2020-13765\", \"CVE-2020-14364\", \"CVE-2020-15469\", \"CVE-2020-15863\", \"CVE-2020-16092\", \"CVE-2020-25084\", \"CVE-2020-25624\", \"CVE-2020-25625\", \"CVE-2020-25723\", \"CVE-2020-27617\", \"CVE-2020-27821\", \"CVE-2020-28916\", \"CVE-2020-29129\", \"CVE-2020-29130\", \"CVE-2020-29443\", \"CVE-2021-20181\", \"CVE-2021-20203\", \"CVE-2021-20221\", \"CVE-2021-20257\", \"CVE-2021-3416\");\n\n script_name(english:\"SUSE SLES15 Security Update : qemu (SUSE-SU-2021:1245-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation\n(CVE-2020-13362 bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723,\nbsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084,\nbsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625,\nbsc#1176684)\n\nFix guest triggerable assert in shared network handling code\n(CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916,\nbsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix heap overflow in MSIx emulation (CVE-2020-27821, bsc#1179686)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469,\nbsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257,\nbsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation\n(CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations\n(CVE-2021-3416)\n\nFix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129,\nbsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2\nemulation (CVE-2020-13659 bsc#1172386)\n\nFix issue where s390 guest fails to find zipl boot menu index\n(bsc#1183979)\n\nFix OOB access in iscsi (CVE-2020-11947 bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)\n\nFix package scripts to not use hard-coded paths for temporary working\ndirectories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181\nbsc#1182137)\n\nApply fixes to qemu scsi passthrough with respect to timeout and error\nconditions, including using more correct status codes. (bsc#1178049)\n\nFix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)\n\nTweaks to spec file for better formatting, and remove not needed\nBuildRequires for e2fsprogs-devel and libpcap-devel\n\nFix OOB access possibility in ES1370 audio device emulation\n(CVE-2020-13361 bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)\n\nFix OOB access while processing USB packets (CVE-2020-14364\nbsc#1175441)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092\nbsc#1174641)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)\n\nUse '%service_del_postun_without_restart' instead of\n'%service_del_postun' to avoid 'Failed to try-restart\nqemu-ga@.service' error while updating the qemu-guest-agent.\n(bsc#1178565)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172383\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172384\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172385\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172478\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173612\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174641\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1175441\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176673\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176682\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176684\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178049\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178565\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179467\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179468\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179686\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180523\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181108\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181639\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181933\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182137\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182425\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1183979\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11947/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-12829/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13361/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13362/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13659/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13765/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14364/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15469/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15863/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-16092/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25084/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25624/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25625/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25723/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-27617/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-27821/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-28916/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29129/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29130/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29443/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20181/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20203/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20221/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20257/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-3416/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211245-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7ccd8e8b\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Manager Server 4.0 :\n\nzypper in -t patch\nSUSE-SLE-Product-SUSE-Manager-Server-4.0-2021-1245=1\n\nSUSE Manager Retail Branch Server 4.0 :\n\nzypper in -t patch\nSUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.0-2021-1245=1\n\nSUSE Manager Proxy 4.0 :\n\nzypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.0-2021-1245=1\n\nSUSE Linux Enterprise Server for SAP 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP1-2021-1245=1\n\nSUSE Linux Enterprise Server 15-SP1-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-SP1-LTSS-2021-1245=1\n\nSUSE Linux Enterprise Server 15-SP1-BCL :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-SP1-BCL-2021-1245=1\n\nSUSE Linux Enterprise High Performance Computing 15-SP1-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-SP1-LTSS-2021-1245=1\n\nSUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-SP1-ESPOS-2021-1245=1\n\nSUSE Enterprise Storage 6 :\n\nzypper in -t patch SUSE-Storage-6-2021-1245=1\n\nSUSE CaaS Platform 4.0 :\n\nTo install this update, use the SUSE CaaS Platform 'skuba' tool. I\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-alsa-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-oss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-oss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-pa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-pa-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-curses-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-gtk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-gtk-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-audio-alsa-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-audio-alsa-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-audio-oss-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-audio-oss-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-audio-pa-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-audio-pa-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-ui-curses-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-ui-curses-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-ui-gtk-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-ui-gtk-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-x86-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"x86_64\", reference:\"qemu-x86-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"s390x\", reference:\"qemu-s390-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-block-curl-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-block-curl-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-block-iscsi-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-block-iscsi-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-block-rbd-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-block-rbd-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-block-ssh-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-block-ssh-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-debugsource-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-guest-agent-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-guest-agent-debuginfo-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-kvm-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-lang-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-tools-3.1.1.1-9.24.3\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"qemu-tools-debuginfo-3.1.1.1-9.24.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:39:48", "description": "According to the versions of the qemu package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null. (CVE-2019-12067)\n\n - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. (CVE-2020-13754)\n\n - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)\n\n - pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer. (CVE-2020-25742)\n\n - hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call. (CVE-2020-25743)\n\n - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29129)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. (CVE-2020-29443)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. (CVE-2021-20181)\n\n - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.\n (CVE-2021-20203)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-3416)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user- gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost- user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host. (CVE-2021-3545)\n\n - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process. (CVE-2021-3546)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3593)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3595)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of- bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. (CVE-2021-3713)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-01-28T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : qemu (EulerOS-SA-2022-1034)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-12067", "CVE-2020-13754", "CVE-2020-25085", "CVE-2020-25742", "CVE-2020-25743", "CVE-2020-27617", "CVE-2020-27821", "CVE-2020-29129", "CVE-2020-29443", "CVE-2020-35504", "CVE-2020-35505", "CVE-2021-20181", "CVE-2021-20203", "CVE-2021-20221", "CVE-2021-3392", "CVE-2021-3416", "CVE-2021-3527", "CVE-2021-3544", "CVE-2021-3545", "CVE-2021-3546", "CVE-2021-3592", "CVE-2021-3593", "CVE-2021-3595", "CVE-2021-3682", "CVE-2021-3713", "CVE-2021-3748"], "modified": "2023-01-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2022-1034.NASL", "href": "https://www.tenable.com/plugins/nessus/157200", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157200);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/09\");\n\n script_cve_id(\n \"CVE-2019-12067\",\n \"CVE-2020-13754\",\n \"CVE-2020-25085\",\n \"CVE-2020-25742\",\n \"CVE-2020-25743\",\n \"CVE-2020-27617\",\n \"CVE-2020-27821\",\n \"CVE-2020-29129\",\n \"CVE-2020-29443\",\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2021-3392\",\n \"CVE-2021-3416\",\n \"CVE-2021-3527\",\n \"CVE-2021-3544\",\n \"CVE-2021-3545\",\n \"CVE-2021-3546\",\n \"CVE-2021-3592\",\n \"CVE-2021-3593\",\n \"CVE-2021-3595\",\n \"CVE-2021-3682\",\n \"CVE-2021-3713\",\n \"CVE-2021-3748\",\n \"CVE-2021-20181\",\n \"CVE-2021-20203\",\n \"CVE-2021-20221\"\n );\n script_xref(name:\"IAVB\", value:\"2020-B-0041-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0063-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0075-S\");\n\n script_name(english:\"EulerOS 2.0 SP9 : qemu (EulerOS-SA-2022-1034)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu package installed, the EulerOS installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL\n dereference) when the command header 'ad->cur_cmd' is null. (CVE-2019-12067)\n\n - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address\n in an msi-x mmio operation. (CVE-2020-13754)\n\n - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c\n mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)\n\n - pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because\n pci_get_bus() might not return a valid pointer. (CVE-2020-25742)\n\n - hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check\n before an ide_cancel_dma_sync call. (CVE-2020-25743)\n\n - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest\n can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO\n operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial\n of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of\n header data even if that exceeds the total packet length. (CVE-2020-29129)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer\n index is not validated. (CVE-2020-29443)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw\n allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This\n flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges\n on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as\n system availability. (CVE-2021-20181)\n\n - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It\n may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A\n privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.\n (CVE-2021-20203)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of\n QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an\n interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said\n issue while updating controller state fields and their subsequent processing. A privileged guest user may\n use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI\n I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req'\n from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the\n host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions\n up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get\n bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the\n host resulting in DoS scenario. (CVE-2021-3416)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions\n up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-\n gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-\n user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit\n this issue to leak memory from the host. (CVE-2021-3545)\n\n - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET'\n command from the guest. It could allow a privileged guest user to crash the QEMU process on the host,\n resulting in a denial of service condition, or potential code execution with the privileges of the QEMU\n process. (CVE-2021-3546)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw\n exists in the bootp_input() function and could occur while processing a udp packet that is smaller than\n the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of\n uninitialized heap memory from the host. The highest threat from this vulnerability is to data\n confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw\n exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the\n size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory\n disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw\n affects libslirp versions prior to 4.6.0. (CVE-2021-3593)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw\n exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the\n size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory\n disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw\n affects libslirp versions prior to 4.6.0. (CVE-2021-3595)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs\n when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A\n malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,\n resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions\n prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-\n bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this\n flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3713)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1034\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?47e746c0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3748\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"qemu-img-4.1.0-16.h10.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:02", "description": "The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4650-1 advisory.\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. (CVE-2020-25084)\n\n - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver. (CVE-2020-25624)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)\n\n - ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process. (CVE-2020-27616)\n\n - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-12-01T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : QEMU vulnerabilities (USN-4650-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17380", "CVE-2020-25084", "CVE-2020-25085", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27616", "CVE-2020-27617"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.10", "p-cpe:/a:canonical:ubuntu_linux:qemu", "p-cpe:/a:canonical:ubuntu_linux:qemu-block-extra", "p-cpe:/a:canonical:ubuntu_linux:qemu-guest-agent", "p-cpe:/a:canonical:ubuntu_linux:qemu-kvm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-common", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-data", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-gui", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-microvm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-xen", "p-cpe:/a:canonical:ubuntu_linux:qemu-user", "p-cpe:/a:canonical:ubuntu_linux:qemu-user-binfmt", "p-cpe:/a:canonical:ubuntu_linux:qemu-user-static", "p-cpe:/a:canonical:ubuntu_linux:qemu-utils"], "id": "UBUNTU_USN-4650-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143376", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4650-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143376);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2020-17380\",\n \"CVE-2020-25084\",\n \"CVE-2020-25085\",\n \"CVE-2020-25624\",\n \"CVE-2020-25625\",\n \"CVE-2020-25723\",\n \"CVE-2020-27616\",\n \"CVE-2020-27617\"\n );\n script_xref(name:\"USN\", value:\"4650-1\");\n script_xref(name:\"IAVB\", value:\"2020-B-0063-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0075-S\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : QEMU vulnerabilities (USN-4650-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple\nvulnerabilities as referenced in the USN-4650-1 advisory.\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not\n checked. (CVE-2020-25084)\n\n - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c\n mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host\n controller driver. (CVE-2020-25624)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)\n\n - ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a\n calculation. A guest can crash the QEMU process. (CVE-2020-27616)\n\n - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest\n can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4650-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-17380\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/25\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-block-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-microvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user-binfmt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-utils\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020-2023 Canonical, Inc. / NASL script (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|20\\.04|20\\.10)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04 / 20.10', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'qemu', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-system', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-system-aarch64', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-user', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '16.04', 'pkgname': 'qemu-utils', 'pkgver': '1:2.5+dfsg-5ubuntu10.48'},\n {'osver': '18.04', 'pkgname': 'qemu', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-system', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-user', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '18.04', 'pkgname': 'qemu-utils', 'pkgver': '1:2.11+dfsg-1ubuntu7.34'},\n {'osver': '20.04', 'pkgname': 'qemu', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-data', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-gui', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86-microvm', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86-xen', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-user', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.04', 'pkgname': 'qemu-utils', 'pkgver': '1:4.2-3ubuntu6.10'},\n {'osver': '20.10', 'pkgname': 'qemu', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-block-extra', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-kvm', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-arm', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-common', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-data', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-gui', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-mips', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-misc', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86-microvm', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86-xen', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-user', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-user-static', 'pkgver': '1:5.0-5ubuntu9.2'},\n {'osver': '20.10', 'pkgname': 'qemu-utils', 'pkgver': '1:5.0-5ubuntu9.2'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-extra / qemu-guest-agent / qemu-kvm / qemu-system / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:51", "description": "The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4725-1 advisory.\n\n - iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker. (CVE-2020-11947)\n\n - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.\n (CVE-2020-28916)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. (CVE-2020-29443)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-02-08T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : QEMU vulnerabilities (USN-4725-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11947", "CVE-2020-15859", "CVE-2020-27821", "CVE-2020-28916", "CVE-2020-29443", "CVE-2021-20181"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.10", "p-cpe:/a:canonical:ubuntu_linux:qemu", "p-cpe:/a:canonical:ubuntu_linux:qemu-block-extra", "p-cpe:/a:canonical:ubuntu_linux:qemu-guest-agent", "p-cpe:/a:canonical:ubuntu_linux:qemu-kvm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-common", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-data", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-gui", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-microvm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-xen", "p-cpe:/a:canonical:ubuntu_linux:qemu-user", "p-cpe:/a:canonical:ubuntu_linux:qemu-user-binfmt", "p-cpe:/a:canonical:ubuntu_linux:qemu-user-static", "p-cpe:/a:canonical:ubuntu_linux:qemu-utils"], "id": "UBUNTU_USN-4725-1.NASL", "href": "https://www.tenable.com/plugins/nessus/146303", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4725-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146303);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2020-11947\",\n \"CVE-2020-15859\",\n \"CVE-2020-27821\",\n \"CVE-2020-28916\",\n \"CVE-2020-29443\",\n \"CVE-2021-20181\"\n );\n script_xref(name:\"USN\", value:\"4725-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : QEMU vulnerabilities (USN-4725-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by multiple\nvulnerabilities as referenced in the USN-4725-1 advisory.\n\n - iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose\n unrelated information from process memory to an attacker. (CVE-2020-11947)\n\n - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e\n packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO\n operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial\n of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.\n (CVE-2020-28916)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer\n index is not validated. (CVE-2020-29443)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4725-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-block-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-microvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user-binfmt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-utils\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|20\\.04|20\\.10)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04 / 20.10', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'qemu', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-aarch64', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-user', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '16.04', 'pkgname': 'qemu-utils', 'pkgver': '1:2.5+dfsg-5ubuntu10.49'},\n {'osver': '18.04', 'pkgname': 'qemu', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-user', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '18.04', 'pkgname': 'qemu-utils', 'pkgver': '1:2.11+dfsg-1ubuntu7.35'},\n {'osver': '20.04', 'pkgname': 'qemu', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-data', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-gui', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86-microvm', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86-xen', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-user', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.04', 'pkgname': 'qemu-utils', 'pkgver': '1:4.2-3ubuntu6.12'},\n {'osver': '20.10', 'pkgname': 'qemu', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-block-extra', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-kvm', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-arm', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-common', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-data', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-gui', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-mips', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-misc', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86-microvm', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86-xen', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-user', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-user-static', 'pkgver': '1:5.0-5ubuntu9.4'},\n {'osver': '20.10', 'pkgname': 'qemu-utils', 'pkgver': '1:5.0-5ubuntu9.4'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-extra / qemu-guest-agent / qemu-kvm / qemu-system / etc');\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:40:18", "description": "According to the versions of the qemu package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null. (CVE-2019-12067)\n\n - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. (CVE-2020-13754)\n\n - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)\n\n - pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer. (CVE-2020-25742)\n\n - hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call. (CVE-2020-25743)\n\n - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29129)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. (CVE-2020-29443)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. (CVE-2021-20181)\n\n - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.\n (CVE-2021-20203)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-3416)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user- gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost- user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host. (CVE-2021-3545)\n\n - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process. (CVE-2021-3546)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3593)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3595)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of- bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. (CVE-2021-3713)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-01-28T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : qemu (EulerOS-SA-2022-1014)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-12067", "CVE-2020-13754", "CVE-2020-25085", "CVE-2020-25742", "CVE-2020-25743", "CVE-2020-27617", "CVE-2020-27821", "CVE-2020-29129", "CVE-2020-29443", "CVE-2020-35504", "CVE-2020-35505", "CVE-2021-20181", "CVE-2021-20203", "CVE-2021-20221", "CVE-2021-3392", "CVE-2021-3416", "CVE-2021-3527", "CVE-2021-3544", "CVE-2021-3545", "CVE-2021-3546", "CVE-2021-3592", "CVE-2021-3593", "CVE-2021-3595", "CVE-2021-3682", "CVE-2021-3713", "CVE-2021-3748"], "modified": "2023-01-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2022-1014.NASL", "href": "https://www.tenable.com/plugins/nessus/157171", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(157171);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/09\");\n\n script_cve_id(\n \"CVE-2019-12067\",\n \"CVE-2020-13754\",\n \"CVE-2020-25085\",\n \"CVE-2020-25742\",\n \"CVE-2020-25743\",\n \"CVE-2020-27617\",\n \"CVE-2020-27821\",\n \"CVE-2020-29129\",\n \"CVE-2020-29443\",\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2021-3392\",\n \"CVE-2021-3416\",\n \"CVE-2021-3527\",\n \"CVE-2021-3544\",\n \"CVE-2021-3545\",\n \"CVE-2021-3546\",\n \"CVE-2021-3592\",\n \"CVE-2021-3593\",\n \"CVE-2021-3595\",\n \"CVE-2021-3682\",\n \"CVE-2021-3713\",\n \"CVE-2021-3748\",\n \"CVE-2021-20181\",\n \"CVE-2021-20203\",\n \"CVE-2021-20221\"\n );\n script_xref(name:\"IAVB\", value:\"2020-B-0041-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0063-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0075-S\");\n\n script_name(english:\"EulerOS 2.0 SP9 : qemu (EulerOS-SA-2022-1014)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu package installed, the EulerOS installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL\n dereference) when the command header 'ad->cur_cmd' is null. (CVE-2019-12067)\n\n - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address\n in an msi-x mmio operation. (CVE-2020-13754)\n\n - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c\n mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)\n\n - pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because\n pci_get_bus() might not return a valid pointer. (CVE-2020-25742)\n\n - hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check\n before an ide_cancel_dma_sync call. (CVE-2020-25743)\n\n - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest\n can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO\n operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial\n of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of\n header data even if that exceeds the total packet length. (CVE-2020-29129)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer\n index is not validated. (CVE-2020-29443)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw\n allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This\n flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges\n on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as\n system availability. (CVE-2021-20181)\n\n - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It\n may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A\n privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.\n (CVE-2021-20203)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of\n QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an\n interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said\n issue while updating controller state fields and their subsequent processing. A privileged guest user may\n use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI\n I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req'\n from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the\n host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions\n up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get\n bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the\n host resulting in DoS scenario. (CVE-2021-3416)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions\n up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-\n gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-\n user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit\n this issue to leak memory from the host. (CVE-2021-3545)\n\n - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET'\n command from the guest. It could allow a privileged guest user to crash the QEMU process on the host,\n resulting in a denial of service condition, or potential code execution with the privileges of the QEMU\n process. (CVE-2021-3546)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw\n exists in the bootp_input() function and could occur while processing a udp packet that is smaller than\n the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of\n uninitialized heap memory from the host. The highest threat from this vulnerability is to data\n confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw\n exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the\n size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory\n disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw\n affects libslirp versions prior to 4.6.0. (CVE-2021-3593)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw\n exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the\n size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory\n disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw\n affects libslirp versions prior to 4.6.0. (CVE-2021-3595)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs\n when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A\n malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,\n resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions\n prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-\n bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this\n flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3713)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1014\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4ea5cba8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3748\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/01/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/01/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nvar sp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"qemu-img-4.1.0-16.h10.eulerosv2r9\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-07T14:42:28", "description": "According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :\n\n - A flaw was found in QEMU. A heap-based buffer overflow vulnerability was found in the SDHCI device emulation support allowing a guest user or process to crash the QEMU process on the host resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.\n The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-17380)\n\n - A flaw was found in QEMU. An out-of-bounds read/write access issue was found in the SDHCI Controller emulator of QEMU. It may occur while doing multi block SDMA, if transfer block size exceeds the 's->fifo_buffer[s->buf_maxsz]' size which would leave the current element pointer 's->data_count' pointing out of bounds. This would lead the subsequent DMA r/w operation to an OOB access issue where a guest user/process may use this flaw to crash the QEMU process resulting in DoS scenario. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2020-25085)\n\n - The patch for CVE-2020-17380 and CVE-2020-25085, both involving a heap buffer overflow in the SDHCI controller emulation code of QEMU, was found to be incomplete. A malicious privileged guest could reproduce the same issues with specially crafted input, inducing a bogus transfer and subsequent out-of-bounds read/write access in sdhci_do_adma() or sdhci_sdma_transfer_multi_blocks(). CVE-2021-3409 was assigned to facilitate the tracking and backporting of the new patch.(CVE-2021-3409)\n\n - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.(CVE-2021-3416)\n\n - An infinite loop flaw was found in the USB OHCI controller emulator of QEMU. This flaw occurs while servicing OHCI isochronous transfer descriptors (TD) in the ohci_service_iso_td routine, as it retires a TD if it has passed its time frame. It does not check if the TD was already processed and holds an error code in TD_CC. This issue may happen if the TD list has a loop.\n This flaw allows a guest user or process to consume CPU cycles on the host, resulting in a denial of service.(CVE-2020-25625)\n\n - An infinite loop flaw was found in the e1000e device emulator in QEMU. This issue could occur while receiving packets via the e1000e_write_packet_to_guest() routine, if the receive(RX) descriptor has a NULL buffer address. This flaw allows a privileged guest user to cause a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-28916)\n\n - An assert(3) failure flaw was found in the networking helper functions of QEMU. This vulnerability can occur in the eth_get_gso_type() routine if a packet does not have a valid networking L3 protocol (ex. IPv4, IPv6) value. This flaw allows a guest user to crash the QEMU process on the host, resulting in a denial of service.(CVE-2020-27617)\n\n - A use-after-free flaw was found in the USB(xHCI/eHCI) controller emulators of QEMU. This flaw occurs while setting up the USB packet as a usb_packet_map() routine and returns an error that was not checked. This flaw allows a guest user or process to crash the QEMU process, resulting in a denial of service.(CVE-2020-25084)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-07-02T00:00:00", "type": "nessus", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : qemu-kvm (EulerOS-SA-2021-2125)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-17380", "CVE-2020-25084", "CVE-2020-25085", "CVE-2020-25625", "CVE-2020-27617", "CVE-2020-28916", "CVE-2021-3409", "CVE-2021-3416"], "modified": "2022-05-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-img", "p-cpe:/a:huawei:euleros:qemu-kvm", "p-cpe:/a:huawei:euleros:qemu-kvm-common", "p-cpe:/a:huawei:euleros:qemu-kvm-tools", "cpe:/o:huawei:euleros:uvp:3.0.2.0"], "id": "EULEROS_SA-2021-2125.NASL", "href": "https://www.tenable.com/plugins/nessus/151333", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151333);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2020-17380\",\n \"CVE-2020-25084\",\n \"CVE-2020-25085\",\n \"CVE-2020-25625\",\n \"CVE-2020-27617\",\n \"CVE-2020-28916\",\n \"CVE-2021-3409\",\n \"CVE-2021-3416\"\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : qemu-kvm (EulerOS-SA-2021-2125)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu-kvm packages installed, the\nEulerOS Virtualization for ARM 64 installation on the remote host is\naffected by the following vulnerabilities :\n\n - A flaw was found in QEMU. A heap-based buffer overflow\n vulnerability was found in the SDHCI device emulation\n support allowing a guest user or process to crash the\n QEMU process on the host resulting in a denial of\n service condition, or potentially execute arbitrary\n code with privileges of the QEMU process on the host.\n The highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2020-17380)\n\n - A flaw was found in QEMU. An out-of-bounds read/write\n access issue was found in the SDHCI Controller emulator\n of QEMU. It may occur while doing multi block SDMA, if\n transfer block size exceeds the\n 's->fifo_buffer[s->buf_maxsz]' size which would leave\n the current element pointer 's->data_count' pointing\n out of bounds. This would lead the subsequent DMA r/w\n operation to an OOB access issue where a guest\n user/process may use this flaw to crash the QEMU\n process resulting in DoS scenario. The highest threat\n from this vulnerability is to data confidentiality and\n integrity as well as system\n availability.(CVE-2020-25085)\n\n - The patch for CVE-2020-17380 and CVE-2020-25085, both\n involving a heap buffer overflow in the SDHCI\n controller emulation code of QEMU, was found to be\n incomplete. A malicious privileged guest could\n reproduce the same issues with specially crafted input,\n inducing a bogus transfer and subsequent out-of-bounds\n read/write access in sdhci_do_adma() or\n sdhci_sdma_transfer_multi_blocks(). CVE-2021-3409 was\n assigned to facilitate the tracking and backporting of\n the new patch.(CVE-2021-3409)\n\n - A potential stack overflow via infinite loop issue was\n found in various NIC emulators of QEMU. The issue\n occurs in loopback mode of a NIC wherein reentrant DMA\n checks get bypassed. A guest user/process may use this\n flaw to consume CPU cycles or crash the QEMU process on\n the host resulting in DoS scenario.(CVE-2021-3416)\n\n - An infinite loop flaw was found in the USB OHCI\n controller emulator of QEMU. This flaw occurs while\n servicing OHCI isochronous transfer descriptors (TD) in\n the ohci_service_iso_td routine, as it retires a TD if\n it has passed its time frame. It does not check if the\n TD was already processed and holds an error code in\n TD_CC. This issue may happen if the TD list has a loop.\n This flaw allows a guest user or process to consume CPU\n cycles on the host, resulting in a denial of\n service.(CVE-2020-25625)\n\n - An infinite loop flaw was found in the e1000e device\n emulator in QEMU. This issue could occur while\n receiving packets via the\n e1000e_write_packet_to_guest() routine, if the\n receive(RX) descriptor has a NULL buffer address. This\n flaw allows a privileged guest user to cause a denial\n of service. The highest threat from this vulnerability\n is to system availability.(CVE-2020-28916)\n\n - An assert(3) failure flaw was found in the networking\n helper functions of QEMU. This vulnerability can occur\n in the eth_get_gso_type() routine if a packet does not\n have a valid networking L3 protocol (ex. IPv4, IPv6)\n value. This flaw allows a guest user to crash the QEMU\n process on the host, resulting in a denial of\n service.(CVE-2020-27617)\n\n - A use-after-free flaw was found in the USB(xHCI/eHCI)\n controller emulators of QEMU. This flaw occurs while\n setting up the USB packet as a usb_packet_map() routine\n and returns an error that was not checked. This flaw\n allows a guest user or process to crash the QEMU\n process, resulting in a denial of\n service.(CVE-2020-25084)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2125\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b2eed6d5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu-kvm packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3409\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-17380\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"qemu-img-2.8.1-30.137\",\n \"qemu-kvm-2.8.1-30.137\",\n \"qemu-kvm-common-2.8.1-30.137\",\n \"qemu-kvm-tools-2.8.1-30.137\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-kvm\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:09", "description": "This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)\n\nFix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)\n\nFix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386\n\nFix OOB access in iscsi (CVE-2020-11947 bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)\n\nFix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)\n\nFix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)\n\nDrop the 'ampersand 0x25 shift altgr' line in pt-br keymap file (bsc#1129962)\n\nFix migration failure with error message: 'error while loading state section id 3(ram) (bsc#1154790)\n\nFix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)\n\nFix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)\n\nTweaks to spec file for better formatting, and remove not needed BuildRequires for e2fsprogs-devel and libpcap-devel\n\nUse '%service_del_postun_without_restart' instead of '%service_del_postun' to avoid 'Failed to try-restart qemu-ga@.service' error while updating the qemu-guest-agent.\n(bsc#1178565)\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-19T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : qemu (SUSE-SU-2021:1244-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11947", "CVE-2020-12829", "CVE-2020-13361", "CVE-2020-13362", "CVE-2020-13659", "CVE-2020-13765", "CVE-2020-14364", "CVE-2020-15469", "CVE-2020-15863", "CVE-2020-16092", "CVE-2020-25084", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27617", "CVE-2020-28916", "CVE-2020-29129", "CVE-2020-29130", "CVE-2020-29443", "CVE-2021-20181", "CVE-2021-20203", "CVE-2021-20221", "CVE-2021-20257", "CVE-2021-3416"], "modified": "2021-06-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-ssh", "p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debugsource", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu-s390", "p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-1244-1.NASL", "href": "https://www.tenable.com/plugins/nessus/148757", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1244-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148757);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/08\");\n\n script_cve_id(\"CVE-2020-11947\", \"CVE-2020-12829\", \"CVE-2020-13361\", \"CVE-2020-13362\", \"CVE-2020-13659\", \"CVE-2020-13765\", \"CVE-2020-14364\", \"CVE-2020-15469\", \"CVE-2020-15863\", \"CVE-2020-16092\", \"CVE-2020-25084\", \"CVE-2020-25624\", \"CVE-2020-25625\", \"CVE-2020-25723\", \"CVE-2020-27617\", \"CVE-2020-28916\", \"CVE-2020-29129\", \"CVE-2020-29130\", \"CVE-2020-29443\", \"CVE-2021-20181\", \"CVE-2021-20203\", \"CVE-2021-20221\", \"CVE-2021-20257\", \"CVE-2021-3416\");\n\n script_name(english:\"SUSE SLES15 Security Update : qemu (SUSE-SU-2021:1244-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation\n(CVE-2020-13362 bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723,\nbsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084,\nbsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625,\nbsc#1176684)\n\nFix guest triggerable assert in shared network handling code\n(CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916,\nbsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469,\nbsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257,\nbsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation\n(CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations\n(CVE-2021-3416)\n\nFix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129,\nbsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2\nemulation (CVE-2020-13659 bsc#1172386\n\nFix OOB access in iscsi (CVE-2020-11947 bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092\nbsc#1174641)\n\nFix OOB access while processing USB packets (CVE-2020-14364\nbsc#1175441)\n\nFix package scripts to not use hard-coded paths for temporary working\ndirectories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181\nbsc#1182137)\n\nDrop the 'ampersand 0x25 shift altgr' line in pt-br keymap file\n(bsc#1129962)\n\nFix migration failure with error message: 'error while loading state\nsection id 3(ram) (bsc#1154790)\n\nFix OOB access possibility in ES1370 audio device emulation\n(CVE-2020-13361 bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)\n\nFix OOB access in ARM interrupt handling (CVE-2021-20221 bsc#1181933)\n\nTweaks to spec file for better formatting, and remove not needed\nBuildRequires for e2fsprogs-devel and libpcap-devel\n\nUse '%service_del_postun_without_restart' instead of\n'%service_del_postun' to avoid 'Failed to try-restart\nqemu-ga@.service' error while updating the qemu-guest-agent.\n(bsc#1178565)\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1129962\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1154790\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172383\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172384\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172385\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172478\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173612\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174641\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1175441\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176673\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176682\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176684\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178565\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179467\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179468\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180523\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181108\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181639\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181933\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182137\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182425\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11947/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-12829/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13361/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13362/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13659/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13765/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14364/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15469/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15863/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-16092/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25084/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25624/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25625/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25723/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-27617/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-28916/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29129/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29130/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29443/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20181/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20203/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20221/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20257/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-3416/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211244-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0dd14e75\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2021-1244=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2021-1244=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2021-1244=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2021-1244=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-block-curl-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-block-curl-debuginfo-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-block-iscsi-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-block-iscsi-debuginfo-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-block-rbd-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-block-rbd-debuginfo-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-block-ssh-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-block-ssh-debuginfo-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-debuginfo-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-debugsource-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-guest-agent-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-guest-agent-debuginfo-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-kvm-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-lang-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-s390-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-tools-2.11.2-9.43.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"qemu-tools-debuginfo-2.11.2-9.43.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:37", "description": "This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362, bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)\n\nFix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)\n\nFix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659, bsc#1172386)\n\nFix OOB access in iscsi (CVE-2020-11947, bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203, bsc#1181639)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092, bsc#1174641)\n\nFix OOB access while processing USB packets (CVE-2020-14364, bsc#1175441)\n\nFix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181, bsc#1182137)\n\nFix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361, bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765, bsc#1172478)\n\nFix qemu-testsuite failure\n\nFix vm migration is failing with input/output error when nfs server is disconnected (bsc#1119115)\n\nFix OOB access in ARM interrupt handling (CVE-2021-20221, bsc#1181933)\n\nFix slowness in arm32 emulation (bsc#1112499)\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362, bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)\n\nFix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)\n\nFix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129, bsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659, bsc#1172386)\n\nFix OOB access in iscsi (CVE-2020-11947, bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203, bsc#1181639)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092, bsc#1174641)\n\nFix OOB access while processing USB packets (CVE-2020-14364, bsc#1175441)\n\nFix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181, bsc#1182137)\n\nFix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361, bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765, bsc#1172478)\n\nFix qemu-testsuite failure\n\nFix vm migration is failing with input/output error when nfs server is disconnected (bsc#1119115)\n\nFix OOB access in ARM interrupt handling (CVE-2021-20221, bsc#1181933)\n\nFix slowness in arm32 emulation (bsc#1112499)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-19T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1241-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11947", "CVE-2020-12829", "CVE-2020-13361", "CVE-2020-13362", "CVE-2020-13659", "CVE-2020-13765", "CVE-2020-14364", "CVE-2020-15469", "CVE-2020-15863", "CVE-2020-16092", "CVE-2020-25084", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27617", "CVE-2020-28916", "CVE-2020-29129", "CVE-2020-29130", "CVE-2020-29443", "CVE-2021-20181", "CVE-2021-20203", "CVE-2021-20221", "CVE-2021-20257", "CVE-2021-3416"], "modified": "2021-06-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-ssh", "p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debugsource", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu-s390", "p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-x86", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1241-1.NASL", "href": "https://www.tenable.com/plugins/nessus/148761", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1241-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148761);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/08\");\n\n script_cve_id(\"CVE-2020-11947\", \"CVE-2020-12829\", \"CVE-2020-13361\", \"CVE-2020-13362\", \"CVE-2020-13659\", \"CVE-2020-13765\", \"CVE-2020-14364\", \"CVE-2020-15469\", \"CVE-2020-15863\", \"CVE-2020-16092\", \"CVE-2020-25084\", \"CVE-2020-25624\", \"CVE-2020-25625\", \"CVE-2020-25723\", \"CVE-2020-27617\", \"CVE-2020-28916\", \"CVE-2020-29129\", \"CVE-2020-29130\", \"CVE-2020-29443\", \"CVE-2021-20181\", \"CVE-2021-20203\", \"CVE-2021-20221\", \"CVE-2021-20257\", \"CVE-2021-3416\");\n\n script_name(english:\"SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1241-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation\n(CVE-2020-13362, bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723,\nbsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084,\nbsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625,\nbsc#1176684)\n\nFix guest triggerable assert in shared network handling code\n(CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916,\nbsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469,\nbsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257,\nbsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation\n(CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations\n(CVE-2021-3416)\n\nFix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129,\nbsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2\nemulation (CVE-2020-13659, bsc#1172386)\n\nFix OOB access in iscsi (CVE-2020-11947, bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203, bsc#1181639)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092,\nbsc#1174641)\n\nFix OOB access while processing USB packets (CVE-2020-14364,\nbsc#1175441)\n\nFix package scripts to not use hard-coded paths for temporary working\ndirectories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181,\nbsc#1182137)\n\nFix OOB access possibility in ES1370 audio device emulation\n(CVE-2020-13361, bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765, bsc#1172478)\n\nFix qemu-testsuite failure\n\nFix vm migration is failing with input/output error when nfs server is\ndisconnected (bsc#1119115)\n\nFix OOB access in ARM interrupt handling (CVE-2021-20221, bsc#1181933)\n\nFix slowness in arm32 emulation (bsc#1112499)\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation\n(CVE-2020-13362, bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723,\nbsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084,\nbsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625,\nbsc#1176684)\n\nFix guest triggerable assert in shared network handling code\n(CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916,\nbsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469,\nbsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257,\nbsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation\n(CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations\n(CVE-2021-3416)\n\nFix OOB access in SLIRP ARP/NCSI packet processing (CVE-2020-29129,\nbsc#1179466, CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2\nemulation (CVE-2020-13659, bsc#1172386)\n\nFix OOB access in iscsi (CVE-2020-11947, bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203, bsc#1181639)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092,\nbsc#1174641)\n\nFix OOB access while processing USB packets (CVE-2020-14364,\nbsc#1175441)\n\nFix package scripts to not use hard-coded paths for temporary working\ndirectories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181,\nbsc#1182137)\n\nFix OOB access possibility in ES1370 audio device emulation\n(CVE-2020-13361, bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765, bsc#1172478)\n\nFix qemu-testsuite failure\n\nFix vm migration is failing with input/output error when nfs server is\ndisconnected (bsc#1119115)\n\nFix OOB access in ARM interrupt handling (CVE-2021-20221, bsc#1181933)\n\nFix slowness in arm32 emulation (bsc#1112499)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1112499\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1119115\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172383\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172384\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172385\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172478\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173612\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174641\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1175441\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176673\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176682\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176684\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179467\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179468\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180523\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181108\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181639\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181933\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182137\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182425\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11947/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-12829/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13361/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13362/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13659/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13765/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14364/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15469/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15863/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-16092/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25084/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25624/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25625/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25723/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-27617/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-28916/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29129/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29130/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29443/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20181/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20203/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20221/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20257/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-3416/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211241-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8b352f51\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-9-2021-1241=1\n\nSUSE OpenStack Cloud 9 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-9-2021-1241=1\n\nSUSE Linux Enterprise Server for SAP 12-SP4 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP4-2021-1241=1\n\nSUSE Linux Enterprise Server 12-SP4-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP4-LTSS-2021-1241=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-block-rbd-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"x86_64\", reference:\"qemu-x86-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"s390x\", reference:\"qemu-s390-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-block-curl-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-block-curl-debuginfo-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-block-iscsi-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-block-iscsi-debuginfo-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-block-ssh-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-block-ssh-debuginfo-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-debugsource-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-guest-agent-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-guest-agent-debuginfo-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-kvm-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-lang-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-tools-2.11.2-5.29.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"4\", reference:\"qemu-tools-debuginfo-2.11.2-5.29.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:49", "description": "According to the versions of the qemu package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.(CVE-2020-12829)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.(CVE-2020-25624)\n\n - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.(CVE-2020-25723)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.(CVE-2020-25625)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.(CVE-2020-28916)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-05T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : qemu (EulerOS-SA-2021-1275)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12829", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-28916"], "modified": "2021-04-19T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1275.NASL", "href": "https://www.tenable.com/plugins/nessus/146243", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146243);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/04/19\");\n\n script_cve_id(\n \"CVE-2020-12829\",\n \"CVE-2020-25624\",\n \"CVE-2020-25625\",\n \"CVE-2020-25723\",\n \"CVE-2020-28916\"\n );\n\n script_name(english:\"EulerOS 2.0 SP9 : qemu (EulerOS-SA-2021-1275)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - In QEMU through 5.0.0, an integer overflow was found in\n the SM501 display driver implementation. This flaw\n occurs in the COPY_AREA macro while handling MMIO write\n operations through the sm501_2d_engine_write()\n callback. A local attacker could abuse this flaw to\n crash the QEMU process in sm501_2d_operation() in\n hw/display/sm501.c on the host, resulting in a denial\n of service.(CVE-2020-12829)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based\n buffer over-read via values obtained from the host\n controller driver.(CVE-2020-25624)\n\n - A reachable assertion issue was found in the USB EHCI\n emulation code of QEMU. It could occur while processing\n USB requests due to missing handling of DMA memory map\n failure. A malicious privileged user within the guest\n may abuse this flaw to send bogus USB requests and\n crash the QEMU process on the host, resulting in a\n denial of service.(CVE-2020-25723)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop\n when a TD list has a loop.(CVE-2020-25625)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop\n via an RX descriptor with a NULL buffer\n address.(CVE-2020-28916)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1275\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eaa0c799\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25624\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"qemu-img-4.1.0-16.h4.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:48", "description": "According to the versions of the qemu package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :\n\n - In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.(CVE-2020-12829)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver.(CVE-2020-25624)\n\n - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.(CVE-2020-25723)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop.(CVE-2020-25625)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.(CVE-2020-28916)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-02-05T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP9 : qemu (EulerOS-SA-2021-1256)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12829", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-28916"], "modified": "2021-02-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1256.NASL", "href": "https://www.tenable.com/plugins/nessus/146222", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146222);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/09\");\n\n script_cve_id(\n \"CVE-2020-12829\",\n \"CVE-2020-25624\",\n \"CVE-2020-25625\",\n \"CVE-2020-25723\",\n \"CVE-2020-28916\"\n );\n\n script_name(english:\"EulerOS 2.0 SP9 : qemu (EulerOS-SA-2021-1256)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu package installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - In QEMU through 5.0.0, an integer overflow was found in\n the SM501 display driver implementation. This flaw\n occurs in the COPY_AREA macro while handling MMIO write\n operations through the sm501_2d_engine_write()\n callback. A local attacker could abuse this flaw to\n crash the QEMU process in sm501_2d_operation() in\n hw/display/sm501.c on the host, resulting in a denial\n of service.(CVE-2020-12829)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based\n buffer over-read via values obtained from the host\n controller driver.(CVE-2020-25624)\n\n - A reachable assertion issue was found in the USB EHCI\n emulation code of QEMU. It could occur while processing\n USB requests due to missing handling of DMA memory map\n failure. A malicious privileged user within the guest\n may abuse this flaw to send bogus USB requests and\n crash the QEMU process on the host, resulting in a\n denial of service.(CVE-2020-25723)\n\n - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop\n when a TD list has a loop.(CVE-2020-25625)\n\n - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop\n via an RX descriptor with a NULL buffer\n address.(CVE-2020-28916)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1256\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fed5c9e2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-25624\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"qemu-img-4.1.0-16.h4.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-06T16:45:31", "description": "The version of qemu installed on the remote host is prior to 3.1.0-8. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2061 advisory.\n\n - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.\n (CVE-2021-3930)\n\n - A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4207)\n\n - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-06-05T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : qemu (ALAS-2023-2061)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20196", "CVE-2021-3392", "CVE-2021-3527", "CVE-2021-3930", "CVE-2021-4207", "CVE-2022-4144"], "modified": "2023-06-06T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:ivshmem-tools", "p-cpe:/a:amazon:linux:qemu", "p-cpe:/a:amazon:linux:qemu-audio-alsa", "p-cpe:/a:amazon:linux:qemu-audio-oss", "p-cpe:/a:amazon:linux:qemu-audio-pa", "p-cpe:/a:amazon:linux:qemu-audio-sdl", "p-cpe:/a:amazon:linux:qemu-block-curl", "p-cpe:/a:amazon:linux:qemu-block-dmg", "p-cpe:/a:amazon:linux:qemu-block-iscsi", "p-cpe:/a:amazon:linux:qemu-block-nfs", "p-cpe:/a:amazon:linux:qemu-block-rbd", "p-cpe:/a:amazon:linux:qemu-block-ssh", "p-cpe:/a:amazon:linux:qemu-common", "p-cpe:/a:amazon:linux:qemu-debuginfo", "p-cpe:/a:amazon:linux:qemu-guest-agent", "p-cpe:/a:amazon:linux:qemu-img", "p-cpe:/a:amazon:linux:qemu-kvm", "p-cpe:/a:amazon:linux:qemu-kvm-core", "p-cpe:/a:amazon:linux:qemu-system-aarch64", "p-cpe:/a:amazon:linux:qemu-system-aarch64-core", "p-cpe:/a:amazon:linux:qemu-system-x86", "p-cpe:/a:amazon:linux:qemu-system-x86-core", "p-cpe:/a:amazon:linux:qemu-ui-curses", "p-cpe:/a:amazon:linux:qemu-ui-gtk", "p-cpe:/a:amazon:linux:qemu-ui-sdl", "p-cpe:/a:amazon:linux:qemu-user", "p-cpe:/a:amazon:linux:qemu-user-binfmt", "p-cpe:/a:amazon:linux:qemu-user-static", "cpe:/o:amazon:linux:2"], "id": "AL2_ALAS-2023-2061.NASL", "href": "https://www.tenable.com/plugins/nessus/176677", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2023-2061.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(176677);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/06/06\");\n\n script_cve_id(\n \"CVE-2021-3392\",\n \"CVE-2021-3527\",\n \"CVE-2021-3930\",\n \"CVE-2021-4207\",\n \"CVE-2021-20196\",\n \"CVE-2022-4144\"\n );\n script_xref(name:\"IAVB\", value:\"2020-B-0075-S\");\n script_xref(name:\"IAVB\", value:\"2022-B-0057\");\n\n script_name(english:\"Amazon Linux 2 : qemu (ALAS-2023-2061)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of qemu installed on the remote host is prior to 3.1.0-8. It is, therefore, affected by multiple\nvulnerabilities as referenced in the ALAS2-2023-2061 advisory.\n\n - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while\n processing read/write ioport commands if the selected floppy drive is not initialized with a block device.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI\n I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req'\n from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the\n host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE\n SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious\n guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.\n (CVE-2021-3930)\n\n - A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values\n `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object\n followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw\n to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU\n process. (CVE-2021-4207)\n\n - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()\n function does not check the size of the structure pointed to by the guest physical address, potentially\n reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to\n crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2023-2061.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-20196.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-3392.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-3527.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-3930.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2021-4207.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/cve/html/CVE-2022-4144.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/faqs.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update qemu' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-4207\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/05/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/06/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ivshmem-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-audio-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-audio-oss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-audio-pa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-audio-sdl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-block-dmg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-block-nfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-kvm-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-system-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-system-aarch64-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-system-x86-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-ui-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-ui-gtk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-ui-sdl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-user-binfmt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:qemu-user-static\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar alas_release = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nvar os_ver = pregmatch(pattern: \"^AL(A|\\d+|-\\d+)\", string:alas_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar pkgs = [\n {'reference':'ivshmem-tools-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ivshmem-tools-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ivshmem-tools-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-alsa-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-alsa-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-alsa-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-oss-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-oss-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-oss-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-pa-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-pa-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-pa-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-sdl-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-sdl-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-audio-sdl-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-curl-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-curl-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-curl-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-dmg-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-dmg-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-dmg-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-iscsi-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-iscsi-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-iscsi-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-nfs-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-nfs-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-nfs-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-rbd-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-rbd-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-ssh-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-ssh-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-block-ssh-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-common-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-common-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-common-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-debuginfo-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-debuginfo-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-debuginfo-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-guest-agent-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-guest-agent-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-guest-agent-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-img-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-img-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-img-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-kvm-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-kvm-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-kvm-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-kvm-core-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-kvm-core-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-kvm-core-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-aarch64-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-aarch64-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-aarch64-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-aarch64-core-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-aarch64-core-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-aarch64-core-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-x86-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-x86-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-x86-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-x86-core-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-x86-core-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-system-x86-core-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-ui-curses-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-ui-curses-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-ui-curses-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-ui-gtk-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-ui-gtk-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-ui-gtk-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-ui-sdl-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-ui-sdl-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-ui-sdl-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-user-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-user-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-user-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-user-binfmt-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-user-binfmt-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-user-binfmt-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-user-static-3.1.0-8.amzn2.0.10', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-user-static-3.1.0-8.amzn2.0.10', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-user-static-3.1.0-8.amzn2.0.10', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ivshmem-tools / qemu / qemu-audio-alsa / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:21", "description": "This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)\n\nFix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916, bsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)\n\nFix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386\n\nFix OOB access in iscsi (CVE-2020-11947 bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)\n\nFix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)\n\nFix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)\n\nFix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-19T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1240-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11947", "CVE-2020-12829", "CVE-2020-13361", "CVE-2020-13362", "CVE-2020-13659", "CVE-2020-13765", "CVE-2020-14364", "CVE-2020-15469", "CVE-2020-15863", "CVE-2020-16092", "CVE-2020-25084", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27617", "CVE-2020-28916", "CVE-2020-29130", "CVE-2020-29443", "CVE-2021-20181", "CVE-2021-20203", "CVE-2021-20257", "CVE-2021-3416"], "modified": "2021-06-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-ssh", "p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debugsource", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu-s390", "p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-x86", "p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1240-1.NASL", "href": "https://www.tenable.com/plugins/nessus/148758", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1240-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148758);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/08\");\n\n script_cve_id(\"CVE-2020-11947\", \"CVE-2020-12829\", \"CVE-2020-13361\", \"CVE-2020-13362\", \"CVE-2020-13659\", \"CVE-2020-13765\", \"CVE-2020-14364\", \"CVE-2020-15469\", \"CVE-2020-15863\", \"CVE-2020-16092\", \"CVE-2020-25084\", \"CVE-2020-25624\", \"CVE-2020-25625\", \"CVE-2020-25723\", \"CVE-2020-27617\", \"CVE-2020-28916\", \"CVE-2020-29130\", \"CVE-2020-29443\", \"CVE-2021-20181\", \"CVE-2021-20203\", \"CVE-2021-20257\", \"CVE-2021-3416\");\n\n script_name(english:\"SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1240-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation\n(CVE-2020-13362 bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723,\nbsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084,\nbsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625,\nbsc#1176684)\n\nFix guest triggerable assert in shared network handling code\n(CVE-2020-27617, bsc#1178174)\n\nFix infinite loop (DoS) in e1000e device emulation (CVE-2020-28916,\nbsc#1179468)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469,\nbsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257,\nbsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation\n(CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations\n(CVE-2021-3416)\n\nFix OOB access in SLIRP ARP packet processing (CVE-2020-29130,\nbsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2\nemulation (CVE-2020-13659 bsc#1172386\n\nFix OOB access in iscsi (CVE-2020-11947 bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863, bsc#1174386)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092\nbsc#1174641)\n\nFix OOB access while processing USB packets (CVE-2020-14364\nbsc#1175441)\n\nFix package scripts to not use hard-coded paths for temporary working\ndirectories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181\nbsc#1182137)\n\nFix OOB access possibility in ES1370 audio device emulation\n(CVE-2020-13361 bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172383\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172384\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172385\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172478\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173612\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174641\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1175441\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176673\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176682\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176684\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179467\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179468\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180523\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181108\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181639\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182137\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182425\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11947/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-12829/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13361/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13362/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13659/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13765/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14364/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15469/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15863/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-16092/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25084/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25624/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25625/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25723/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-27617/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-28916/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29130/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29443/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20181/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20203/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20257/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-3416/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211240-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?89f01b2a\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud Crowbar 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-Crowbar-8-2021-1240=1\n\nSUSE OpenStack Cloud 8 :\n\nzypper in -t patch SUSE-OpenStack-Cloud-8-2021-1240=1\n\nSUSE Linux Enterprise Server for SAP 12-SP3 :\n\nzypper in -t patch SUSE-SLE-SAP-12-SP3-2021-1240=1\n\nSUSE Linux Enterprise Server 12-SP3-LTSS :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-2021-1240=1\n\nSUSE Linux Enterprise Server 12-SP3-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP3-BCL-2021-1240=1\n\nHPE Helion Openstack 8 :\n\nzypper in -t patch HPE-Helion-OpenStack-8-2021-1240=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-block-rbd-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-x86-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"x86_64\", reference:\"qemu-x86-debuginfo-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"s390x\", reference:\"qemu-s390-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", cpu:\"s390x\", reference:\"qemu-s390-debuginfo-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-block-curl-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-block-curl-debuginfo-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-block-iscsi-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-block-iscsi-debuginfo-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-block-ssh-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-block-ssh-debuginfo-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-debugsource-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-guest-agent-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-guest-agent-debuginfo-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-kvm-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-lang-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-tools-2.9.1-6.47.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"qemu-tools-debuginfo-2.9.1-6.47.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-25T15:28:15", "description": "The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9568 advisory.\n\n - In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. (CVE-2020-15469)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)\n\n - A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service. (CVE-2020-27661)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user- gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost- user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host. (CVE-2021-3545)\n\n - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process. (CVE-2021-3546)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-12-01T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : kvm_utils (ELSA-2021-9568)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-15469", "CVE-2020-17380", "CVE-2020-25085", "CVE-2020-27661", "CVE-2020-27821", "CVE-2021-20221", "CVE-2021-20257", "CVE-2021-3392", "CVE-2021-3409", "CVE-2021-3527", "CVE-2021-3544", "CVE-2021-3545", "CVE-2021-3546", "CVE-2021-3582", "CVE-2021-3607", "CVE-2021-3608"], "modified": "2022-11-21T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:hivex", "p-cpe:/a:oracle:linux:hivex-devel", "p-cpe:/a:oracle:linux:libguestfs", "p-cpe:/a:oracle:linux:libguestfs-bash-completion", "p-cpe:/a:oracle:linux:libguestfs-benchmarking", "p-cpe:/a:oracle:linux:libguestfs-devel", "p-cpe:/a:oracle:linux:libguestfs-gfs2", "p-cpe:/a:oracle:linux:libguestfs-gobject", "p-cpe:/a:oracle:linux:libguestfs-gobject-devel", "p-cpe:/a:oracle:linux:libguestfs-inspect-icons", "p-cpe:/a:oracle:linux:libguestfs-java", "p-cpe:/a:oracle:linux:libguestfs-java-devel", "p-cpe:/a:oracle:linux:libguestfs-javadoc", "p-cpe:/a:oracle:linux:libguestfs-man-pages-ja", "p-cpe:/a:oracle:linux:libguestfs-man-pages-uk", "p-cpe:/a:oracle:linux:libguestfs-rescue", "p-cpe:/a:oracle:linux:libguestfs-rsync", "p-cpe:/a:oracle:linux:libguestfs-tools", "p-cpe:/a:oracle:linux:libguestfs-tools-c", "p-cpe:/a:oracle:linux:libguestfs-winsupport", "p-cpe:/a:oracle:linux:libguestfs-xfs", "p-cpe:/a:oracle:linux:libiscsi", "p-cpe:/a:oracle:linux:libiscsi-devel", "p-cpe:/a:oracle:linux:libiscsi-utils", "p-cpe:/a:oracle:linux:libnbd", "p-cpe:/a:oracle:linux:libnbd-devel", "p-cpe:/a:oracle:linux:libvirt", "p-cpe:/a:oracle:linux:libvirt-admin", "p-cpe:/a:oracle:linux:libvirt-bash-completion", "p-cpe:/a:oracle:linux:libvirt-client", "p-cpe:/a:oracle:linux:libvirt-daemon", "p-cpe:/a:oracle:linux:libvirt-daemon-config-network", "p-cpe:/a:oracle:linux:libvirt-daemon-config-nwfilter", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-interface", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-network", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-nodedev", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-nwfilter", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-qemu", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-secret", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-core", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-disk", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-gluster", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-iscsi", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-iscsi-direct", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-logical", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-mpath", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-rbd", "p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-scsi", "p-cpe:/a:oracle:linux:libvirt-daemon-kvm", "p-cpe:/a:oracle:linux:libvirt-dbus", "p-cpe:/a:oracle:linux:libvirt-devel", "p-cpe:/a:oracle:linux:libvirt-docs", "p-cpe:/a:oracle:linux:libvirt-libs", "p-cpe:/a:oracle:linux:libvirt-lock-sanlock", "p-cpe:/a:oracle:linux:libvirt-nss", "p-cpe:/a:oracle:linux:lua-guestfs", "p-cpe:/a:oracle:linux:nbdfuse", "p-cpe:/a:oracle:linux:nbdkit", "p-cpe:/a:oracle:linux:nbdkit-bash-completion", "p-cpe:/a:oracle:linux:nbdkit-basic-filters", "p-cpe:/a:oracle:linux:nbdkit-basic-plugins", "p-cpe:/a:oracle:linux:nbdkit-curl-plugin", "p-cpe:/a:oracle:linux:nbdkit-devel", "p-cpe:/a:oracle:linux:nbdkit-example-plugins", "p-cpe:/a:oracle:linux:nbdkit-gzip-plugin", "p-cpe:/a:oracle:linux:nbdkit-linuxdisk-plugin", "p-cpe:/a:oracle:linux:nbdkit-python-plugin", "p-cpe:/a:oracle:linux:nbdkit-server", "p-cpe:/a:oracle:linux:nbdkit-ssh-plugin", "p-cpe:/a:oracle:linux:nbdkit-vddk-plugin", "p-cpe:/a:oracle:linux:nbdkit-xz-filter", "p-cpe:/a:oracle:linux:netcf", "p-cpe:/a:oracle:linux:netcf-devel", "p-cpe:/a:oracle:linux:netcf-libs", "p-cpe:/a:oracle:linux:perl-sys-guestfs", "p-cpe:/a:oracle:linux:perl-sys-virt", "p-cpe:/a:oracle:linux:perl-hivex", "p-cpe:/a:oracle:linux:python3-hivex", "p-cpe:/a:oracle:linux:python3-libguestfs", "p-cpe:/a:oracle:linux:python3-libnbd", "p-cpe:/a:oracle:linux:python3-libvirt", "p-cpe:/a:oracle:linux:qemu-guest-agent", "p-cpe:/a:oracle:linux:qemu-img", "p-cpe:/a:oracle:linux:qemu-kvm", "p-cpe:/a:oracle:linux:qemu-kvm-block-curl", "p-cpe:/a:oracle:linux:qemu-kvm-block-gluster", "p-cpe:/a:oracle:linux:qemu-kvm-block-iscsi", "p-cpe:/a:oracle:linux:qemu-kvm-block-rbd", "p-cpe:/a:oracle:linux:qemu-kvm-block-ssh", "p-cpe:/a:oracle:linux:qemu-kvm-common", "p-cpe:/a:oracle:linux:qemu-kvm-core", "p-cpe:/a:oracle:linux:ruby-hivex", "p-cpe:/a:oracle:linux:ruby-libguestfs", "p-cpe:/a:oracle:linux:seabios", "p-cpe:/a:oracle:linux:seabios-bin", "p-cpe:/a:oracle:linux:seavgabios-bin", "p-cpe:/a:oracle:linux:sgabios", "p-cpe:/a:oracle:linux:sgabios-bin", "p-cpe:/a:oracle:linux:supermin", "p-cpe:/a:oracle:linux:supermin-devel", "p-cpe:/a:oracle:linux:virt-dib", "p-cpe:/a:oracle:linux:virt-v2v"], "id": "ORACLELINUX_ELSA-2021-9568.NASL", "href": "https://www.tenable.com/plugins/nessus/155742", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2021-9568.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155742);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/21\");\n\n script_cve_id(\n \"CVE-2020-15469\",\n \"CVE-2020-27661\",\n \"CVE-2020-27821\",\n \"CVE-2021-3392\",\n \"CVE-2021-3409\",\n \"CVE-2021-3527\",\n \"CVE-2021-3544\",\n \"CVE-2021-3545\",\n \"CVE-2021-3546\",\n \"CVE-2021-3582\",\n \"CVE-2021-3607\",\n \"CVE-2021-3608\",\n \"CVE-2021-20221\",\n \"CVE-2021-20257\"\n );\n script_xref(name:\"IAVB\", value:\"2020-B-0041-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0075-S\");\n\n script_name(english:\"Oracle Linux 8 : kvm_utils (ELSA-2021-9568)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2021-9568 advisory.\n\n - In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer\n dereference. (CVE-2020-15469)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO\n operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial\n of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of\n QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an\n interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said\n issue while updating controller state fields and their subsequent processing. A privileged guest user may\n use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to\n the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This\n flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of\n service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)\n\n - A divide-by-zero issue was found in dwc2_handle_packet in hw/usb/hcd-dwc2.c in the hcd-dwc2 USB host\n controller emulation of QEMU. A malicious guest could use this flaw to crash the QEMU process on the host,\n resulting in a denial of service. (CVE-2020-27661)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI\n I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req'\n from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the\n host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions\n up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-\n gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-\n user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit\n this issue to leak memory from the host. (CVE-2021-3545)\n\n - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET'\n command from the guest. It could allow a privileged guest user to crash the QEMU process on the host,\n resulting in a denial of service condition, or potential code execution with the privileges of the QEMU\n process. (CVE-2021-3546)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2021-9568.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3546\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/12/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/12/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:hivex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:hivex-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-benchmarking\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-gfs2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-gobject\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-gobject-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-inspect-icons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-java-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-man-pages-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-man-pages-uk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-rescue\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-rsync\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-tools-c\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-winsupport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libguestfs-xfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libiscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libiscsi-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libiscsi-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libnbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libnbd-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-config-network\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-config-nwfilter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-interface\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-network\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-nodedev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-nwfilter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-secret\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-disk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-gluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-iscsi-direct\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-logical\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-mpath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-driver-storage-scsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-daemon-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-dbus\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-lock-sanlock\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:libvirt-nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:lua-guestfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdfuse\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-basic-filters\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-basic-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-curl-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-example-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-gzip-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-linuxdisk-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-python-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-ssh-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-vddk-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nbdkit-xz-filter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:netcf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:netcf-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:netcf-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perl-Sys-Guestfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perl-Sys-Virt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:perl-hivex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python3-hivex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python3-libguestfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python3-libnbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python3-libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm-block-gluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ruby-hivex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ruby-libguestfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:seabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:seabios-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:seavgabios-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:sgabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:sgabios-bin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:supermin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:supermin-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:virt-dib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:virt-v2v\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nvar os_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 8', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\nvar pkgs = [\n {'reference':'hivex-1.3.18-20.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'hivex-1.3.18-20.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'hivex-devel-1.3.18-20.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'hivex-devel-1.3.18-20.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libguestfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-bash-completion-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-benchmarking-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-benchmarking-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-devel-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-devel-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-gfs2-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-gfs2-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-gobject-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-gobject-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-gobject-devel-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-gobject-devel-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-inspect-icons-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-java-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-java-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-java-devel-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-java-devel-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-javadoc-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-man-pages-ja-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-man-pages-uk-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-rescue-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-rescue-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-rsync-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-rsync-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-tools-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-tools-c-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-tools-c-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-winsupport-8.2-1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libguestfs-winsupport-8.2-1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libguestfs-xfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libguestfs-xfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'libiscsi-1.18.0-8.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libiscsi-1.18.0-8.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libiscsi-devel-1.18.0-8.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libiscsi-devel-1.18.0-8.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libiscsi-utils-1.18.0-8.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libiscsi-utils-1.18.0-8.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libnbd-1.2.2-1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libnbd-1.2.2-1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libnbd-devel-1.2.2-1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libnbd-devel-1.2.2-1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-admin-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-admin-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-bash-completion-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-bash-completion-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-client-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-client-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-config-network-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-config-network-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-config-nwfilter-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-config-nwfilter-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-interface-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-interface-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-network-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-network-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-nodedev-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-nodedev-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-nwfilter-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-nwfilter-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-qemu-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-qemu-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-secret-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-secret-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-core-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-core-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-disk-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-disk-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-gluster-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-gluster-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-iscsi-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-iscsi-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-iscsi-direct-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-iscsi-direct-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-logical-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-logical-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-mpath-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-mpath-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-rbd-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-rbd-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-scsi-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-driver-storage-scsi-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-kvm-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-daemon-kvm-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-dbus-1.3.0-2.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-dbus-1.3.0-2.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-devel-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-devel-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-docs-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-docs-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-libs-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-libs-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-lock-sanlock-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-lock-sanlock-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-nss-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'libvirt-nss-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'lua-guestfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'lua-guestfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'nbdfuse-1.2.2-1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdfuse-1.2.2-1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-bash-completion-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-basic-filters-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-basic-filters-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-basic-plugins-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-basic-plugins-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-curl-plugin-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-curl-plugin-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-devel-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-devel-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-example-plugins-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-example-plugins-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-gzip-plugin-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-gzip-plugin-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-linuxdisk-plugin-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-linuxdisk-plugin-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-python-plugin-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-python-plugin-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-server-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-server-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-ssh-plugin-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-ssh-plugin-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-vddk-plugin-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-xz-filter-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nbdkit-xz-filter-1.16.2-4.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'netcf-0.2.8-12.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'netcf-0.2.8-12.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'netcf-devel-0.2.8-12.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'netcf-devel-0.2.8-12.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'netcf-libs-0.2.8-12.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'netcf-libs-0.2.8-12.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perl-hivex-1.3.18-20.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perl-hivex-1.3.18-20.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perl-Sys-Guestfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'perl-Sys-Guestfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'perl-Sys-Virt-4.5.0-5.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'perl-Sys-Virt-4.5.0-5.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-hivex-1.3.18-20.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-hivex-1.3.18-20.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-libguestfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'python3-libguestfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'python3-libnbd-1.2.2-1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-libnbd-1.2.2-1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-libvirt-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-libvirt-5.7.0-31.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'qemu-guest-agent-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-guest-agent-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-img-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-img-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-block-curl-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-block-curl-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-block-gluster-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-block-gluster-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-block-iscsi-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-block-iscsi-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-block-rbd-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-block-rbd-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-block-ssh-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-block-ssh-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-common-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-common-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-core-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'qemu-kvm-core-4.2.1-11.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'15'},\n {'reference':'ruby-hivex-1.3.18-20.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ruby-hivex-1.3.18-20.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'ruby-libguestfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'ruby-libguestfs-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'seabios-1.13.0-2.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'seabios-bin-1.13.0-2.module+el8.4.0+20319+6eb4347c', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'seavgabios-bin-1.13.0-2.module+el8.4.0+20319+6eb4347c', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'sgabios-0.20170427git-3.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'sgabios-bin-0.20170427git-3.module+el8.4.0+20319+6eb4347c', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'supermin-5.1.19-10.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'supermin-5.1.19-10.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'supermin-devel-5.1.19-10.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'supermin-devel-5.1.19-10.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'virt-dib-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'virt-dib-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'virt-v2v-1.40.2-25.0.1.module+el8.4.0+20319+6eb4347c', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var release = NULL;\n var sp = NULL;\n var cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && release) {\n if (exists_check) {\n if (rpm_exists(release:release, rpm:exists_check) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'hivex / hivex-devel / libguestfs / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:56", "description": "According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-35504)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.(CVE-2021-20221)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the(CVE-2021-3527)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.(CVE-2020-25084)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-35505)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.\n (CVE-2021-3545)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.(CVE-2021-3544)\n\n - A flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write vulnerability can allow a malicious guest to crash the QEMU process on the host resulting in a denial of service or potentially execute arbitrary code on the host with the privileges of the QEMU process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-3546)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.(CVE-2021-20181)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.0 : qemu (EulerOS-SA-2021-2211)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25084", "CVE-2020-35504", "CVE-2020-35505", "CVE-2021-20181", "CVE-2021-20221", "CVE-2021-3527", "CVE-2021-3544", "CVE-2021-3545", "CVE-2021-3546"], "modified": "2022-05-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu", "p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:uvp:2.9.0"], "id": "EULEROS_SA-2021-2211.NASL", "href": "https://www.tenable.com/plugins/nessus/151557", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151557);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2020-25084\",\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2021-3527\",\n \"CVE-2021-3544\",\n \"CVE-2021-3545\",\n \"CVE-2021-3546\",\n \"CVE-2021-20181\",\n \"CVE-2021-20221\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.9.0 : qemu (EulerOS-SA-2021-2211)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - A NULL pointer dereference flaw was found in the SCSI\n emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the\n QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is\n to system availability.(CVE-2020-35504)\n\n - An out-of-bounds heap buffer access issue was found in\n the ARM Generic Interrupt Controller emulator of QEMU\n up to and including qemu 4.2.0on aarch64 platform. The\n issue occurs because while writing an interrupt ID to\n the controller memory area, it is not masked to be 4\n bits wide. It may lead to the said issue while updating\n controller state fields and their subsequent\n processing. A privileged guest user may use this flaw\n to crash the QEMU process on the host resulting in DoS\n scenario.(CVE-2021-20221)\n\n - A flaw was found in the USB redirector device\n (usb-redir) of QEMU. Small USB packets are combined\n into a single, large transfer request, to reduce the\n overhead and improve performance. The combined size of\n the bulk transfer is used to dynamically allocate a\n variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a\n malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an\n excessive allocation on the(CVE-2021-3527)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c\n because the usb_packet_map return value is not\n checked.(CVE-2020-25084)\n\n - A NULL pointer dereference flaw was found in the\n am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling\n the 'Information Transfer' command. This flaw allows a\n privileged guest user to crash the QEMU process on the\n host, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-35505)\n\n - An information disclosure vulnerability was found in\n the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw\n exists in virgl_cmd_get_capset_info() in\n contrib/vhost-user-gpu/virgl.c and could occur due to\n the read of uninitialized memory. A malicious guest\n could exploit this issue to leak memory from the host.\n (CVE-2021-3545)\n\n - Several memory leaks were found in the virtio\n vhost-user GPU device (vhost-user-gpu) of QEMU in\n versions up to and including 6.0. They exist in\n contrib/vhost-user-gpu/vhost-user-gpu.c and\n contrib/vhost-user-gpu/virgl.c due to improper release\n of memory (i.e., free) after effective\n lifetime.(CVE-2021-3544)\n\n - A flaw was found in vhost-user-gpu of QEMU in versions\n up to and including 6.0. An out-of-bounds write\n vulnerability can allow a malicious guest to crash the\n QEMU process on the host resulting in a denial of\n service or potentially execute arbitrary code on the\n host with the privileges of the QEMU process. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2021-3546)\n\n - A race condition flaw was found in the 9pfs server\n implementation of QEMU up to and including 5.2.0. This\n flaw allows a malicious 9p client to cause a\n use-after-free error, potentially escalating their\n privileges on the system. The highest threat from this\n vulnerability is to confidentiality, integrity as well\n as system availability.(CVE-2021-20181)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2211\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?069e25b9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3546\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"qemu-4.1.0-2.9.1.2.285\",\n \"qemu-img-4.1.0-2.9.1.2.285\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:57:17", "description": "According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-35504)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.(CVE-2021-20221)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the(CVE-2021-3527)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.(CVE-2020-25084)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-35505)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.\n (CVE-2021-3545)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.(CVE-2021-3544)\n\n - A flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write vulnerability can allow a malicious guest to crash the QEMU process on the host resulting in a denial of service or potentially execute arbitrary code on the host with the privileges of the QEMU process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-3546)\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.(CVE-2021-20181)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.9.1 : qemu (EulerOS-SA-2021-2192)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-25084", "CVE-2020-35504", "CVE-2020-35505", "CVE-2021-20181", "CVE-2021-20221", "CVE-2021-3527", "CVE-2021-3544", "CVE-2021-3545", "CVE-2021-3546"], "modified": "2022-05-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu", "p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:uvp:2.9.1"], "id": "EULEROS_SA-2021-2192.NASL", "href": "https://www.tenable.com/plugins/nessus/151564", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151564);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/09\");\n\n script_cve_id(\n \"CVE-2020-25084\",\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2021-3527\",\n \"CVE-2021-3544\",\n \"CVE-2021-3545\",\n \"CVE-2021-3546\",\n \"CVE-2021-20181\",\n \"CVE-2021-20221\"\n );\n\n script_name(english:\"EulerOS Virtualization 2.9.1 : qemu (EulerOS-SA-2021-2192)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - A NULL pointer dereference flaw was found in the SCSI\n emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the\n QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is\n to system availability.(CVE-2020-35504)\n\n - An out-of-bounds heap buffer access issue was found in\n the ARM Generic Interrupt Controller emulator of QEMU\n up to and including qemu 4.2.0on aarch64 platform. The\n issue occurs because while writing an interrupt ID to\n the controller memory area, it is not masked to be 4\n bits wide. It may lead to the said issue while updating\n controller state fields and their subsequent\n processing. A privileged guest user may use this flaw\n to crash the QEMU process on the host resulting in DoS\n scenario.(CVE-2021-20221)\n\n - A flaw was found in the USB redirector device\n (usb-redir) of QEMU. Small USB packets are combined\n into a single, large transfer request, to reduce the\n overhead and improve performance. The combined size of\n the bulk transfer is used to dynamically allocate a\n variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a\n malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an\n excessive allocation on the(CVE-2021-3527)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c\n because the usb_packet_map return value is not\n checked.(CVE-2020-25084)\n\n - A NULL pointer dereference flaw was found in the\n am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling\n the 'Information Transfer' command. This flaw allows a\n privileged guest user to crash the QEMU process on the\n host, resulting in a denial of service. The highest\n threat from this vulnerability is to system\n availability.(CVE-2020-35505)\n\n - An information disclosure vulnerability was found in\n the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw\n exists in virgl_cmd_get_capset_info() in\n contrib/vhost-user-gpu/virgl.c and could occur due to\n the read of uninitialized memory. A malicious guest\n could exploit this issue to leak memory from the host.\n (CVE-2021-3545)\n\n - Several memory leaks were found in the virtio\n vhost-user GPU device (vhost-user-gpu) of QEMU in\n versions up to and including 6.0. They exist in\n contrib/vhost-user-gpu/vhost-user-gpu.c and\n contrib/vhost-user-gpu/virgl.c due to improper release\n of memory (i.e., free) after effective\n lifetime.(CVE-2021-3544)\n\n - A flaw was found in vhost-user-gpu of QEMU in versions\n up to and including 6.0. An out-of-bounds write\n vulnerability can allow a malicious guest to crash the\n QEMU process on the host resulting in a denial of\n service or potentially execute arbitrary code on the\n host with the privileges of the QEMU process. The\n highest threat from this vulnerability is to data\n confidentiality and integrity as well as system\n availability.(CVE-2021-3546)\n\n - A race condition flaw was found in the 9pfs server\n implementation of QEMU up to and including 5.2.0. This\n flaw allows a malicious 9p client to cause a\n use-after-free error, potentially escalating their\n privileges on the system. The highest threat from this\n vulnerability is to confidentiality, integrity as well\n as system availability.(CVE-2021-20181)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2192\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e189a498\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3546\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.9.1\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.9.1\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.9.1\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"qemu-4.1.0-2.9.1.2.285\",\n \"qemu-img-4.1.0-2.9.1.2.285\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:04", "description": "The remote Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5010-1 advisory.\n\n - In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer dereference. (CVE-2020-15469)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. (CVE-2020-29443)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices. (CVE-2020-35517)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req' from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)\n\n - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-3416)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user- gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost- user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host. (CVE-2021-3545)\n\n - A flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write vulnerability can allow a malicious guest to crash the QEMU process on the host resulting in a denial of service or potentially execute arbitrary code on the host with the privileges of the QEMU process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2021-3546)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3593)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3594)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3595)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-07-16T00:00:00", "type": "nessus", "title": "Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 : QEMU vulnerabilities (USN-5010-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-15469", "CVE-2020-17380", "CVE-2020-25085", "CVE-2020-29443", "CVE-2020-35504", "CVE-2020-35505", "CVE-2020-35517", "CVE-2021-20221", "CVE-2021-20257", "CVE-2021-3392", "CVE-2021-3409", "CVE-2021-3416", "CVE-2021-3527", "CVE-2021-3544", "CVE-2021-3545", "CVE-2021-3546", "CVE-2021-3582", "CVE-2021-3592", "CVE-2021-3593", "CVE-2021-3594", "CVE-2021-3595", "CVE-2021-3607", "CVE-2021-3608"], "modified": "2023-01-17T00:00:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.10", "cpe:/o:canonical:ubuntu_linux:21.04", "p-cpe:/a:canonical:ubuntu_linux:qemu", "p-cpe:/a:canonical:ubuntu_linux:qemu-block-extra", "p-cpe:/a:canonical:ubuntu_linux:qemu-guest-agent", "p-cpe:/a:canonical:ubuntu_linux:qemu-kvm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-common", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-data", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-gui", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-microvm", "p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-xen", "p-cpe:/a:canonical:ubuntu_linux:qemu-user", "p-cpe:/a:canonical:ubuntu_linux:qemu-user-binfmt", "p-cpe:/a:canonical:ubuntu_linux:qemu-user-static", "p-cpe:/a:canonical:ubuntu_linux:qemu-utils"], "id": "UBUNTU_USN-5010-1.NASL", "href": "https://www.tenable.com/plugins/nessus/151680", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-5010-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151680);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/17\");\n\n script_cve_id(\n \"CVE-2020-15469\",\n \"CVE-2020-29443\",\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2020-35517\",\n \"CVE-2021-3392\",\n \"CVE-2021-3409\",\n \"CVE-2021-3416\",\n \"CVE-2021-3527\",\n \"CVE-2021-3544\",\n \"CVE-2021-3545\",\n \"CVE-2021-3546\",\n \"CVE-2021-3582\",\n \"CVE-2021-3592\",\n \"CVE-2021-3593\",\n \"CVE-2021-3594\",\n \"CVE-2021-3595\",\n \"CVE-2021-3607\",\n \"CVE-2021-3608\",\n \"CVE-2021-20221\",\n \"CVE-2021-20257\"\n );\n script_xref(name:\"USN\", value:\"5010-1\");\n script_xref(name:\"IAVB\", value:\"2020-B-0041-S\");\n\n script_name(english:\"Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 : QEMU vulnerabilities (USN-5010-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 18.04 LTS / 20.04 LTS / 20.10 / 21.04 host has packages installed that are affected by multiple\nvulnerabilities as referenced in the USN-5010-1 advisory.\n\n - In QEMU 4.2.0, a MemoryRegionOps object may lack read/write callback methods, leading to a NULL pointer\n dereference. (CVE-2020-15469)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer\n index is not validated. (CVE-2020-29443)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw\n allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system\n daemon where a privileged guest user is able to create a device special file in the shared directory and\n use it to r/w access host devices. (CVE-2020-35517)\n\n - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI\n I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req'\n from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the\n host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.\n (CVE-2021-3392)\n\n - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to\n the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This\n flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of\n service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)\n\n - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions\n up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get\n bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the\n host resulting in DoS scenario. (CVE-2021-3416)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions\n up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-\n gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-\n user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit\n this issue to leak memory from the host. (CVE-2021-3545)\n\n - A flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write\n vulnerability can allow a malicious guest to crash the QEMU process on the host resulting in a denial of\n service or potentially execute arbitrary code on the host with the privileges of the QEMU process. The\n highest threat from this vulnerability is to data confidentiality and integrity as well as system\n availability. (CVE-2021-3546)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw\n exists in the bootp_input() function and could occur while processing a udp packet that is smaller than\n the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of\n uninitialized heap memory from the host. The highest threat from this vulnerability is to data\n confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw\n exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the\n size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory\n disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw\n affects libslirp versions prior to 4.6.0. (CVE-2021-3593)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw\n exists in the udp_input() function and could occur while processing a udp packet that is smaller than the\n size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory\n disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw\n affects libslirp versions prior to 4.6.0. (CVE-2021-3594)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw\n exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the\n size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory\n disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw\n affects libslirp versions prior to 4.6.0. (CVE-2021-3595)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of\n QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an\n interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said\n issue while updating controller state fields and their subsequent processing. A privileged guest user may\n use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-5010-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3546\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/02\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:21.04\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-block-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-gui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-microvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86-xen\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user-binfmt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-user-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-utils\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2021-2023 Canonical, Inc. / NASL script (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(18\\.04|20\\.04|20\\.10|21\\.04)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 18.04 / 20.04 / 20.10 / 21.04', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '18.04', 'pkgname': 'qemu', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-system', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-user', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '18.04', 'pkgname': 'qemu-utils', 'pkgver': '1:2.11+dfsg-1ubuntu7.37'},\n {'osver': '20.04', 'pkgname': 'qemu', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-data', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-gui', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86-microvm', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-system-x86-xen', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-user', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.04', 'pkgname': 'qemu-utils', 'pkgver': '1:4.2-3ubuntu6.17'},\n {'osver': '20.10', 'pkgname': 'qemu', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-block-extra', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-kvm', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-arm', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-common', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-data', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-gui', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-mips', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-misc', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86-microvm', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-system-x86-xen', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-user', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-user-static', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '20.10', 'pkgname': 'qemu-utils', 'pkgver': '1:5.0-5ubuntu9.9'},\n {'osver': '21.04', 'pkgname': 'qemu', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-data', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-gui', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-x86-microvm', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-system-x86-xen', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-user', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'},\n {'osver': '21.04', 'pkgname': 'qemu-utils', 'pkgver': '1:5.2+dfsg-9ubuntu3.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-extra / qemu-guest-agent / qemu-kvm / qemu-system / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:49", "description": "This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation (CVE-2020-13362 bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723, bsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084, bsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625, bsc#1176684)\n\nFix guest triggerable assert in shared network handling code (CVE-2020-27617, bsc#1178174)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469, bsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257, bsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation (CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations (CVE-2021-3416)\n\nFix OOB access in SLIRP ARP packet processing (CVE-2020-29130, bsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2 emulation (CVE-2020-13659 bsc#1172386\n\nFix OOB access in iscsi (CVE-2020-11947 bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092 bsc#1174641)\n\nFix OOB access while processing USB packets (CVE-2020-14364 bsc#1175441)\n\nFix package scripts to not use hard-coded paths for temporary working directories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181 bsc#1182137)\n\nFix OOB access possibility in ES1370 audio device emulation (CVE-2020-13361 bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2021-04-23T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1305-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11947", "CVE-2020-12829", "CVE-2020-13361", "CVE-2020-13362", "CVE-2020-13659", "CVE-2020-13765", "CVE-2020-14364", "CVE-2020-15469", "CVE-2020-15863", "CVE-2020-16092", "CVE-2020-25084", "CVE-2020-25624", "CVE-2020-25625", "CVE-2020-25723", "CVE-2020-27617", "CVE-2020-29130", "CVE-2020-29443", "CVE-2021-20181", "CVE-2021-20203", "CVE-2021-20257", "CVE-2021-3416"], "modified": "2021-06-08T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-block-ssh", "p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-debugsource", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo", "p-cpe:/a:novell:suse_linux:qemu-x86", "p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-1305-1.NASL", "href": "https://www.tenable.com/plugins/nessus/148966", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2021:1305-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(148966);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/06/08\");\n\n script_cve_id(\"CVE-2020-11947\", \"CVE-2020-12829\", \"CVE-2020-13361\", \"CVE-2020-13362\", \"CVE-2020-13659\", \"CVE-2020-13765\", \"CVE-2020-14364\", \"CVE-2020-15469\", \"CVE-2020-15863\", \"CVE-2020-16092\", \"CVE-2020-25084\", \"CVE-2020-25624\", \"CVE-2020-25625\", \"CVE-2020-25723\", \"CVE-2020-27617\", \"CVE-2020-29130\", \"CVE-2020-29443\", \"CVE-2021-20181\", \"CVE-2021-20203\", \"CVE-2021-20257\", \"CVE-2021-3416\");\n\n script_name(english:\"SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1305-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for qemu fixes the following issues :\n\nFix OOB access in sm501 device emulation (CVE-2020-12829, bsc#1172385)\n\nFix OOB access possibility in MegaRAID SAS 8708EM2 emulation\n(CVE-2020-13362 bsc#1172383)\n\nFix use-after-free in usb xhci packet handling (CVE-2020-25723,\nbsc#1178934)\n\nFix use-after-free in usb ehci packet handling (CVE-2020-25084,\nbsc#1176673)\n\nFix OOB access in usb hcd-ohci emulation (CVE-2020-25624, bsc#1176682)\n\nFix infinite loop (DoS) in usb hcd-ohci emulation (CVE-2020-25625,\nbsc#1176684)\n\nFix guest triggerable assert in shared network handling code\n(CVE-2020-27617, bsc#1178174)\n\nFix OOB access in atapi emulation (CVE-2020-29443, bsc#1181108)\n\nFix NULL pointer deref. (DoS) in mmio ops (CVE-2020-15469,\nbsc#1173612)\n\nFix infinite loop (DoS) in e1000 device emulation (CVE-2021-20257,\nbsc#1182577)\n\nFix OOB access (stack overflow) in rtl8139 NIC emulation\n(CVE-2021-3416, bsc#1182968)\n\nFix OOB access (stack overflow) in other NIC emulations\n(CVE-2021-3416)\n\nFix OOB access in SLIRP ARP packet processing (CVE-2020-29130,\nbsc#1179467)\n\nFix NULL pointer dereference possibility (DoS) in MegaRAID SAS 8708EM2\nemulation (CVE-2020-13659 bsc#1172386\n\nFix OOB access in iscsi (CVE-2020-11947 bsc#1180523)\n\nFix OOB access in vmxnet3 emulation (CVE-2021-20203 bsc#1181639)\n\nFix buffer overflow in the XGMAC device (CVE-2020-15863 bsc#1174386)\n\nFix DoS in packet processing of various emulated NICs (CVE-2020-16092\nbsc#1174641)\n\nFix OOB access while processing USB packets (CVE-2020-14364\nbsc#1175441)\n\nFix package scripts to not use hard-coded paths for temporary working\ndirectories and log files (bsc#1182425)\n\nFix potential privilege escalation in virtfs (CVE-2021-20181\nbsc#1182137)\n\nFix OOB access possibility in ES1370 audio device emulation\n(CVE-2020-13361 bsc#1172384)\n\nFix OOB access in ROM loading (CVE-2020-13765 bsc#1172478)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172383\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172384\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172385\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172478\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173612\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174386\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1174641\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1175441\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176673\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176682\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1176684\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178174\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1178934\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1179467\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1180523\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181108\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1181639\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182137\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182425\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182577\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1182968\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11947/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-12829/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13361/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13362/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13659/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-13765/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-14364/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15469/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15863/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-16092/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25084/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25624/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25625/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-25723/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-27617/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29130/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-29443/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20181/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20203/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-20257/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2021-3416/\"\n );\n # https://www.suse.com/support/update/announcement/2021/suse-su-20211305-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?97413f9f\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP2-LTSS-SAP :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-SAP-2021-1305=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-LTSS-ERICSSON-2021-1305=1\n\nSUSE Linux Enterprise Server 12-SP2-BCL :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP2-BCL-2021-1305=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-curl-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-curl-debuginfo-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-rbd-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-rbd-debuginfo-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-ssh-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-block-ssh-debuginfo-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-debugsource-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-guest-agent-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-guest-agent-debuginfo-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-kvm-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-lang-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-tools-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-tools-debuginfo-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-x86-2.6.2-41.62.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"qemu-x86-debuginfo-2.6.2-41.62.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:41", "description": "According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null. (CVE-2019-12067)\n\n - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. (CVE-2020-25084)\n\n - pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer. (CVE-2020-25742)\n\n - hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call. (CVE-2020-25743)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)\n\n - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.\n (CVE-2021-20203)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user- gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost- user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host. (CVE-2021-3545)\n\n - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process. (CVE-2021-3546)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. (CVE-2021-3748)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-04-18T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-1418)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-12067", "CVE-2020-15859", "CVE-2020-25084", "CVE-2020-25742", "CVE-2020-25743", "CVE-2020-35504", "CVE-2020-35505", "CVE-2021-20196", "CVE-2021-20203", "CVE-2021-20221", "CVE-2021-20255", "CVE-2021-3544", "CVE-2021-3545", "CVE-2021-3546", "CVE-2021-3682", "CVE-2021-3748"], "modified": "2023-01-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu", "p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:uvp:2.10.0"], "id": "EULEROS_SA-2022-1418.NASL", "href": "https://www.tenable.com/plugins/nessus/159876", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159876);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/09\");\n\n script_cve_id(\n \"CVE-2019-12067\",\n \"CVE-2020-15859\",\n \"CVE-2020-25084\",\n \"CVE-2020-25742\",\n \"CVE-2020-25743\",\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2021-3544\",\n \"CVE-2021-3545\",\n \"CVE-2021-3546\",\n \"CVE-2021-3682\",\n \"CVE-2021-3748\",\n \"CVE-2021-20196\",\n \"CVE-2021-20203\",\n \"CVE-2021-20221\",\n \"CVE-2021-20255\"\n );\n script_xref(name:\"IAVB\", value:\"2020-B-0041-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0063-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0075-S\");\n\n script_name(english:\"EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-1418)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is\naffected by the following vulnerabilities :\n\n - The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL\n dereference) when the command header 'ad->cur_cmd' is null. (CVE-2019-12067)\n\n - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e\n packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not\n checked. (CVE-2020-25084)\n\n - pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because\n pci_get_bus() might not return a valid pointer. (CVE-2020-25742)\n\n - hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check\n before an ide_cancel_dma_sync call. (CVE-2020-25743)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw\n allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while\n processing read/write ioport commands if the selected floppy drive is not initialized with a block device.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)\n\n - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It\n may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A\n privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.\n (CVE-2021-20203)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of\n QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an\n interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said\n issue while updating controller state fields and their subsequent processing. A privileged guest user may\n use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator\n of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw\n allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a\n denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions\n up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-\n gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-\n user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit\n this issue to leak memory from the host. (CVE-2021-3545)\n\n - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET'\n command from the guest. It could allow a privileged guest user to crash the QEMU process on the host,\n resulting in a denial of service condition, or potential code execution with the privileges of the QEMU\n process. (CVE-2021-3546)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs\n when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A\n malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,\n resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3682)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the\n descriptor's address belongs to the non direct access region, due to num_buffers being set after the\n virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a\n denial of service condition, or potentially execute code on the host with the privileges of the QEMU\n process. (CVE-2021-3748)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1418\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0edfba8e\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3748\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.10.0\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.10.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.10.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"qemu-4.1.0-2.10.0.3.427\",\n \"qemu-img-4.1.0-2.10.0.3.427\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-14T14:37:21", "description": "The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3613-1 advisory.\n\n - A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35503)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. (CVE-2020-35506)\n\n - A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of- bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. (CVE-2021-3713)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. (CVE-2021-3748)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-05T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : qemu (SUSE-SU-2021:3613-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-35503", "CVE-2020-35504", "CVE-2020-35505", "CVE-2020-35506", "CVE-2021-20255", "CVE-2021-3527", "CVE-2021-3682", "CVE-2021-3713", "CVE-2021-3748"], "modified": "2023-07-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-arm", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-block-ssh", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-ipxe", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu-ppc", "p-cpe:/a:novell:suse_linux:qemu-s390", "p-cpe:/a:novell:suse_linux:qemu-seabios", "p-cpe:/a:novell:suse_linux:qemu-sgabios", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-vgabios", "p-cpe:/a:novell:suse_linux:qemu-x86", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-3613-1.NASL", "href": "https://www.tenable.com/plugins/nessus/154922", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:3613-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154922);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/13\");\n\n script_cve_id(\n \"CVE-2020-35503\",\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2020-35506\",\n \"CVE-2021-3527\",\n \"CVE-2021-3682\",\n \"CVE-2021-3713\",\n \"CVE-2021-3748\",\n \"CVE-2021-20255\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:3613-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : qemu (SUSE-SU-2021:3613-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2021:3613-1 advisory.\n\n - A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in\n versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function\n while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the\n host, resulting in a denial of service. The highest threat from this vulnerability is to system\n availability. (CVE-2020-35503)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw\n allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows\n a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or\n potential code execution with the privileges of the QEMU process. (CVE-2020-35506)\n\n - A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator\n of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw\n allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a\n denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs\n when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A\n malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,\n resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions\n prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-\n bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this\n flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3713)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the\n descriptor's address belongs to the non direct access region, due to num_buffers being set after the\n virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a\n denial of service condition, or potentially execute code on the host with the privileges of the QEMU\n process. (CVE-2021-3748)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180432\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180433\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180435\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182651\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186012\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35503\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35504\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35505\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35506\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-20255\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3527\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3713\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3748\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-November/009698.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?4ee7ab10\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3748\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ipxe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-seabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-sgabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-vgabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)(?:_SAP)?\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15|SLES_SAP15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15 / SLES_SAP15', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + service_pack);\nif (os_ver == \"SLES_SAP15\" && (! preg(pattern:\"^(0)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES_SAP15 SP0\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'qemu-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-block-curl-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-block-iscsi-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-block-rbd-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-block-ssh-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-guest-agent-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-ipxe-1.0.0+-70.59.1', 'sp':'0', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-kvm-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-lang-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-seabios-1.11.0_0_g63451fc-70.59.1', 'sp':'0', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-sgabios-8-70.59.1', 'sp':'0', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-tools-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-vgabios-1.11.0_0_g63451fc-70.59.1', 'sp':'0', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-x86-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15']},\n {'reference':'qemu-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-arm-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-arm-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15', 'sles-ltss-release-15']},\n {'reference':'qemu-block-curl-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-curl-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-curl-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-curl-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-iscsi-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-iscsi-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-iscsi-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-iscsi-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-rbd-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-rbd-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-rbd-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-rbd-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-ssh-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-ssh-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-ssh-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-block-ssh-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-guest-agent-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-guest-agent-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-guest-agent-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-guest-agent-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-ipxe-1.0.0+-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-ipxe-1.0.0+-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15', 'sles-ltss-release-15']},\n {'reference':'qemu-kvm-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-kvm-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-lang-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-lang-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-lang-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-lang-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-seabios-1.11.0_0_g63451fc-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-seabios-1.11.0_0_g63451fc-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15', 'sles-ltss-release-15']},\n {'reference':'qemu-sgabios-8-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-sgabios-8-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15', 'sles-ltss-release-15']},\n {'reference':'qemu-tools-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-tools-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-tools-2.11.2-70.59.1', 'sp':'0', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-tools-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-vgabios-1.11.0_0_g63451fc-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-vgabios-1.11.0_0_g63451fc-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15', 'sles-ltss-release-15']},\n {'reference':'qemu-x86-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15']},\n {'reference':'qemu-x86-2.11.2-70.59.1', 'sp':'0', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-15', 'SLE_HPC-LTSS-release-15', 'sles-ltss-release-15']},\n {'reference':'qemu-2.11.2-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'qemu-block-curl-2.11.2-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'qemu-block-iscsi-2.11.2-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'qemu-block-rbd-2.11.2-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'qemu-block-ssh-2.11.2-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'qemu-guest-agent-2.11.2-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'qemu-kvm-2.11.2-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'qemu-lang-2.11.2-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'qemu-s390-2.11.2-70.59.1', 'sp':'0', 'cpu':'s390x', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']},\n {'reference':'qemu-tools-2.11.2-70.59.1', 'sp':'0', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n if ('ltss' >< tolower(check)) ltss_caveat_required = TRUE;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-arm / qemu-block-curl / qemu-block-iscsi / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-14T14:38:44", "description": "The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3635-1 advisory.\n\n - A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35503)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. (CVE-2020-35506)\n\n - A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of- bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. (CVE-2021-3713)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. (CVE-2021-3748)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-10T00:00:00", "type": "nessus", "title": "SUSE SLES12 Security Update : qemu (SUSE-SU-2021:3635-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-35503", "CVE-2020-35504", "CVE-2020-35505", "CVE-2020-35506", "CVE-2021-20255", "CVE-2021-3527", "CVE-2021-3682", "CVE-2021-3713", "CVE-2021-3748"], "modified": "2023-07-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-arm", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-block-ssh", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-ipxe", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu-ppc", "p-cpe:/a:novell:suse_linux:qemu-s390", "p-cpe:/a:novell:suse_linux:qemu-seabios", "p-cpe:/a:novell:suse_linux:qemu-sgabios", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-vgabios", "p-cpe:/a:novell:suse_linux:qemu-x86", "cpe:/o:novell:suse_linux:12"], "id": "SUSE_SU-2021-3635-1.NASL", "href": "https://www.tenable.com/plugins/nessus/155004", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:3635-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(155004);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/13\");\n\n script_cve_id(\n \"CVE-2020-35503\",\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2020-35506\",\n \"CVE-2021-3527\",\n \"CVE-2021-3682\",\n \"CVE-2021-3713\",\n \"CVE-2021-3748\",\n \"CVE-2021-20255\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:3635-1\");\n\n script_name(english:\"SUSE SLES12 Security Update : qemu (SUSE-SU-2021:3635-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2021:3635-1 advisory.\n\n - A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in\n versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function\n while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the\n host, resulting in a denial of service. The highest threat from this vulnerability is to system\n availability. (CVE-2020-35503)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw\n allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows\n a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or\n potential code execution with the privileges of the QEMU process. (CVE-2020-35506)\n\n - A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator\n of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw\n allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a\n denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs\n when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A\n malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,\n resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions\n prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-\n bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this\n flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3713)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the\n descriptor's address belongs to the non direct access region, due to num_buffers being set after the\n virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a\n denial of service condition, or potentially execute code on the host with the privileges of the QEMU\n process. (CVE-2021-3748)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180432\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180433\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180435\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182651\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186012\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35503\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35504\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35505\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35506\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-20255\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3527\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3713\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3748\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-November/009705.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e9064c04\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3748\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ipxe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-seabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-sgabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-vgabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)(?:_SAP)?\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12|SLES_SAP12)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES12 / SLES_SAP12', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(4)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES12 SP4\", os_ver + \" SP\" + service_pack);\nif (os_ver == \"SLES_SAP12\" && (! preg(pattern:\"^(4)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES_SAP12 SP4\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'qemu-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-block-curl-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-block-iscsi-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-block-rbd-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-block-ssh-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-guest-agent-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-ipxe-1.0.0+-5.40.2', 'sp':'4', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-kvm-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-lang-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-seabios-1.11.0_0_g63451fc-5.40.2', 'sp':'4', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-sgabios-8-5.40.2', 'sp':'4', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-tools-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-vgabios-1.11.0_0_g63451fc-5.40.2', 'sp':'4', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-x86-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES_SAP12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-12.4']},\n {'reference':'qemu-2.11.2-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-arm-2.11.2-5.40.2', 'sp':'4', 'cpu':'aarch64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-block-curl-2.11.2-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-block-iscsi-2.11.2-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-block-rbd-2.11.2-5.40.2', 'sp':'4', 'cpu':'aarch64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-block-rbd-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-block-ssh-2.11.2-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-guest-agent-2.11.2-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-ipxe-1.0.0+-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-kvm-2.11.2-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-lang-2.11.2-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-s390-2.11.2-5.40.2', 'sp':'4', 'cpu':'s390x', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-seabios-1.11.0_0_g63451fc-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-sgabios-8-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-tools-2.11.2-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-vgabios-1.11.0_0_g63451fc-5.40.2', 'sp':'4', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']},\n {'reference':'qemu-x86-2.11.2-5.40.2', 'sp':'4', 'cpu':'x86_64', 'release':'SLES12', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-release-12.4']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n if ('ltss' >< tolower(check)) ltss_caveat_required = TRUE;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-arm / qemu-block-curl / qemu-block-iscsi / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:53", "description": "The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2970 advisory.\n\n - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3593)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. (CVE-2021-3748)\n\n - An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.\n (CVE-2021-3930)\n\n - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.\n Affected QEMU versions <= 6.2.0. (CVE-2022-26354)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-04-05T00:00:00", "type": "nessus", "title": "Debian DLA-2970-1 : qemu - LTS security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20196", "CVE-2021-3593", "CVE-2021-3748", "CVE-2021-3930", "CVE-2022-26354"], "modified": "2023-01-09T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:qemu", "p-cpe:/a:debian:debian_linux:qemu-block-extra", "p-cpe:/a:debian:debian_linux:qemu-guest-agent", "p-cpe:/a:debian:debian_linux:qemu-kvm", "p-cpe:/a:debian:debian_linux:qemu-system", "p-cpe:/a:debian:debian_linux:qemu-system-arm", "p-cpe:/a:debian:debian_linux:qemu-system-common", "p-cpe:/a:debian:debian_linux:qemu-system-mips", "p-cpe:/a:debian:debian_linux:qemu-system-misc", "p-cpe:/a:debian:debian_linux:qemu-system-ppc", "p-cpe:/a:debian:debian_linux:qemu-system-sparc", "p-cpe:/a:debian:debian_linux:qemu-system-x86", "p-cpe:/a:debian:debian_linux:qemu-user", "p-cpe:/a:debian:debian_linux:qemu-user-binfmt", "p-cpe:/a:debian:debian_linux:qemu-user-static", "p-cpe:/a:debian:debian_linux:qemu-utils", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2970.NASL", "href": "https://www.tenable.com/plugins/nessus/159511", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory dla-2970. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159511);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/09\");\n\n script_cve_id(\n \"CVE-2021-3593\",\n \"CVE-2021-3748\",\n \"CVE-2021-3930\",\n \"CVE-2021-20196\",\n \"CVE-2022-26354\"\n );\n\n script_name(english:\"Debian DLA-2970-1 : qemu - LTS security update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing one or more security-related updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the\ndla-2970 advisory.\n\n - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while\n processing read/write ioport commands if the selected floppy drive is not initialized with a block device.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)\n\n - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw\n exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the\n size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory\n disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw\n affects libslirp versions prior to 4.6.0. (CVE-2021-3593)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the\n descriptor's address belongs to the non direct access region, due to num_buffers being set after the\n virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a\n denial of service condition, or potentially execute code on the host with the privileges of the QEMU\n process. (CVE-2021-3748)\n\n - An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE\n SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious\n guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.\n (CVE-2021-3930)\n\n - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached\n from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.\n Affected QEMU versions <= 6.2.0. (CVE-2022-26354)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/source-package/qemu\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.debian.org/lts/security/2022/dla-2970\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-20196\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3593\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3748\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2021-3930\");\n script_set_attribute(attribute:\"see_also\", value:\"https://security-tracker.debian.org/tracker/CVE-2022-26354\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/stretch/qemu\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the qemu packages.\n\nFor Debian 9 stretch, these problems have been fixed in version 1\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3748\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-block-extra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user-binfmt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-user-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:qemu-utils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar release = get_kb_item('Host/Debian/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');\nvar release = chomp(release);\nif (! preg(pattern:\"^(9)\\.[0-9]+\", string:release)) audit(AUDIT_OS_NOT, 'Debian 9.0', 'Debian ' + release);\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);\n\nvar pkgs = [\n {'release': '9.0', 'prefix': 'qemu', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-block-extra', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-guest-agent', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-kvm', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-system', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-system-arm', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-system-common', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-system-mips', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-system-misc', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-system-ppc', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-system-sparc', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-system-x86', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-user', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-user-binfmt', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-user-static', 'reference': '1:2.8+dfsg-6+deb9u17'},\n {'release': '9.0', 'prefix': 'qemu-utils', 'reference': '1:2.8+dfsg-6+deb9u17'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var release = NULL;\n var prefix = NULL;\n var reference = NULL;\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (release && prefix && reference) {\n if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : deb_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = deb_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-extra / qemu-guest-agent / qemu-kvm / qemu-system / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-15T18:45:51", "description": "The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3614-1 advisory.\n\n - A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35503)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or potential code execution with the privileges of the QEMU process. (CVE-2020-35506)\n\n - A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of- bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. (CVE-2021-3713)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. (CVE-2021-3748)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-11-05T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : qemu (SUSE-SU-2021:3614-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-35503", "CVE-2020-35504", "CVE-2020-35505", "CVE-2020-35506", "CVE-2021-20255", "CVE-2021-3527", "CVE-2021-3682", "CVE-2021-3713", "CVE-2021-3748"], "modified": "2023-07-13T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:qemu", "p-cpe:/a:novell:suse_linux:qemu-arm", "p-cpe:/a:novell:suse_linux:qemu-audio-alsa", "p-cpe:/a:novell:suse_linux:qemu-audio-oss", "p-cpe:/a:novell:suse_linux:qemu-audio-pa", "p-cpe:/a:novell:suse_linux:qemu-block-curl", "p-cpe:/a:novell:suse_linux:qemu-block-iscsi", "p-cpe:/a:novell:suse_linux:qemu-block-rbd", "p-cpe:/a:novell:suse_linux:qemu-block-ssh", "p-cpe:/a:novell:suse_linux:qemu-guest-agent", "p-cpe:/a:novell:suse_linux:qemu-ipxe", "p-cpe:/a:novell:suse_linux:qemu-kvm", "p-cpe:/a:novell:suse_linux:qemu-lang", "p-cpe:/a:novell:suse_linux:qemu-ppc", "p-cpe:/a:novell:suse_linux:qemu-s390", "p-cpe:/a:novell:suse_linux:qemu-seabios", "p-cpe:/a:novell:suse_linux:qemu-sgabios", "p-cpe:/a:novell:suse_linux:qemu-tools", "p-cpe:/a:novell:suse_linux:qemu-ui-curses", "p-cpe:/a:novell:suse_linux:qemu-ui-gtk", "p-cpe:/a:novell:suse_linux:qemu-vgabios", "p-cpe:/a:novell:suse_linux:qemu-x86", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2021-3614-1.NASL", "href": "https://www.tenable.com/plugins/nessus/154927", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2021:3614-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154927);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/13\");\n\n script_cve_id(\n \"CVE-2020-35503\",\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2020-35506\",\n \"CVE-2021-3527\",\n \"CVE-2021-3682\",\n \"CVE-2021-3713\",\n \"CVE-2021-3748\",\n \"CVE-2021-20255\"\n );\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2021:3614-1\");\n\n script_name(english:\"SUSE SLES15 Security Update : qemu (SUSE-SU-2021:3614-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2021:3614-1 advisory.\n\n - A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in\n versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function\n while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the\n host, resulting in a denial of service. The highest threat from this vulnerability is to system\n availability. (CVE-2020-35503)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw\n allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows\n a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or\n potential code execution with the privileges of the QEMU process. (CVE-2020-35506)\n\n - A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator\n of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw\n allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a\n denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs\n when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A\n malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,\n resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3682)\n\n - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions\n prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-\n bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this\n flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3713)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the\n descriptor's address belongs to the non direct access region, due to num_buffers being set after the\n virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a\n denial of service condition, or potentially execute code on the host with the privileges of the QEMU\n process. (CVE-2021-3748)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180432\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180433\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180434\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1180435\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1182651\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1186012\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189145\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189702\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1189938\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35503\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35504\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35505\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-35506\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-20255\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3527\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3682\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3713\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2021-3748\");\n # https://lists.suse.com/pipermail/sle-security-updates/2021-November/009697.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c366fb13\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3748\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/11/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-alsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-oss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-audio-pa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-curl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-iscsi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-rbd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-block-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ipxe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-s390\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-seabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-sgabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-curses\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-ui-gtk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-vgabios\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:qemu-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)(?:_SAP)?\\d+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15|SLES_SAP15)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15 / SLES_SAP15', 'SUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + service_pack);\nif (os_ver == \"SLES_SAP15\" && (! preg(pattern:\"^(1)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES_SAP15 SP1\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'qemu-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-audio-alsa-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-audio-oss-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-audio-pa-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-block-curl-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-block-iscsi-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-block-rbd-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-block-ssh-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-guest-agent-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-ipxe-1.0.0+-80.40.1', 'sp':'1', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-kvm-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-lang-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-seabios-1.12.0_0_ga698c89-80.40.1', 'sp':'1', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-sgabios-8-80.40.1', 'sp':'1', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-tools-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-ui-curses-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-ui-gtk-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-vgabios-1.12.0_0_ga698c89-80.40.1', 'sp':'1', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-x86-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES_SAP15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLES_SAP-release-15.1']},\n {'reference':'qemu-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'qemu-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-arm-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'qemu-audio-alsa-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-audio-oss-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-audio-pa-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-block-curl-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'qemu-block-curl-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-block-iscsi-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'qemu-block-iscsi-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-block-rbd-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'qemu-block-rbd-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-block-ssh-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'qemu-block-ssh-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-guest-agent-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'qemu-guest-agent-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-ipxe-1.0.0+-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-kvm-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-lang-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'qemu-lang-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-seabios-1.12.0_0_ga698c89-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-sgabios-8-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-tools-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1']},\n {'reference':'qemu-tools-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-ui-curses-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-ui-gtk-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-vgabios-1.12.0_0_ga698c89-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-x86-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-ESPOS-release-1', 'sles-release-15.1']},\n {'reference':'qemu-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-arm-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},\n {'reference':'qemu-audio-alsa-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},\n {'reference':'qemu-audio-oss-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},\n {'reference':'qemu-audio-pa-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},\n {'reference':'qemu-block-curl-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-block-curl-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-block-iscsi-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-block-iscsi-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-block-rbd-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-block-rbd-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-block-ssh-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-block-ssh-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-guest-agent-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-guest-agent-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-ipxe-1.0.0+-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},\n {'reference':'qemu-kvm-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-lang-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-lang-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-seabios-1.12.0_0_ga698c89-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},\n {'reference':'qemu-sgabios-8-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},\n {'reference':'qemu-tools-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'aarch64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-tools-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1']},\n {'reference':'qemu-ui-curses-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},\n {'reference':'qemu-ui-gtk-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},\n {'reference':'qemu-vgabios-1.12.0_0_ga698c89-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},\n {'reference':'qemu-x86-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'x86_64', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['SLE_HPC-LTSS-release-15.1', 'sles-ltss-release-15.1']},\n {'reference':'qemu-3.1.1.1-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'qemu-block-curl-3.1.1.1-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'qemu-block-iscsi-3.1.1.1-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'qemu-block-rbd-3.1.1.1-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'qemu-block-ssh-3.1.1.1-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'qemu-guest-agent-3.1.1.1-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'qemu-kvm-3.1.1.1-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'qemu-lang-3.1.1.1-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'qemu-s390-3.1.1.1-80.40.1', 'sp':'1', 'cpu':'s390x', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']},\n {'reference':'qemu-tools-3.1.1.1-80.40.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sles-ltss-release-15.1']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n if ('ltss' >< tolower(check)) ltss_caveat_required = TRUE;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n var ltss_plugin_caveat = NULL;\n if(ltss_caveat_required) ltss_plugin_caveat = '\\n' +\n 'NOTE: This vulnerability check contains fixes that apply to\\n' +\n 'packages only available in SUSE Enterprise Linux Server LTSS\\n' +\n 'repositories. Access to these package security updates require\\n' +\n 'a paid SUSE LTSS subscription.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + ltss_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-arm / qemu-audio-alsa / qemu-audio-oss / qemu-audio-pa / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:43:41", "description": "According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null. (CVE-2019-12067)\n\n - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. (CVE-2020-25084)\n\n - pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer. (CVE-2020-25742)\n\n - hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call. (CVE-2020-25743)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)\n\n - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.\n (CVE-2021-20203)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user- gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost- user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host. (CVE-2021-3545)\n\n - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process. (CVE-2021-3546)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. (CVE-2021-3748)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2022-04-18T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 2.10.1 : qemu (EulerOS-SA-2022-1392)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-12067", "CVE-2020-15859", "CVE-2020-25084", "CVE-2020-25742", "CVE-2020-25743", "CVE-2020-35504", "CVE-2020-35505", "CVE-2021-20196", "CVE-2021-20203", "CVE-2021-20221", "CVE-2021-20255", "CVE-2021-3544", "CVE-2021-3545", "CVE-2021-3546", "CVE-2021-3682", "CVE-2021-3748"], "modified": "2023-01-09T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu", "p-cpe:/a:huawei:euleros:qemu-img", "cpe:/o:huawei:euleros:uvp:2.10.1"], "id": "EULEROS_SA-2022-1392.NASL", "href": "https://www.tenable.com/plugins/nessus/159867", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(159867);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/09\");\n\n script_cve_id(\n \"CVE-2019-12067\",\n \"CVE-2020-15859\",\n \"CVE-2020-25084\",\n \"CVE-2020-25742\",\n \"CVE-2020-25743\",\n \"CVE-2020-35504\",\n \"CVE-2020-35505\",\n \"CVE-2021-3544\",\n \"CVE-2021-3545\",\n \"CVE-2021-3546\",\n \"CVE-2021-3682\",\n \"CVE-2021-3748\",\n \"CVE-2021-20196\",\n \"CVE-2021-20203\",\n \"CVE-2021-20221\",\n \"CVE-2021-20255\"\n );\n script_xref(name:\"IAVB\", value:\"2020-B-0041-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0063-S\");\n script_xref(name:\"IAVB\", value:\"2020-B-0075-S\");\n\n script_name(english:\"EulerOS Virtualization 2.10.1 : qemu (EulerOS-SA-2022-1392)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is\naffected by the following vulnerabilities :\n\n - The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL\n dereference) when the command header 'ad->cur_cmd' is null. (CVE-2019-12067)\n\n - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e\n packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)\n\n - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not\n checked. (CVE-2020-25084)\n\n - pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because\n pci_get_bus() might not return a valid pointer. (CVE-2020-25742)\n\n - hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check\n before an ide_cancel_dma_sync call. (CVE-2020-25743)\n\n - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)\n\n - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in\n versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw\n allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.\n The highest threat from this vulnerability is to system availability. (CVE-2020-35505)\n\n - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while\n processing read/write ioport commands if the selected floppy drive is not initialized with a block device.\n This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of\n service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)\n\n - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It\n may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A\n privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.\n (CVE-2021-20203)\n\n - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of\n QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an\n interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said\n issue while updating controller state fields and their subsequent processing. A privileged guest user may\n use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)\n\n - A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator\n of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw\n allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a\n denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)\n\n - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions\n up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-\n gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)\n\n - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-\n user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit\n this issue to leak memory from the host. (CVE-2021-3545)\n\n - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of\n QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET'\n command from the guest. It could allow a privileged guest user to crash the QEMU process on the host,\n resulting in a denial of service condition, or potential code execution with the privileges of the QEMU\n process. (CVE-2021-3546)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs\n when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A\n malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,\n resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3682)\n\n - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the\n descriptor's address belongs to the non direct access region, due to num_buffers being set after the\n virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a\n denial of service condition, or potentially execute code on the host with the privileges of the QEMU\n process. (CVE-2021-3748)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1392\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7942147b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-3748\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/04/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/04/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:2.10.1\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"2.10.1\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 2.10.1\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"qemu-4.1.0-2.10.0.3.427\",\n \"qemu-img-4.1.0-2.10.0.3.427\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:41:56", "description": "According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. (CVE-2021-20181)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2023-01-30T00:00:00", "type": "nessus", "title": "EulerOS Virtualization 3.0.2.2 : qemu-kvm (EulerOS-SA-2023-1289)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-20181", "CVE-2021-3527", "CVE-2021-3682"], "modified": "2023-01-30T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:qemu-kvm", "p-cpe:/a:huawei:euleros:qemu-kvm-common", "p-cpe:/a:huawei:euleros:qemu-kvm-tools", "cpe:/o:huawei:euleros:uvp:3.0.2.2"], "id": "EULEROS_SA-2023-1289.NASL", "href": "https://www.tenable.com/plugins/nessus/170819", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(170819);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/30\");\n\n script_cve_id(\"CVE-2021-3527\", \"CVE-2021-3682\", \"CVE-2021-20181\");\n\n script_name(english:\"EulerOS Virtualization 3.0.2.2 : qemu-kvm (EulerOS-SA-2023-1289)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization installation on the remote host\nis affected by the following vulnerabilities :\n\n - A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This\n flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges\n on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as\n system availability. (CVE-2021-20181)\n\n - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a\n single, large transfer request, to reduce the overhead and improve performance. The combined size of the\n bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper\n validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the\n array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a\n denial of service. (CVE-2021-3527)\n\n - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs\n when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A\n malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,\n resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the\n host. (CVE-2021-3682)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security\nadvisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional\nissues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2023-1289\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?7eca9d23\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected qemu-kvm packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-20181\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2021-3682\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/05/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/01/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar _release = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(_release) || _release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nvar uvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.2\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.2\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu && \"x86\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"x86\" >!< cpu) audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nvar flag = 0;\n\nvar pkgs = [\n \"qemu-kvm-2.8.1-30.089\",\n \"qemu-kvm-common-2.8.1-30.089\",\n \"qemu-kvm-tools-2.8.1-30.089\"\n];\n\nforeach (var pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-kvm\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:30:44", "description": "The version of qemu installed on the remote host is prior to 3.1.0-8. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1671 advisory.\n\n - iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose unrelated information from process memory to an attacker. (CVE-2020-11947)\n\n - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate is a duplicate of CVE-2020-28916 (CVE-2020-25707)\n\n - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. (CVE-2020-25723)\n\n - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.\n This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)\n\n - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29129)\n\n - slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29130)\n\n - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. (CVE-2020-29443)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-06-23T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : qemu (ALAS-2021-1671)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-11947", "CVE-2020-25707", "CVE-2020-25723", "CVE-2020-27821", "CVE-2020-28916", "CVE-2020-29129", "CVE-2020-29130", "CVE-2020-29443"], "modified": "2022-11-21T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:qemu-audio-oss", "p-cpe:/a:amazon:linux:qemu-audio-pa", "p-cpe:/a:amazon:linux:qemu-audio-sdl", "p-cpe:/a:amazon:linux:qemu-block-curl", "p-cpe:/a:amazon:linux:qemu-block-dmg", "p-cpe:/a:amazon:linux:qemu-block-iscsi", "p-cpe:/a:amazon:linux:qemu-block-nfs", "p-cpe:/a:amazon:linux:qemu-block-rbd", "p-cpe:/a:amazon:linux:qemu-block-ssh", "p-cpe:/a:amazon:linux:qemu-common", "p-cpe:/a:amazon:linux:qemu-debuginfo", "p-cpe:/a:amazon:linux:qemu-guest-agent", "p-cpe:/a:amazon:linux:qemu-img", "p-cpe:/a:amazon:linux:qemu-kvm", "p-cpe:/a:amazon:linux:qemu-kvm-core", "p-cpe:/a:amazon:linux:qemu-system-aarch64", "p-cpe:/a:amazon:linux:qemu-system-aarch64-core", "p-cpe:/a:amazon:linux:qemu-system-x86", "p-cpe:/a:amazon:linux:qemu-system-x86-core", "p-cpe:/a:amazon:linux:qemu-ui-curses", "p-cpe:/a:amazon:linux:qemu-ui-gtk", "p-cpe:/a:amazon:linux:qemu-ui-sdl", "p-cpe:/a:amazon:linux:qemu-user", "p-cpe:/a:amazon:linux:qemu-user-binfmt", "p-cpe:/a:amazon:linux:qemu-user-static", "cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:ivshmem-tools", "p-cpe:/a:amazon:linux:qemu", "p-cpe:/a:amazon:linux:qemu-audio-alsa"], "id": "AL2_ALAS-2021-1671.NASL", "href": "https://www.tenable.com/plugins/nessus/150965", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2021-1671.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(150965);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/11/21\&quo