http://www.openwall.com/lists/oss-security/2020/01/17/2

https://gitlab.freedesktop.org/slirp/libslirp/commit/14ec36e107a8c9af7d0a80c3571fe39b291ff1d4

Debian

According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - The imx_fec_do_tx function in hw/net/imx_fec.c in QEMU     (aka Quick Emulator) does not properly limit the buffer     descriptor count when transmitting packets, which     allows local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of     0 and crafted values in bd.flags.(CVE-2016-7907)

  - Stack-based buffer overflow in hw/usb/redirect.c in     QEMU (aka Quick Emulator) allows local guest OS users     to cause a denial of service (QEMU process crash) via     vectors related to logging debug     messages.(CVE-2017-10806)

  - The dhcp_decode function in slirp/bootp.c in QEMU (aka     Quick Emulator) allows local guest OS users to cause a     denial of service (out-of-bounds read and QEMU process     crash) via a crafted DHCP options     string.(CVE-2017-11434)

  - A use-after-free issue was found in the Slirp     networking implementation of the Quick emulator (QEMU).
    It occurs when a Socket referenced from multiple     packets is freed while responding to a message. A     user/process could use this flaw to crash the QEMU     process on the host resulting in denial of     service.(CVE-2017-13711)

  - Buffer overflow in the 'megasas_mmio_write' function in     Qemu 2.9.0 allows remote attackers to have unspecified     impact via unknown vectors.(CVE-2017-8380)

  - A heap buffer overflow issue was found in the way SLiRP     networking back-end in QEMU processes fragmented     packets. It could occur while reassembling the     fragmented datagrams of an incoming packet. A     privileged user/process inside guest could use this     flaw to crash the QEMU process resulting in DoS or     potentially leverage it to execute arbitrary code on     the host with privileges of the QEMU     process.(CVE-2018-11806)

  - qemu-seccomp.c in QEMU might allow local OS guest users     to cause a denial of service (guest crash) by     leveraging mishandling of the seccomp policy for     threads other than the main thread.(CVE-2018-15746)

  - An integer overflow issue was found in the RTL8139 NIC     emulation in QEMU. It could occur while receiving     packets over the network if the size value is greater     than INT_MAX. Such overflow would lead to stack buffer     overflow issue. A user inside guest could use this flaw     to crash the QEMU process, resulting in DoS     scenario.(CVE-2018-17958)

  - An integer overflow issue was found in the AMD PC-Net     II NIC emulation in QEMU. It could occur while     receiving packets, if the size value was greater than     INT_MAX. Such overflow would lead to stack buffer     overflow issue. A user inside guest could use this flaw     to crash the QEMU process resulting in     DoS.(CVE-2018-17962)

  - A heap buffer overflow issue was found in the     load_device_tree() function of QEMU, which is invoked     to load a device tree blob at boot time. It occurs due     to device tree size manipulation before buffer     allocation, which could overflow a signed int type. A     user/process could use this flaw to potentially execute     arbitrary code on a host system with privileges of the     QEMU process.(CVE-2018-20815)

  - interface_release_resource in hw/display/qxl.c in QEMU     3.1.x through 4.0.0 has a NULL pointer     dereference.(CVE-2019-12155)

  - qemu-bridge-helper.c in QEMU 3.1 and 4.0.0 does not     ensure that a network interface name (obtained from     bridge.conf or a --br=bridge option) is limited to the     IFNAMSIZ size, which can lead to an ACL     bypass.(CVE-2019-13164)

  - A heap buffer overflow issue was found in the SLiRP     networking implementation of the QEMU emulator. This     flaw occurs in the ip_reass() routine while     reassembling incoming packets if the first fragment is     bigger than the m->m_dat[] buffer. An attacker could     use this flaw to crash the QEMU process on the host,     resulting in a Denial of Service or potentially     executing arbitrary code with privileges of the QEMU     process.(CVE-2019-14378)

  - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c)     in QEMU 3.0.0 uses uninitialized data in an snprintf     call, leading to Information disclosure.(CVE-2019-9824)

  - An out-of-bounds read vulnerability was found in the     SLiRP networking implementation of the QEMU emulator.
    This flaw occurs in the icmp6_send_echoreply() routine     while replying to an ICMP echo request, also known as     ping. This flaw allows a malicious guest to leak the     contents of the host memory, resulting in possible     information disclosure.(CVE-2020-10756)

  - A heap buffer overflow issue was found in the SLiRP     networking implementation of the QEMU emulator. This     flaw occurs in the tcp_emu() routine while emulating     IRC and other protocols. An attacker could use this     flaw to crash the QEMU process on the host, resulting     in a denial of service or potential execution of     arbitrary code with privileges of the QEMU     process.(CVE-2020-7039)

  - An out-of-bound write access flaw was found in the way     QEMU loads ROM contents at boot time. This flaw occurs     in the rom_copy() routine while loading the contents of     a 32-bit -kernel image into memory. Running an     untrusted -kernel image may load contents at arbitrary     memory locations, potentially leading to code execution     with the privileges of the QEMU     process.(CVE-2020-13765)

  - A use-after-free flaw was found in the USB(xHCI/eHCI)     controller emulators of QEMU. This flaw occurs while     setting up the USB packet as a usb_packet_map() routine     and returns an error that was not checked. This flaw     allows a guest user or process to crash the QEMU     process, resulting in a denial of     service.(CVE-2020-25084)

  - An infinite loop flaw was found in the USB OHCI     controller emulator of QEMU. This flaw occurs while     servicing OHCI isochronous transfer descriptors (TD) in     the ohci_service_iso_td routine, as it retires a TD if     it has passed its time frame. It does not check if the     TD was already processed and holds an error code in     TD_CC. This issue may happen if the TD list has a loop.
    This flaw allows a guest user or process to consume CPU     cycles on the host, resulting in a denial of     service.(CVE-2020-25625)

  - A reachable assertion issue was found in the USB EHCI     emulation code of QEMU. It could occur while processing     USB requests due to missing handling of DMA memory map     failure. A malicious privileged user within the guest     may abuse this flaw to send bogus USB requests and     crash the QEMU process on the host, resulting in a     denial of service.(CVE-2020-25723)

  - A potential directory traversal issue was found in the     tftp server of the SLiRP user-mode networking     implementation used by QEMU. It could occur on a     Windows host, as it allows the use of both forward     ('/') and backward slash('\') tokens as separators in a     file path. A user able to access the tftp server could     use this flaw to access undue files by using relative     paths.(CVE-2020-7211)

  - An out-of-bounds read/write access flaw was found in     the USB emulator of the QEMU in versions before 5.2.0.
    This issue occurs while processing USB packets from a     guest when USBDevice 'setup_len' exceeds its     'data_buf[4096]' in the do_token_in, do_token_out     routines. This flaw allows a guest user to crash the     QEMU process, resulting in a denial of service, or the     potential execution of arbitrary code with the     privileges of the QEMU process on the     host.(CVE-2020-14364)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SLES11 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2020:14444-1 advisory.

  - Improper invalidation for page table updates by a virtual guest operating system for multiple Intel(R)     Processors may allow an authenticated user to potentially enable denial of service of the host system via     local access. (CVE-2018-12207)

  - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated     user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)

  - An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service     via a VCPUOP_initialise hypercall. hypercall_create_continuation() is a variadic function which uses a     printf-like format string to interpret its parameters. Error handling for a bad format character was done     using BUG(), which crashes Xen. One path, via the VCPUOP_initialise hypercall, has a bad format character.
    The BUG() can be hit if VCPUOP_initialise executes for a sufficiently long period of time for a     continuation to be created. Malicious guests may cause a hypervisor crash, resulting in a Denial of     Service (DoS). Xen versions 4.6 and newer are vulnerable. Xen versions 4.5 and earlier are not vulnerable.
    Only x86 PV guests can exploit the vulnerability. HVM and PVH guests, and guests on ARM systems, cannot     exploit the vulnerability. (CVE-2019-18420)

  - An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by     leveraging race conditions in pagetable promotion and demotion operations. There are issues with     restartable PV type change operations. To avoid using shadow pagetables for PV guests, Xen exposes the     actual hardware pagetables to the guest. In order to prevent the guest from modifying these page tables     directly, Xen keeps track of how pages are used using a type system; pages must be promoted before being     used as a pagetable, and demoted before being used for any other type. Xen also allows for recursive     promotions: i.e., an operating system promoting a page to an L4 pagetable may end up causing pages to be     promoted to L3s, which may in turn cause pages to be promoted to L2s, and so on. These operations may take     an arbitrarily large amount of time, and so must be re-startable. Unfortunately, making recursive     pagetable promotion and demotion operations restartable is incredibly complicated, and the code contains     several races which, if triggered, can cause Xen to drop or retain extra type counts, potentially allowing     guests to get write access to in-use pagetables. A malicious PV guest administrator may be able to     escalate their privilege to that of the host. All x86 systems with untrusted PV guests are vulnerable. HVM     and PVH guests cannot exercise this vulnerability. (CVE-2019-18421)

  - An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a     situation where an untrusted domain has access to a physical device. This occurs because passed through     PCI devices may corrupt host memory after deassignment. When a PCI device is assigned to an untrusted     domain, it is possible for that domain to program the device to DMA to an arbitrary address. The IOMMU is     used to protect the host from malicious DMA by making sure that the device addresses can only target     memory assigned to the guest. However, when the guest domain is torn down, or the device is deassigned,     the device is assigned back to dom0, thus allowing any in-flight DMA to potentially target critical host     data. An untrusted domain with access to a physical device can DMA into host memory, leading to privilege     escalation. Only systems where guests are given direct access to physical devices capable of DMA (PCI     pass-through) are vulnerable. Systems which do not use PCI pass-through are not vulnerable.
    (CVE-2019-18424)

  - An issue was discovered in Xen through 4.12.x allowing 32-bit PV guest OS users to gain guest OS     privileges by installing and using descriptors. There is missing descriptor table limit checking in x86 PV     emulation. When emulating certain PV guest operations, descriptor table accesses are performed by the     emulating code. Such accesses should respect the guest specified limits, unless otherwise guaranteed to     fail in such a case. Without this, emulation of 32-bit guest user mode calls through call gates would     allow guest user mode to install and then use descriptors of their choice, as long as the guest kernel did     not itself install an LDT. (Most OSes don't install any LDT by default). 32-bit PV guest user mode can     elevate its privileges to that of the guest kernel. Xen versions from at least 3.2 onwards are affected.
    Only 32-bit PV guest user mode can leverage this vulnerability. HVM, PVH, as well as 64-bit PV guests     cannot leverage this vulnerability. Arm systems are unaffected. (CVE-2019-18425)

  - An issue was discovered in Xen through 4.12.x allowing x86 AMD HVM guest OS users to cause a denial of     service or possibly gain privileges by triggering data-structure access during pagetable-height updates.
    When running on AMD systems with an IOMMU, Xen attempted to dynamically adapt the number of levels of     pagetables (the pagetable height) in the IOMMU according to the guest's address space size. The code to     select and update the height had several bugs. Notably, the update was done without taking a lock which is     necessary for safe operation. A malicious guest administrator can cause Xen to access data structures     while they are being modified, causing Xen to crash. Privilege escalation is thought to be very difficult     but cannot be ruled out. Additionally, there is a potential memory leak of 4kb per guest boot, under     memory pressure. Only Xen on AMD CPUs is vulnerable. Xen running on Intel CPUs is not vulnerable. ARM     systems are not vulnerable. Only systems where guests are given direct access to physical devices are     vulnerable. Systems which do not use PCI pass-through are not vulnerable. Only HVM guests can exploit the     vulnerability. PV and PVH guests cannot. All versions of Xen with IOMMU support are vulnerable.
    (CVE-2019-19577)

  - An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to cause a denial of service     via degenerate chains of linear pagetables, because of an incorrect fix for CVE-2017-15595. Linear     pagetables is a technique which involves either pointing a pagetable at itself, or to another pagetable     of the same or higher level. Xen has limited support for linear pagetables: A page may either point to     itself, or point to another pagetable of the same level (i.e., L2 to L2, L3 to L3, and so on). XSA-240     introduced an additional restriction that limited the depth of such chains by allowing pages to either
    *point to* other pages of the same level, or *be pointed to* by other pages of the same level, but not     both. To implement this, we keep track of the number of outstanding times a page points to or is pointed     to another page table, to prevent both from happening at the same time. Unfortunately, the original commit     introducing this reset this count when resuming validation of a partially-validated pagetable, incorrectly     dropping some linear_pt_entry counts. If an attacker could engineer such a situation to occur, they     might be able to make loops or other arbitrary chains of linear pagetables, as described in XSA-240. A     malicious or buggy PV guest may cause the hypervisor to crash, resulting in Denial of Service (DoS)     affecting the entire host. Privilege escalation and information leaks cannot be excluded. All versions of     Xen are vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can     leverage the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Only systems which     have enabled linear pagetables are vulnerable. Systems which have disabled linear pagetables, either by     selecting CONFIG_PV_LINEAR_PT=n when building the hypervisor, or adding pv-linear-pt=false on the command-     line, are not vulnerable. (CVE-2019-19578)

  - An issue was discovered in Xen through 4.12.x allowing attackers to gain host OS privileges via DMA in a     situation where an untrusted domain has access to a physical device (and assignable-add is not used),     because of an incomplete fix for CVE-2019-18424. XSA-302 relies on the use of libxl's assignable-add     feature to prepare devices to be assigned to untrusted guests. Unfortunately, this is not considered a     strictly required step for device assignment. The PCI passthrough documentation on the wiki describes     alternate ways of preparing devices for assignment, and libvirt uses its own ways as well. Hosts where     these alternate methods are used will still leave the system in a vulnerable state after the device     comes back from a guest. An untrusted domain with access to a physical device can DMA into host memory,     leading to privilege escalation. Only systems where guests are given direct access to physical devices     capable of DMA (PCI pass-through) are vulnerable. Systems which do not use PCI pass-through are not     vulnerable. (CVE-2019-19579)

  - An issue was discovered in Xen through 4.12.x allowing x86 PV guest OS users to gain host OS privileges by     leveraging race conditions in pagetable promotion and demotion operations, because of an incomplete fix     for CVE-2019-18421. XSA-299 addressed several critical issues in restartable PV type change operations.
    Despite extensive testing and auditing, some corner cases were missed. A malicious PV guest administrator     may be able to escalate their privilege to that of the host. All security-supported versions of Xen are     vulnerable. Only x86 systems are affected. Arm systems are not affected. Only x86 PV guests can leverage     the vulnerability. x86 HVM and PVH guests cannot leverage the vulnerability. Note that these attacks     require very precise timing, which may be difficult to exploit in practice. (CVE-2019-19580)

  - An issue was discovered in Xen through 4.12.x allowing x86 HVM/PVH guest OS users to cause a denial of     service (guest OS crash) because VMX VMEntry checks mishandle a certain case. Please see XSA-260 for     background on the MovSS shadow. Please see XSA-156 for background on the need for #DB interception. The     VMX VMEntry checks do not like the exact combination of state which occurs when #DB in intercepted, Single     Stepping is active, and blocked by STI/MovSS is active, despite this being a legitimate state to be in.
    The resulting VMEntry failure is fatal to the guest. HVM/PVH guest userspace code may be able to crash the     guest, resulting in a guest Denial of Service. All versions of Xen are affected. Only systems supporting     VMX hardware virtual extensions (Intel, Cyrix, or Zhaoxin CPUs) are affected. Arm and AMD systems are     unaffected. Only HVM/PVH guests are affected. PV guests cannot leverage the vulnerability.
    (CVE-2019-19583)

  - An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (without active     profiling) to obtain sensitive information about other guests. Unprivileged guests can request to map     xenoprof buffers, even if profiling has not been enabled for those guests. These buffers were not     scrubbed. (CVE-2020-11740)

  - An issue was discovered in xenoprof in Xen through 4.13.x, allowing guest OS users (with active profiling)     to obtain sensitive information about other guests, cause a denial of service, or possibly gain     privileges. For guests for which active profiling was enabled by the administrator, the xenoprof code     uses the standard Xen shared ring structure. Unfortunately, this code did not treat the guest as a     potential adversary: it trusts the guest not to modify buffer size information or modify head / tail     pointers in unexpected ways. This can crash the host (DoS). Privilege escalation cannot be ruled out.
    (CVE-2020-11741)

  - An issue was discovered in Xen through 4.13.x, allowing guest OS users to cause a denial of service     because of bad continuation handling in GNTTABOP_copy. Grant table operations are expected to return 0 for     success, and a negative number for errors. The fix for CVE-2017-12135 introduced a path through grant copy     handling where success may be returned to the caller without any action taken. In particular, the status     fields of individual operations are left uninitialised, and may result in errant behaviour in the caller     of GNTTABOP_copy. A buggy or malicious guest can construct its grant table in such a way that, when a     backend domain tries to copy a grant, it hits the incorrect exit path. This returns success to the caller     without doing anything, which may cause crashes or other incorrect behaviour. (CVE-2020-11742)

  - tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does not prevent ..\ directory traversal on Windows.
    (CVE-2020-7211)

  - In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer     overflow in later code. (CVE-2020-8608)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - In QEMU through 5.0.0, an integer overflow was found in     the SM501 display driver implementation. This flaw     occurs in the COPY_AREA macro while handling MMIO write     operations through the sm501_2d_engine_write()     callback. A local attacker could abuse this flaw to     crash the QEMU process in sm501_2d_operation() in     hw/display/sm501.c on the host, resulting in a denial     of service.(CVE-2020-12829)

  - slirp.c in libslirp through 4.3.1 has a buffer     over-read because it tries to read a certain amount of     header data even if that exceeds the total packet     length.(CVE-2020-29130)

  - ncsi.c in libslirp through 4.3.1 has a buffer over-read     because it tries to read a certain amount of header     data even if that exceeds the total packet     length.(CVE-2020-29129)

  - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop     via an RX descriptor with a NULL buffer     address.(CVE-2020-28916)

  - ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can     encounter an outside-limits situation in a calculation.
    A guest can crash the QEMU process.(CVE-2020-27616)

  - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows     guest OS users to trigger an assertion failure. A guest     can crash the QEMU process via packet data that lacks a     valid Layer 3 protocol.(CVE-2020-27617)

  - A reachable assertion issue was found in the USB EHCI     emulation code of QEMU. It could occur while processing     USB requests due to missing handling of DMA memory map     failure. A malicious privileged user within the guest     may abuse this flaw to send bogus USB requests and     crash the QEMU process on the host, resulting in a     denial of service.(CVE-2020-25723)

  - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based     buffer over-read via values obtained from the host     controller driver.(CVE-2020-25624)

  - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop     when a TD list has a loop.(CVE-2020-25625)

  - In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c     misuses snprintf return values, leading to a buffer     overflow in later code.(CVE-2020-8608)

  - tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in     QEMU 4.2.0, mismanages memory, as demonstrated by IRC     DCC commands in EMU_IRC. This can cause a heap-based     buffer overflow or other out-of-bounds access which can     lead to a DoS or potential execute arbitrary     code.(CVE-2020-7039)

  - ip_reass in ip_input.c in libslirp 4.0.0 has a     heap-based buffer overflow via a large packet because     it mishandles a case involving the first     fragment.(CVE-2019-14378)

  - A flaw was found in the memory management API of QEMU     during the initialization of a memory region cache.
    This issue could lead to an out-of-bounds write access     to the MSI-X table while performing MMIO operations. A     guest user may abuse this flaw to crash the QEMU     process on the host, resulting in a denial of service.
    This flaw affects QEMU versions prior to     5.2.0.(CVE-2020-27821)

  - QEMU: reachable assertion failure in     net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c     (CVE-2020-16092)

  - hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to     trigger an out-of-bounds access by providing an address     near the end of the PCI configuration     space(CVE-2020-13791)

  - qmp_guest_file_read in qga/commands-posix.c and     qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent)     in QEMU 2.12.50 has an integer overflow causing a     g_malloc0() call to trigger a segmentation fault when     trying to allocate a large memory chunk. The     vulnerability can be exploited by sending a crafted QMP     command (including guest-file-read with a large count     value) to the agent via the listening     socket.(CVE-2018-12617)

  - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an     unvalidated address, which leads to an out-of-bounds     read during sdhci_write() operations. A guest OS user     can crash the QEMU process.(CVE-2020-13253)

  - QEMU 4.1.0 has a memory leak in zrle_compress_data in     ui/vnc-enc-zrle.c during a VNC disconnect operation     because libz is misused, resulting in a situation where     memory allocated in deflateInit2 is not freed in     deflateEnd.(CVE-2019-20382)

  - An integer overflow was found in QEMU 4.0.1 through     4.2.0 in the way it implemented ATI VGA emulation. This     flaw occurs in the ati_2d_blt() routine in     hw/display/ati-2d.c while handling MMIO write     operations through the ati_mm_write() callback. A     malicious guest could abuse this flaw to crash the QEMU     process, resulting in a denial of     service.(CVE-2020-11869)

  - This vulnerability has been modified since it was last     analyzed by the NVD. It is awaiting reanalysis which     may result in further changes to the information     provided.(CVE-2020-13659)

  - A flaw was found in QEMU in the implementation of the     Pointer Authentication (PAuth) support for ARM     introduced in version 4.0 and fixed in version 5.0.0. A     general failure of the signature generation process     caused every PAuth-enforced pointer to be signed with     the same signature. A local attacker could obtain the     signature of a protected pointer and abuse this flaw to     bypass PAuth protection for all programs running on     QEMU.(CVE-2020-10702)

  - hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU     before 07-20-2020 has a buffer overflow. This occurs     during packet transmission and affects the highbank and     midway emulated machines. A guest user or process could     use this flaw to crash the QEMU process on the host,     resulting in a denial of service or potential     privileged code execution. This was fixed in commit     5519724a13664b43e225ca05351c60b4468e4555.(CVE-2020-1586     3)

  - In QEMU 5.0.0 and earlier, megasas_lookup_frame in     hw/scsi/megasas.c has an out-of-bounds read via a     crafted reply_queue_head field from a guest OS     user.(CVE-2020-13362)

  - ** DISPUTED ** An issue was discovered in ide_dma_cb()     in hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest     system can crash the QEMU process in the host system     via a special SCSI_IOCTL_SEND_COMMAND. It hits an     assertion that implies that the size of successful DMA     transfers there must be a multiple of 512 (the size of     a sector). NOTE: a member of the QEMU security team     disputes the significance of this issue because a     'privileged guest user has many ways to cause similar     DoS effect, without triggering this     assert.'(CVE-2019-20175)

  - In QEMU 5.0.0 and earlier, es1370_transfer_audio in     hw/audio/es1370.c does not properly validate the frame     count, which allows guest OS users to trigger an     out-of-bounds access during an es1370_write()     operation.(CVE-2020-13361)

  - rom_copy() in hw/core/loader.c in QEMU 4.1.0 does not     validate the relationship between two addresses, which     allows attackers to trigger an invalid memory copy     operation.(CVE-2020-13765)

  - libslirp 4.0.0, as used in QEMU 4.1.0, has a     use-after-free in ip_reass in     ip_input.c.(CVE-2019-15890)

  - A use after free vulnerability in ip_reass() in     ip_input.c of libslirp 4.2.0 and prior releases allows     crafted packets to cause a denial of     service.(CVE-2020-1983)

  - ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest     OS users to trigger infinite recursion via a crafted     mm_index value during an ati_mm_read or ati_mm_write     call.(CVE-2020-13800)

  - An out-of-bounds heap buffer access flaw was found in     the way the iSCSI Block driver in QEMU versions 2.12.0     before 4.2.1 handled a response coming from an iSCSI     server while checking the status of a Logical Address     Block (LBA) in an iscsi_co_block_status() routine. A     remote user could use this flaw to crash the QEMU     process, resulting in a denial of service or potential     execution of arbitrary code with privileges of the QEMU     process on the host.(CVE-2020-1711)

  - tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does     not prevent ..\ directory traversal on     Windows.(CVE-2020-7211)

  - An out-of-bounds read vulnerability was found in the     SLiRP networking implementation of the QEMU emulator.
    This flaw occurs in the icmp6_send_echoreply() routine     while replying to an ICMP echo request, also known as     ping. This flaw allows a malicious guest to leak the     contents of the host memory, resulting in possible     information disclosure. This flaw affects versions of     libslirp before 4.3.1.(CVE-2020-10756)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - tftp.c in libslirp 4.1.0, as used in QEMU 4.2.0, does     not prevent ..\ directory traversal on     Windows.(CVE-2020-7211)

  - interface_release_resource in hw/display/qxl.c in QEMU     4.0.0 has a NULL pointer dereference.(CVE-2019-12155)

  - QEMU 3.0.0 has an Integer Overflow because the     qga/commands*.c files do not check the length of the     argument list or the number of environment variables.
    NOTE: This has been disputed as not     exploitable.(CVE-2019-12247)

  - qemu-bridge-helper.c in QEMU 4.0.0 does not ensure that     a network interface name (obtained from bridge.conf or     a --br=bridge option) is limited to the IFNAMSIZ size,     which can lead to an ACL bypass.(CVE-2019-13164)

  - ip_reass in ip_input.c in libslirp 4.0.0 has a     heap-based buffer overflow via a large packet because     it mishandles a case involving the first     fragment.(CVE-2019-14378)

  - An issue was discovered in ide_dma_cb() in     hw/ide/core.c in QEMU 2.4.0 through 4.2.0. The guest     system can crash the QEMU process in the host system     via a special SCSI_IOCTL_SEND_COMMAND. It hits an     assertion that implies that the size of successful DMA     transfers there must be a multiple of 512 (the size of     a sector). NOTE: a member of the QEMU security team     disputes the significance of this issue because a     'privileged guest user has many ways to cause similar     DoS effect, without triggering this     assert.'(CVE-2019-20175)

  - hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a     NULL pointer dereference, which allows the attacker to     cause a denial of service via a device     driver.(CVE-2019-5008)

  - An OOB heap buffer r/w access issue was found in the     NVM Express Controller emulation in QEMU. It could     occur in nvme_cmb_ops routines in nvme device. A guest     user/process could use this flaw to crash the QEMU     process resulting in DoS or potentially run arbitrary     code with privileges of the QEMU     process.(CVE-2018-16847)

  - hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to     cause a denial of service (NULL pointer dereference or     excessive memory allocation) in create_cq_ring or     create_qp_rings.(CVE-2018-20125)

  - QEMU can have an infinite loop in     hw/rdma/vmw/pvrdma_dev_ring.c because return values are     not checked (and -1 is mishandled).(CVE-2018-20216)

  - The load_multiboot function in hw/i386/multiboot.c in     Quick Emulator (aka QEMU) allows local guest OS users     to execute arbitrary code on the QEMU host via a     mh_load_end_addr value greater than mh_bss_end_addr,     which triggers an out-of-bounds read or write memory     access.(CVE-2018-7550)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

CVE-2020-0543: Fixed a side channel attack against special registers which could have resulted in leaking of read values to cores other than the one which called it. This attack is known as Special Register Buffer Data Sampling (SRBDS) or 'CrossTalk' (bsc#1172205).

CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).

CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).

CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).

CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace code to crash the guest, leading to a guest denial of service (bsc#1158004 XSA-308).

CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).

CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).

CVE-2019-19579: Fixed a privilege escalation where an untrusted domain with access to a physical device can DMA into host memory (bsc#1157888 XSA-306).

CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).

CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).

Xenstored Crashed during VM install (bsc#1167152)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen to version 4.12.2 fixes the following issues :

Security issues fixed :

CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).

CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).

CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).

CVE-2020-11743: Bad error path in GNTTABOP_map_grant (bsc#1168143).

CVE-2020-7211: Fixed potential directory traversal using relative paths via tftp server on Windows host (bsc#1161181).

arm: a CPU may speculate past the ERET instruction (bsc#1160932).

Non-security issues fixed: Xenstored Crashed during VM install (bsc#1167152)

DomU hang: soft lockup CPU #0 stuck under high load (bsc#1165206, bsc#1134506)

Update API compatibility versions, fixes issues for libvirt.
(bsc#1167007, bsc#1157490)

aacraid blocks xen commands (bsc#1155200)

Problems Booting Fedora31 VM on sles15 sp1 Xen Dom0 (bsc#1162040).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

Security issues fixed :

CVE-2020-11742: Bad continuation handling in GNTTABOP_copy (bsc#1169392).

CVE-2020-11740, CVE-2020-11741: xen: XSA-313 multiple xenoprof issues (bsc#1168140).

CVE-2020-11739: Missing memory barriers in read-write unlock paths (bsc#1168142).

CVE-2020-11743: Bad error path in GNTTABOP_map_grant (bsc#1168143).

CVE-2020-7211: Fixed potential directory traversal using relative paths via tftp server on Windows host (bsc#1161181).

arm: a CPU may speculate past the ERET instruction (bsc#1160932).

Non-security issues fixed: Xenstored Crashed during VM install (bsc#1167152)

DomU hang: soft lockup CPU #0 stuck under high load (bsc#1165206, bsc#1134506)

Update API compatibility versions, fixes issues for libvirt.
(bsc#1167007, bsc#1157490)

aacraid blocks xen commands (bsc#1155200)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

CVE-2018-12207: Fixed a race condition where untrusted virtual machines could have been using the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional (bsc#1155945 XSA-304).

CVE-2018-19965: Fixed a DoS from attempting to use INVPCID with a non-canonical addresses (bsc#1115045 XSA-279).

CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate side-channel information leaks out of microarchitectural buffers, similar to the previously described 'Microarchitectural Data Sampling' attack. (bsc#1152497 XSA-305).

CVE-2019-12067: Fixed a NULL pointer dereference in QEMU AHCI (bsc#1145652).

CVE-2019-12068: Fixed an infinite loop while executing script (bsc#1146874).

CVE-2019-12155: Fixed a NULL pointer dereference while releasing spice resources (bsc#1135905).

CVE-2019-14378: Fixed a heap buffer overflow during packet reassembly in slirp networking implementation (bsc#1143797).

CVE-2019-15890: Fixed a use-after-free during packet reassembly (bsc#1149813).

CVE-2019-17340: Fixed grant table transfer issues on large hosts (XSA-284 bsc#1126140).

CVE-2019-17341: Fixed a race with pass-through device hotplug (XSA-285 bsc#1126141).

CVE-2019-17342: Fixed steal_page violating page_struct access discipline (XSA-287 bsc#1126192).

CVE-2019-17343: Fixed an inconsistent PV IOMMU discipline (XSA-288 bsc#1126195).

CVE-2019-17344: Fixed a missing preemption in x86 PV page table unvalidation (XSA-290 bsc#1126196).

CVE-2019-17347: Fixed a PV kernel context switch corruption (XSA-293 bsc#1126201).

CVE-2019-18420: Fixed a hypervisor crash that could be caused by malicious x86 PV guests, resulting in a denial of service (bsc#1154448 XSA-296).

CVE-2019-18421: Fixed a privilege escalation through malicious PV guest administrators (bsc#1154458 XSA-299).

CVE-2019-18424: Fixed a privilege escalation through DMA to physical devices by untrusted domains (bsc#1154461 XSA-302).

CVE-2019-18425: Fixed a privilege escalation from 32-bit PV guest used mode (bsc#1154456 XSA-298).

CVE-2019-19577: Fixed an issue where a malicious guest administrator could have caused Xen to access data structures while they are being modified leading to a crash (bsc#1158007 XSA-311).

CVE-2019-19578: Fixed an issue where a malicious or buggy PV guest could have caused hypervisor crash resulting in denial of service affecting the entire host (bsc#1158005 XSA-309).

CVE-2019-19579: Fixed a privilege escalation where an untrusted domain with access to a physical device can DMA into host memory (bsc#1157888 XSA-306).

CVE-2019-19580: Fixed a privilege escalation where a malicious PV guest administrator could have been able to escalate their privilege to that of the host (bsc#1158006 XSA-310).

CVE-2019-19581: Fixed a potential out of bounds on 32-bit Arm (bsc#1158003 XSA-307).

CVE-2019-19583: Fixed improper checks which could have allowed HVM/PVH guest userspace code to crash the guest, leading to a guest denial of service (bsc#1158004 XSA-308).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

CVE-2020-7211: potential directory traversal using relative paths via tftp server on Windows host (bsc#1161181).

CVE-2019-19579: Device quarantine for alternate pci assignment methods (bsc#1157888).

CVE-2019-19581: find_next_bit() issues (bsc#1158003).

CVE-2019-19583: VMentry failure with debug exceptions and blocked states (bsc#1158004).

CVE-2019-19578: Linear pagetable use / entry miscounts (bsc#1158005).

CVE-2019-19580: Further issues with restartable PV type change operations (bsc#1158006).

CVE-2019-19577: dynamic height for the IOMMU pagetables (bsc#1158007).

CVE-2019-18420: VCPUOP_initialise DoS (bsc#1154448).

CVE-2019-18425: missing descriptor table limit checking in x86 PV emulation (bsc#1154456).

CVE-2019-18421: Issues with restartable PV type change operations (bsc#1154458).

CVE-2019-18424: passed through PCI devices may corrupt host memory after deassignment (bsc#1154461).

CVE-2018-12207: Machine Check Error Avoidance on Page Size Change (aka IFU issue) (bsc#1155945).

CVE-2019-11135: TSX Asynchronous Abort (TAA) issue (bsc#1152497).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
151383	EulerOS Virtualization 3.0.2.2 : qemu-kvm (EulerOS-SA-2021-2166)	Nessus	Huawei Local Security Checks	critical
150584	SUSE SLES11 Security Update : xen (SUSE-SU-2020:14444-1)	Nessus	SuSE Local Security Checks	critical
147700	EulerOS Virtualization 2.9.0 : qemu (EulerOS-SA-2021-1667)	Nessus	Huawei Local Security Checks	medium
147523	EulerOS Virtualization 2.9.1 : qemu (EulerOS-SA-2021-1632)	Nessus	Huawei Local Security Checks	medium
139983	EulerOS 2.0 SP8 : qemu (EulerOS-SA-2020-1880)	Nessus	Huawei Local Security Checks	high
137624	SUSE SLES12 Security Update : xen (SUSE-SU-2020:1630-1)	Nessus	SuSE Local Security Checks	medium
136164	SUSE SLES12 Security Update : xen (SUSE-SU-2020:1139-1)	Nessus	SuSE Local Security Checks	high
136163	SUSE SLES12 Security Update : xen (SUSE-SU-2020:1138-1)	Nessus	SuSE Local Security Checks	high
133763	SUSE SLES12 Security Update : xen (SUSE-SU-2020:0388-1)	Nessus	SuSE Local Security Checks	critical
133539	SUSE SLES12 Security Update : xen (SUSE-SU-2020:0334-1)	Nessus	SuSE Local Security Checks	critical

CVE-2020-7211

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

medium

medium

high

medium

high

high

critical

critical