The load_multiboot function in hw/i386/multiboot.c in Quick Emulator (aka QEMU) allows local guest OS users to execute arbitrary code on the QEMU host via a mh_load_end_addr value greater than mh_bss_end_addr, which triggers an out-of-bounds read or write memory access.
http://www.securityfocus.com/bid/103181
https://access.redhat.com/errata/RHSA-2018:1369
https://access.redhat.com/errata/RHSA-2018:2462
https://bugzilla.redhat.com/show_bug.cgi?id=1549798
https://lists.debian.org/debian-lts-announce/2018/04/msg00015.html
https://lists.debian.org/debian-lts-announce/2018/04/msg00016.html
https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html
https://lists.gnu.org/archive/html/qemu-devel/2018-02/msg06890.html
Source: MITRE
Published: 2018-03-01
Updated: 2020-05-14
Type: CWE-787
CVSS v2
Base Score: 4.6
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 3.9
Severity: MEDIUM
CVSS v3
Base Score: 8.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Impact Score: 6
Exploitability Score: 2
Severity: HIGH
OR
cpe:2.3:a:qemu:qemu:*:*:*:*:*:*:*:* versions up to 2.11.1 (inclusive)
OR
cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
OR
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
OR
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.5:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_eus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:7.7:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
ID | Name | Product | Family | Severity |
---|---|---|---|---|
139983 | EulerOS 2.0 SP8 : qemu (EulerOS-SA-2020-1880) | Nessus | Huawei Local Security Checks | medium |
124947 | EulerOS Virtualization 3.0.1.0 : qemu (EulerOS-SA-2019-1444) | Nessus | Huawei Local Security Checks | high |
124908 | EulerOS Virtualization for ARM 64 3.0.1.0 : qemu-kvm (EulerOS-SA-2019-1405) | Nessus | Huawei Local Security Checks | high |
123271 | openSUSE Security Update : qemu (openSUSE-2019-620) (Spectre) | Nessus | SuSE Local Security Checks | high |
120081 | SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2018:2340-1) (Spectre) | Nessus | SuSE Local Security Checks | high |
117757 | EulerOS 2.0 SP3 : qemu-kvm (EulerOS-SA-2018-1314) | Nessus | Huawei Local Security Checks | high |
117756 | EulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2018-1313) | Nessus | Huawei Local Security Checks | high |
117589 | Amazon Linux 2 : qemu-kvm (ALAS-2018-1073) | Nessus | Amazon Linux Local Security Checks | high |
117577 | EulerOS Virtualization 2.5.1 : qemu-kvm (EulerOS-SA-2018-1268) | Nessus | Huawei Local Security Checks | medium |
117351 | Debian DLA-1497-1 : qemu security update (Spectre) | Nessus | Debian Local Security Checks | high |
117345 | Amazon Linux AMI : qemu-kvm (ALAS-2018-1073) | Nessus | Amazon Linux Local Security Checks | high |
112021 | CentOS 7 : qemu-kvm (CESA-2018:2462) | Nessus | CentOS Local Security Checks | high |
112003 | openSUSE Security Update : qemu (openSUSE-2018-894) (Spectre) | Nessus | SuSE Local Security Checks | high |
111807 | Scientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20180816) | Nessus | Scientific Linux Local Security Checks | high |
111803 | RHEL 7 : qemu-kvm (RHSA-2018:2462) | Nessus | Red Hat Local Security Checks | high |
111801 | Oracle Linux 7 : qemu-kvm (ELSA-2018-2462) | Nessus | Oracle Linux Local Security Checks | high |
110208 | Debian DSA-4213-1 : qemu - security update (Spectre) | Nessus | Debian Local Security Checks | high |
109894 | Ubuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : QEMU vulnerabilities (USN-3649-1) | Nessus | Ubuntu Local Security Checks | medium |
109886 | SUSE SLES11 Security Update : kvm (SUSE-SU-2018:1308-1) (Spectre) | Nessus | SuSE Local Security Checks | medium |
109755 | RHEL 7 : qemu-kvm-rhev (RHSA-2018:1369) | Nessus | Red Hat Local Security Checks | medium |
109722 | SUSE SLES11 Security Update : xen (SUSE-SU-2018:1203-1) (Meltdown) | Nessus | SuSE Local Security Checks | high |
109721 | SUSE SLES12 Security Update : xen (SUSE-SU-2018:1202-1) (Meltdown) | Nessus | SuSE Local Security Checks | high |
109676 | SUSE SLES11 Security Update : xen (SUSE-SU-2018:1181-1) (Meltdown) | Nessus | SuSE Local Security Checks | high |
109672 | SUSE SLES12 Security Update : xen (SUSE-SU-2018:1177-1) (Meltdown) | Nessus | SuSE Local Security Checks | high |
109358 | SUSE SLES11 Security Update : kvm (SUSE-SU-2018:1077-1) (Spectre) | Nessus | SuSE Local Security Checks | medium |
109090 | Debian DLA-1351-1 : qemu security update | Nessus | Debian Local Security Checks | medium |
109089 | Debian DLA-1350-1 : qemu-kvm security update | Nessus | Debian Local Security Checks | medium |
108929 | GLSA-201804-08 : QEMU: Multiple vulnerabilities (Spectre) | Nessus | Gentoo Local Security Checks | high |
108686 | SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:0831-1) (Spectre) | Nessus | SuSE Local Security Checks | high |
108576 | openSUSE Security Update : qemu (openSUSE-2018-291) (Spectre) | Nessus | SuSE Local Security Checks | high |
108533 | SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:0762-1) (Spectre) | Nessus | SuSE Local Security Checks | high |