An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.

The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the qemu-kvm-8.0.0-8.el9 build changelog.

  - A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the     Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be     written to the controller's registers and trigger undesirable actions (such as reset) while the device is     still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or     potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects     QEMU versions before 7.0.0. (CVE-2021-3750)

  - memory corruption issues in read_erst_record and write_erst_record [rhel-9]) (CVE-2022-4172)

  - DMA reentrancy issue (incomplete fix for CVE-2021-3750) [rhel-9]) (CVE-2023-2680)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS / 22.10 / 23.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6167-1 advisory.

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

  - An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table     (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow     the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use     these flaws to crash the QEMU process on the host. (CVE-2022-4172)

  - A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem     may lead to memory corruption bugs like stack overflow or use-after-free. (CVE-2023-0330)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-2162 advisory.

  - An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the     extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially     crafted payload message, resulting in a denial of service. (CVE-2022-3165)

  - An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table     (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow     the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use     these flaws to crash the QEMU process on the host. (CVE-2022-4172)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:2162 advisory.

  - An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the     extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially     crafted payload message, resulting in a denial of service. (CVE-2022-3165)

  - An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table     (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow     the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use     these flaws to crash the QEMU process on the host. (CVE-2022-4172)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:2162 advisory.

  - QEMU: VNC: integer underflow in vnc_client_cut_text_ext leads to CPU exhaustion (CVE-2022-3165)

  - QEMU: ACPI ERST: memory corruption issues in read_erst_record and write_erst_record (CVE-2022-4172)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-12195 advisory.

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table     (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow     the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use     these flaws to crash the QEMU process on the host. (CVE-2022-4172)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

  - An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the     extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially     crafted payload message, resulting in a denial of service. (CVE-2022-3165)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-12108 advisory.

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - A flaw was found in libvirt while it generates SELinux MCS category pairs for VMs' dynamic labels. This     flaw allows one exploited guest to access files labeled for another guest, resulting in the breaking out     of sVirt confinement. The highest threat from this vulnerability is to confidentiality and integrity.
    (CVE-2021-3631)

  - An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in     the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for     the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2021-3638)

  - An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the     extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially     crafted payload message, resulting in a denial of service. (CVE-2022-3165)

  - An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table     (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow     the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use     these flaws to crash the QEMU process on the host. (CVE-2022-4172)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-12065 advisory.

  - An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the     extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially     crafted payload message, resulting in a denial of service. (CVE-2022-3165)

  - An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table     (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow     the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use     these flaws to crash the QEMU process on the host. (CVE-2022-4172)

  - An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in     the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for     the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2021-3638)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An integer overflow and buffer overflow issues were found in the ACPI Error Record Serialization Table (ERST) device of QEMU in the read_erst_record() and write_erst_record() functions. Both issues may allow the guest to overrun the host buffer allocated for the ERST memory device. A malicious guest could use these flaws to crash the QEMU process on the host.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
191424	CentOS 9 : qemu-kvm-8.0.0-8.el9	Nessus	CentOS Local Security Checks	high
177423	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 LTS / 22.04 LTS / 23.04 : QEMU vulnerabilities (USN-6167-1)	Nessus	Ubuntu Local Security Checks	high
175701	Oracle Linux 9 : qemu-kvm (ELSA-2023-2162)	Nessus	Oracle Linux Local Security Checks	medium
175625	AlmaLinux 9 : qemu-kvm (ALSA-2023:2162)	Nessus	Alma Linux Local Security Checks	medium
175443	RHEL 9 : qemu-kvm (RHSA-2023:2162)	Nessus	Red Hat Local Security Checks	medium
172674	Oracle Linux 8 : virt:kvm_utils2 (ELSA-2023-12195)	Nessus	Oracle Linux Local Security Checks	high
171222	Oracle Linux 8 : virt:kvm_utils (ELSA-2023-12108)	Nessus	Oracle Linux Local Security Checks	high
170462	Oracle Linux 7 : qemu (ELSA-2023-12065)	Nessus	Oracle Linux Local Security Checks	high
168861	QEMU < 7.2.0 Overflow (CVE-2022-4172)	Nessus	Windows	medium

Detections

Analytics

CVE-2022-4172

medium

Tenable Plugins

high

high

medium

medium

medium

high

high

high

medium