SUSE SLES11 Security Update : kvm (SUSE-SU-2021:14704-1)

high Nessus Plugin ID 150537

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES11 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:14704-1 advisory.

- The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling. (CVE-2014-3689)

- The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section. (CVE-2015-1779)

- In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service. (CVE-2020-12829)

- In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
(CVE-2020-13361)

- In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. (CVE-2020-13362)

- rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation. (CVE-2020-13765)

- An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. (CVE-2020-14364)

- QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. (CVE-2020-25084)

- hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver. (CVE-2020-25624)

- hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)

- A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. (CVE-2020-25723)

- slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29130)

- ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. (CVE-2020-29443)

- A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability. (CVE-2021-20181)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kvm package.

See Also

https://www.suse.com/security/cve/CVE-2020-25723

https://www.suse.com/security/cve/CVE-2021-20257

https://www.suse.com/security/cve/CVE-2020-14364

https://www.suse.com/security/cve/CVE-2020-29130

https://bugzilla.suse.com/1172383

https://bugzilla.suse.com/1172384

https://bugzilla.suse.com/1172385

https://bugzilla.suse.com/1172478

https://bugzilla.suse.com/1175441

https://bugzilla.suse.com/1176673

https://bugzilla.suse.com/1176682

https://bugzilla.suse.com/1176684

https://bugzilla.suse.com/1178934

https://bugzilla.suse.com/1179467

https://bugzilla.suse.com/1181108

https://bugzilla.suse.com/1182137

https://bugzilla.suse.com/1182425

https://bugzilla.suse.com/1182577

http://www.nessus.org/u?20ebf58d

https://www.suse.com/security/cve/CVE-2014-3689

https://www.suse.com/security/cve/CVE-2015-1779

https://www.suse.com/security/cve/CVE-2020-12829

https://www.suse.com/security/cve/CVE-2020-13361

https://www.suse.com/security/cve/CVE-2020-13362

https://www.suse.com/security/cve/CVE-2020-13765

https://www.suse.com/security/cve/CVE-2020-25084

https://www.suse.com/security/cve/CVE-2020-25624

https://www.suse.com/security/cve/CVE-2020-25625

https://www.suse.com/security/cve/CVE-2020-29443

https://www.suse.com/security/cve/CVE-2021-20181

Plugin Details

Severity: High

ID: 150537

File Name: suse_SU-2021-14704-1.nasl

Version: 1.3

Type: local

Agent: unix

Published: 6/10/2021

Updated: 5/9/2022

Supported Sensors: Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS Score Source: CVE-2014-3689

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2021-20181

Vulnerability Information

CPE: cpe:2.3:o:novell:suse_linux:11:*:*:*:*:*:*:*, p-cpe:2.3:a:novell:suse_linux:kvm:*:*:*:*:*:*:*

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/20/2021

Vulnerability Publication Date: 10/30/2014

Reference Information

CVE: CVE-2014-3689, CVE-2015-1779, CVE-2020-13361, CVE-2020-13362, CVE-2020-13765, CVE-2020-12829, CVE-2020-14364, CVE-2020-25084, CVE-2020-25625, CVE-2020-25624, CVE-2020-29130, CVE-2020-25723, CVE-2020-29443, CVE-2021-20181, CVE-2021-20257

IAVB: 2020-B-0041-S, 2020-B-0075, 2020-B-0063-S

SuSE: SUSE-SU-2021:14704-1