SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1894-1)

medium Nessus Plugin ID 150399
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1894-1 advisory.

- libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

- An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.
This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1. (CVE-2020-10756)

- hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. (CVE-2020-13754)

- An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. (CVE-2020-14364)

- ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate is a duplicate of CVE-2020-28916 (CVE-2020-25707)

- A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. (CVE-2020-25723)

- slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29130)

- In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. (CVE-2020-8608)

- An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)

- ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. (CVE-2021-3419)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1094725

https://bugzilla.suse.com/1149813

https://bugzilla.suse.com/1163019

https://bugzilla.suse.com/1172380

https://bugzilla.suse.com/1172382

https://bugzilla.suse.com/1175534

https://bugzilla.suse.com/1178683

https://bugzilla.suse.com/1178935

https://bugzilla.suse.com/1179477

https://bugzilla.suse.com/1181933

https://bugzilla.suse.com/1182846

https://bugzilla.suse.com/1182975

http://www.nessus.org/u?7f2c87cb

https://www.suse.com/security/cve/CVE-2019-15890

https://www.suse.com/security/cve/CVE-2020-10756

https://www.suse.com/security/cve/CVE-2020-13754

https://www.suse.com/security/cve/CVE-2020-14364

https://www.suse.com/security/cve/CVE-2020-25707

https://www.suse.com/security/cve/CVE-2020-25723

https://www.suse.com/security/cve/CVE-2020-29130

https://www.suse.com/security/cve/CVE-2020-8608

https://www.suse.com/security/cve/CVE-2021-20221

https://www.suse.com/security/cve/CVE-2021-20257

https://www.suse.com/security/cve/CVE-2021-3419

Plugin Details

Severity: Medium

ID: 150399

File Name: suse_SU-2021-1894-1.nasl

Version: 1.3

Type: local

Agent: unix

Published: 6/9/2021

Updated: 1/21/2022

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2020-8608

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: Medium

Base Score: 5.6

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:qemu, p-cpe:/a:novell:suse_linux:qemu-arm, p-cpe:/a:novell:suse_linux:qemu-block-curl, p-cpe:/a:novell:suse_linux:qemu-block-iscsi, p-cpe:/a:novell:suse_linux:qemu-block-rbd, p-cpe:/a:novell:suse_linux:qemu-block-ssh, p-cpe:/a:novell:suse_linux:qemu-guest-agent, p-cpe:/a:novell:suse_linux:qemu-ipxe, p-cpe:/a:novell:suse_linux:qemu-kvm, p-cpe:/a:novell:suse_linux:qemu-lang, p-cpe:/a:novell:suse_linux:qemu-ppc, p-cpe:/a:novell:suse_linux:qemu-s390, p-cpe:/a:novell:suse_linux:qemu-seabios, p-cpe:/a:novell:suse_linux:qemu-sgabios, p-cpe:/a:novell:suse_linux:qemu-tools, p-cpe:/a:novell:suse_linux:qemu-vgabios, p-cpe:/a:novell:suse_linux:qemu-x86, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 6/8/2021

Vulnerability Publication Date: 9/6/2019

Reference Information

CVE: CVE-2019-15890, CVE-2020-8608, CVE-2020-10756, CVE-2020-13754, CVE-2020-14364, CVE-2020-25707, CVE-2020-25723, CVE-2020-29130, CVE-2021-3419, CVE-2021-20221, CVE-2021-20257

SuSE: SUSE-SU-2021:1894-1

IAVB: 2020-B-0041-S, 2020-B-0063-S, 2020-B-0075