Lucene search

K
xenXen ProjectXSA-335
HistoryAug 24, 2020 - 12:00 p.m.

QEMU: usb: out-of-bounds r/w access issue

2020-08-2412:00:00
Xen Project
xenbits.xen.org
26

5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.0005 Low

EPSS

Percentile

15.8%

ISSUE DESCRIPTION

An out-of-bounds read/write access issue was found in the USB emulator of the QEMU. It occurs while processing USB packets from a guest, when β€˜USBDevice->setup_len’ exceeds the USBDevice->data_buf[4096], in do_token_{in,out} routines.

IMPACT

A guest user may use this flaw to crash the QEMU process resulting in DoS OR potentially execute arbitrary code with the privileges of the QEMU process on the host.

VULNERABLE SYSTEMS

All versions of Qemu shipped with in-support versions of Xen are vulnerable. This includes both qemu-traditional and qemu-xen.
The vulnerability can only be exploited when Qemu is used as a device model. This configuration is only used by default for x86 HVM guests. x86 PV, PVH and ARM guest do not use a device model by default.
Guests configured to use a Qemu stubdomain contain the code execution within the stubdomain, and are therefore not considered vulnerable.

5 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:L

4.4 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:M/Au:N/C:P/I:P/A:P

0.0005 Low

EPSS

Percentile

15.8%