SUSE SLES12 Security Update : qemu (SUSE-SU-2021:1894-1)

medium Nessus Plugin ID 150399

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1894-1 advisory.

- libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

- An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.
This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1. (CVE-2020-10756)

- hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. (CVE-2020-13754)

- An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. (CVE-2020-14364)

- A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. (CVE-2020-25723)

- slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29130)

- In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code. (CVE-2020-8608)

- An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)

- An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20257)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1094725

https://bugzilla.suse.com/1149813

https://bugzilla.suse.com/1163019

https://bugzilla.suse.com/1172380

https://bugzilla.suse.com/1172382

https://bugzilla.suse.com/1175534

https://bugzilla.suse.com/1178683

https://bugzilla.suse.com/1178935

https://bugzilla.suse.com/1179477

https://bugzilla.suse.com/1181933

https://bugzilla.suse.com/1182846

https://bugzilla.suse.com/1182975

https://www.suse.com/security/cve/CVE-2019-15890

https://www.suse.com/security/cve/CVE-2020-10756

https://www.suse.com/security/cve/CVE-2020-13754

https://www.suse.com/security/cve/CVE-2020-14364

https://www.suse.com/security/cve/CVE-2020-25707

https://www.suse.com/security/cve/CVE-2020-25723

https://www.suse.com/security/cve/CVE-2020-29130

https://www.suse.com/security/cve/CVE-2020-8608

https://www.suse.com/security/cve/CVE-2021-20221

https://www.suse.com/security/cve/CVE-2021-20257

https://www.suse.com/security/cve/CVE-2021-3419

http://www.nessus.org/u?7f2c87cb

Plugin Details

Severity: Medium

ID: 150399

File Name: suse_SU-2021-1894-1.nasl

Version: 1.7

Type: local

Agent: unix

Published: 6/9/2021

Updated: 7/13/2023

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-8608

CVSS v3

Risk Factor: Medium

Base Score: 6.7

Temporal Score: 6

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2020-13754

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:qemu, p-cpe:/a:novell:suse_linux:qemu-arm, p-cpe:/a:novell:suse_linux:qemu-block-curl, p-cpe:/a:novell:suse_linux:qemu-block-iscsi, p-cpe:/a:novell:suse_linux:qemu-block-rbd, p-cpe:/a:novell:suse_linux:qemu-block-ssh, p-cpe:/a:novell:suse_linux:qemu-guest-agent, p-cpe:/a:novell:suse_linux:qemu-ipxe, p-cpe:/a:novell:suse_linux:qemu-kvm, p-cpe:/a:novell:suse_linux:qemu-lang, p-cpe:/a:novell:suse_linux:qemu-ppc, p-cpe:/a:novell:suse_linux:qemu-s390, p-cpe:/a:novell:suse_linux:qemu-seabios, p-cpe:/a:novell:suse_linux:qemu-sgabios, p-cpe:/a:novell:suse_linux:qemu-tools, p-cpe:/a:novell:suse_linux:qemu-vgabios, p-cpe:/a:novell:suse_linux:qemu-x86, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/8/2021

Vulnerability Publication Date: 9/6/2019

Reference Information

CVE: CVE-2019-15890, CVE-2020-10756, CVE-2020-13754, CVE-2020-14364, CVE-2020-25707, CVE-2020-25723, CVE-2020-29130, CVE-2020-8608, CVE-2021-20221, CVE-2021-20257, CVE-2021-3419

IAVB: 2020-B-0041-S, 2020-B-0063-S, 2020-B-0075-S

SuSE: SUSE-SU-2021:1894-1