Oracle Linux 7 : qemu (ELSA-2021-9034)

medium Nessus Plugin ID 146269

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-9034 advisory.

- An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. (CVE-2020-14364)

- In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c. (CVE-2020-16092)

- hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. (CVE-2020-13754)

- In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. (CVE-2020-13362)

- hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length. (CVE-2020-11102)

- hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.
(CVE-2020-15863)

- hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space. (CVE-2020-13791)

- address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.
(CVE-2020-13659)

- sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)

- A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU. (CVE-2020-10702)

- hw/display/bochs-display.c in QEMU 4.0.0 does not ensure a sufficient PCI config space allocation, leading to a buffer overflow involving the PCIe extended config space. (CVE-2019-15034)

- In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service. (CVE-2020-12829)

- oss_write in audio/ossaudio.c in QEMU before 5.0.0 mishandles a buffer position. (CVE-2020-14415)

- hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)

- QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. (CVE-2020-25084)

- ati_2d_blt in hw/display/ati_2d.c in QEMU 4.2.1 can encounter an outside-limits situation in a calculation. A guest can crash the QEMU process. (CVE-2020-27616)

- ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29129)

- slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29130)

- hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver. (CVE-2020-25624)

- hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
(CVE-2020-28916)

- An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.
This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1. (CVE-2020-10756)

- A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. (CVE-2020-25723)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2021-9034.html

Plugin Details

Severity: Medium

ID: 146269

File Name: oraclelinux_ELSA-2021-9034.nasl

Version: 1.4

Type: local

Agent: unix

Published: 2/5/2021

Updated: 5/10/2022

Supported Sensors: Frictionless Assessment Agent, Nessus Agent

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2020-11102

CVSS v3

Risk Factor: Medium

Base Score: 6.7

Temporal Score: 5.8

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: E:U/RL:O/RC:C

CVSS Score Source: CVE-2020-13754

Vulnerability Information

CPE: cpe:/o:oracle:linux:7, p-cpe:/a:oracle:linux:qemu, p-cpe:/a:oracle:linux:qemu-block-gluster, p-cpe:/a:oracle:linux:qemu-block-iscsi, p-cpe:/a:oracle:linux:qemu-block-rbd, p-cpe:/a:oracle:linux:qemu-common, p-cpe:/a:oracle:linux:qemu-img, p-cpe:/a:oracle:linux:qemu-kvm, p-cpe:/a:oracle:linux:qemu-kvm-core, p-cpe:/a:oracle:linux:qemu-system-x86, p-cpe:/a:oracle:linux:qemu-system-x86-core

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 2/5/2021

Vulnerability Publication Date: 3/10/2020

Reference Information

CVE: CVE-2019-15034, CVE-2020-10702, CVE-2020-10756, CVE-2020-11102, CVE-2020-12829, CVE-2020-13253, CVE-2020-13362, CVE-2020-13659, CVE-2020-13754, CVE-2020-13791, CVE-2020-14364, CVE-2020-14415, CVE-2020-15863, CVE-2020-16092, CVE-2020-25084, CVE-2020-25624, CVE-2020-25625, CVE-2020-25723, CVE-2020-27616, CVE-2020-28916, CVE-2020-29129, CVE-2020-29130