An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo (CVE-2017-2620)

  - The (1) fw_cfg_write and (2) fw_cfg_read functions in hw/nvram/fw_cfg.c in QEMU before 2.4, when built     with the Firmware Configuration device emulation support, allow guest OS users with the CAP_SYS_RAWIO     privilege to cause a denial of service (out-of-bounds read or write access and process crash) or possibly     execute arbitrary code via an invalid current entry value in a firmware configuration. (CVE-2016-1714)

  - QEMU (aka Quick Emulator) built with the e1000 NIC emulation support is vulnerable to an infinite loop     issue. It could occur while processing data via transmit or receive descriptors, provided the initial     receive/transmit descriptor head (TDH/RDH) is set outside the allocated descriptor buffer. A privileged     user inside guest could use this flaw to crash the QEMU instance resulting in DoS. (CVE-2016-1981)

  - The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local     guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via     vectors related to multiple eof_timers. (CVE-2016-2391)

  - The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1     allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash)     via crafted values for the PSTART and PSTOP registers, involving ring buffer control. (CVE-2016-2841)

  - The net_checksum_calculate function in net/checksum.c in QEMU allows local guest OS users to cause a     denial of service (out-of-bounds heap read and crash) via the payload length in a crafted packet.
    (CVE-2016-2857)

  - Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the     Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a     denial of service (QEMU crash) via a large packet. (CVE-2016-4001)

  - Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is     configured to accept large packets, allows remote attackers to cause a denial of service (memory     corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.
    (CVE-2016-4002)

  - The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to     cause a denial of service (infinite loop and QEMU process crash) via a VGA command. (CVE-2016-4453)

  - The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators     to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing     FIFO registers and issuing a VGA command, which triggers an out-of-bounds read. (CVE-2016-4454)

  - The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a     denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for     completion. (CVE-2016-5403)

  - The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors     related to cursor.mask[] and cursor.image[] array sizes when processing a DEFINE_CURSOR svga command.
    (CVE-2016-7170)

  - The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest     OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors     involving a value of divider greater than baud base. (CVE-2016-8669)

  - The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS     administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to     limit the ring descriptor count. (CVE-2016-8910)

  - Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to a divide by     zero issue. It could occur while copying VGA data when cirrus graphics mode was set to be VGA. A     privileged user inside guest could use this flaw to crash the Qemu process instance on the host, resulting     in DoS. (CVE-2016-9921)

  - The cirrus_do_copy function in hw/display/cirrus_vga.c in QEMU (aka Quick Emulator), when cirrus graphics     mode is VGA, allows local guest OS privileged users to cause a denial of service (divide-by-zero error and     QEMU process crash) via vectors involving blit pitch values. (CVE-2016-9922)

  - The dhcp_decode function in slirp/bootp.c in QEMU (aka Quick Emulator) allows local guest OS users to     cause a denial of service (out-of-bounds read and QEMU process crash) via a crafted DHCP options string.
    (CVE-2017-11434)

  - QEMU (aka Quick Emulator), when built with the VGA display emulator support, allows local guest OS     privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors     involving display update. (CVE-2017-13672)

  - The vga display update in mis-calculated the region for the dirty bitmap snapshot in case split screen     mode is used causing a denial of service (assertion failure) in the cpu_physical_memory_snapshot_get_dirty     function. (CVE-2017-13673)

  - Use-after-free vulnerability in the sofree function in slirp/socket.c in QEMU (aka Quick Emulator) allows     attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear     ifq_so from pending packets. (CVE-2017-13711)

  - VNC server implementation in Quick Emulator (QEMU) 2.11.0 and older was found to be vulnerable to an     unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If     the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A     malicious remote VNC client could use this flaw to cause DoS to the server host. (CVE-2017-15124)

  - The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to     cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst     calculation. (CVE-2017-15289)

  - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-     bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged     user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute     arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615)

  - Memory leak in hw/audio/ac97.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to     cause a denial of service (host memory consumption and QEMU process crash) via a large number of device     unplug operations. (CVE-2017-5525)

  - Memory leak in hw/audio/es1370.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to     cause a denial of service (host memory consumption and QEMU process crash) via a large number of device     unplug operations. (CVE-2017-5526)

  - Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local     guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash)     via a large number of device unplug operations. (CVE-2017-5579)

  - The ohci_service_ed_list function in hw/usb/hcd-ohci.c in QEMU (aka Quick Emulator) before 2.9.0 allows     local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link     endpoint list descriptors, a different vulnerability than CVE-2017-9330. (CVE-2017-6505)

  - hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a     denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via     the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions. (CVE-2017-7718)

  - Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier     allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors     related to a VNC client updating its display after a VGA operation. (CVE-2017-7980)

  - Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of     service (memory consumption) by repeatedly starting and stopping audio capture. (CVE-2017-8309)

  - Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest     OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large     keyboard events. (CVE-2017-8379)

  - QEMU (aka Quick Emulator) before 2.9.0, when built with the USB OHCI Emulation support, allows local guest     OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value, a different     vulnerability than CVE-2017-6505. (CVE-2017-9330)

  - m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
    (CVE-2018-11806)

  - In Qemu 3.0.0, lsi_do_msgin in hw/scsi/lsi53c895a.c allows out-of-bounds access by triggering an invalid     msg_len value. (CVE-2018-18849)

  - The vga_draw_text function in Qemu allows local OS guest privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) by leveraging improper memory address validation.
    (CVE-2018-5683)

  - Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest     OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by     leveraging incorrect region calculation when updating VGA display. (CVE-2018-7858)

  - In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2,     and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter     emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode     is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
    (CVE-2019-12068)

  - interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference.
    (CVE-2019-12155)

  - ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it     mishandles a case involving the first fragment. (CVE-2019-14378)

  - libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

  - In QEMU 4.1.0, an out-of-bounds read flaw was found in the ATI VGA implementation. It occurs in the     ati_cursor_define() routine while handling MMIO write operations through the ati_mm_write() callback. A     malicious guest could abuse this flaw to crash the QEMU process, resulting in a denial of service.
    (CVE-2019-20808)

  - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an     snprintf call, leading to Information disclosure. (CVE-2019-9824)

  - An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.
    This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known     as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible     information disclosure. This flaw affects versions of libslirp before 4.3.1. (CVE-2020-10756)

  - An integer overflow was found in QEMU 4.0.1 through 4.2.0 in the way it implemented ATI VGA emulation.
    This flaw occurs in the ati_2d_blt() routine in hw/display/ati-2d.c while handling MMIO write operations     through the ati_mm_write() callback. A malicious guest could abuse this flaw to crash the QEMU process,     resulting in a denial of service. (CVE-2020-11869)

  - iscsi_aio_ioctl_cb in block/iscsi.c in QEMU 4.1.0 has a heap-based buffer over-read that may disclose     unrelated information from process memory to an attacker. (CVE-2020-11947)

  - In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame     count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
    (CVE-2020-13361)

  - An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before     5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its     'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the     QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the     privileges of the QEMU process on the host. (CVE-2020-14364)

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects     the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the     QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in     hw/net/net_tx_pkt.c. (CVE-2020-16092)

  - A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows     crafted packets to cause a denial of service. (CVE-2020-1983)

  - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while     processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user     within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host,     resulting in a denial of service. (CVE-2020-25723)

  - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of     header data even if that exceeds the total packet length. (CVE-2020-29129)

  - slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of     header data even if that exceeds the total packet length. (CVE-2020-29130)

  - tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC     DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which     can lead to a DoS or potential execute arbitrary code. (CVE-2020-7039)

  - In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer     overflow in later code. (CVE-2020-8608)

  - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while     processing read/write ioport commands if the selected floppy drive is not initialized with a block device.
    This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of     service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6567-1 advisory.

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary     code, escalate privileges, and cause a denial of service (DoS). (CVE-2020-24165)

  - A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious     guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service     condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU     versions prior to 7.0.0. (CVE-2021-3611)

  - An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in     the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for     the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2021-3638)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of     descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
    (CVE-2023-1544)

  - A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not     prohibit opening special files on the host side, potentially allowing a malicious client to escape from     the exported 9p tree by creating and opening a device file in the shared folder. (CVE-2023-2861)

  - A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in     virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in     virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
    (CVE-2023-3180)

  - A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit     condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the     `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard     to the VNC server to trigger a denial of service. (CVE-2023-3255)

  - A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device     backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this     time window to trigger an assertion and cause a denial of service. (CVE-2023-3301)

  - A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks     whether the current number of connections crosses a certain threshold and if so, cleans up the previous     connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the     connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated     client to cause a denial of service. (CVE-2023-3354)

  - QEMU through 8.0.4 accesses a NULL pointer in nvme_directive_receive in hw/nvme/ctrl.c because there is no     check for whether an endurance group is configured before checking whether Flexible Data Placement is     enabled. (CVE-2023-40360)

  - A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does     not validate an offset provided by the guest before computing a host heap pointer, which is used for     copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed.
    (CVE-2023-4135)

  - QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because     scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the     guest immediately. (CVE-2023-42467)

  - A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be     targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for     example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor     to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot.
    (CVE-2023-5088)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the qemu package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious     guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service     condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU     versions prior to 7.0.0. (CVE-2021-3611)

  - A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the     Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be     written to the controller's registers and trigger undesirable actions (such as reset) while the device is     still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or     potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects     QEMU versions before 7.0.0. (CVE-2021-3750)

  - A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within     the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service     condition. (CVE-2021-4158)

  - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc()     function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer     overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or     potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

  - A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values     `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object     followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw     to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU     process. (CVE-2021-4207)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is     strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by     virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and     is writable by a user who is not a member of the group. This could allow a malicious unprivileged user     inside the guest to gain access to resources accessible to the root group, potentially escalating their     privileges within the guest. A malicious local user in the host might also leverage this unexpected     executable file created by the guest to escalate their privileges on the host system. (CVE-2022-0358)

  - A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for     CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and     other unexpected results. Affected QEMU version: 6.2.0. (CVE-2022-26353)

  - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached     from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.
    Affected QEMU versions <= 6.2.0. (CVE-2022-26354)

  - An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the     extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially     crafted payload message, resulting in a denial of service. (CVE-2022-3165)

  - softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path,     leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-virtualization Use Case     in the qemu.org reference applies here, i.e., 'Bugs affecting the non-virtualization use case are not     considered security bugs at this time. (CVE-2022-35414)

  - An off-by-one read/write issue was found in the SDHCI device of QEMU. It occurs when reading/writing the     Buffer Data Port Register in sdhci_read_dataport and sdhci_write_dataport, respectively, if data_count ==     block_size. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a     denial of service condition. (CVE-2022-3872)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

  - A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem     may lead to memory corruption bugs like stack overflow or use-after-free. (CVE-2023-0330)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0879-1 advisory.

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0840-1 advisory.

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0761-1 advisory.

  - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read     during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)

  - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address     in an msi-x mmio operation. (CVE-2020-13754)

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It     could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host,     resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the     QEMU process on the host. (CVE-2020-17380)

  - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c     mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to     the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This     flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of     service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc()     function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer     overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or     potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached     from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.
    Affected QEMU versions <= 6.2.0. (CVE-2022-26354)

  - ** DISPUTED ** softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the     translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-     virtualization Use Case in the qemu.org reference applies here, i.e., Bugs affecting the non-     virtualization use case are not considered security bugs at this time. (CVE-2022-35414)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3362 advisory.

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It     could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host,     resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the     QEMU process on the host. (CVE-2020-17380)

  - slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of     header data even if that exceeds the total packet length. (CVE-2020-29130)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to     the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This     flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of     service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

  - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw     exists in the bootp_input() function and could occur while processing a udp packet that is smaller than     the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of     uninitialized heap memory from the host. The highest threat from this vulnerability is to data     confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)

  - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw     exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the     size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory     disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw     affects libslirp versions prior to 4.6.0. (CVE-2021-3593)

  - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw     exists in the udp_input() function and could occur while processing a udp packet that is smaller than the     size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory     disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw     affects libslirp versions prior to 4.6.0. (CVE-2021-3594)

  - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw     exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the     size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory     disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw     affects libslirp versions prior to 4.6.0. (CVE-2021-3595)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
196234	RHEL 5 : qemu (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
196203	RHEL 7 : qemu (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
196166	RHEL 6 : qemu (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
187683	Ubuntu 20.04 LTS / 22.04 LTS / 23.04 / 23.10 : QEMU vulnerabilities (USN-6567-1)	Nessus	Ubuntu Local Security Checks	high
176865	EulerOS Virtualization 2.11.1 : qemu (EulerOS-SA-2023-2082)	Nessus	Huawei Local Security Checks	high
176798	EulerOS Virtualization 2.11.0 : qemu (EulerOS-SA-2023-2134)	Nessus	Huawei Local Security Checks	high
173375	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : qemu (SUSE-SU-2023:0879-1)	Nessus	SuSE Local Security Checks	medium
173215	SUSE SLES15 Security Update : qemu (SUSE-SU-2023:0840-1)	Nessus	SuSE Local Security Checks	high
172642	SUSE SLES12 Security Update : qemu (SUSE-SU-2023:0761-1)	Nessus	SuSE Local Security Checks	high
172554	Debian DLA-3362-1 : qemu - LTS security update	Nessus	Debian Local Security Checks	high
169867	EulerOS Virtualization 2.9.1 : qemu (EulerOS-SA-2023-1212)	Nessus	Huawei Local Security Checks	high
169814	EulerOS Virtualization 2.9.0 : qemu (EulerOS-SA-2023-1242)	Nessus	Huawei Local Security Checks	high
169488	EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-2925)	Nessus	Huawei Local Security Checks	high
169363	EulerOS Virtualization 2.10.1 : qemu (EulerOS-SA-2022-2951)	Nessus	Huawei Local Security Checks	high

Detections

Analytics

CVE-2020-14394

low

Tenable Plugins

critical

critical

critical

high

high

high

medium

high

high

high

high

high

high

high