SUSE SLES11 Security Update : kvm (SUSE-SU-2021:14704-1)

Nessus Plugin ID 150537 (Severity: High)

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES11 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:14704-1 advisory.

- The vmware-vga driver (hw/display/vmware_vga.c) in QEMU allows local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling. (CVE-2014-3689)

- The VNC websocket frame decoder in QEMU allows remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section. (CVE-2015-1779)

- In QEMU through 5.0.0, an integer overflow was found in the SM501 display driver implementation. This flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local attacker could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service. (CVE-2020-12829)

- In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation. (CVE-2020-13361)

- In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. (CVE-2020-13362)

- rom_copy() in hw/core/loader.c in QEMU 4.0 and 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation. (CVE-2020-13765)

- An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. (CVE-2020-14364)

- QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. (CVE-2020-25084)

- hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver. (CVE-2020-25624)

- hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)

- A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service. (CVE-2020-25723)

- slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29130)

- ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. (CVE-2020-29443)

- A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, and system availability. (CVE-2021-20181)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected kvm package.

See Also

https://bugzilla.suse.com/1172383

https://bugzilla.suse.com/1172384

https://bugzilla.suse.com/1172385

https://bugzilla.suse.com/1172478

https://bugzilla.suse.com/1175441

https://bugzilla.suse.com/1176673

https://bugzilla.suse.com/1176682

https://bugzilla.suse.com/1176684

https://bugzilla.suse.com/1178934

https://bugzilla.suse.com/1179467

https://bugzilla.suse.com/1181108

https://bugzilla.suse.com/1182137

https://bugzilla.suse.com/1182425

https://bugzilla.suse.com/1182577

http://www.nessus.org/u?20ebf58d

https://www.suse.com/security/cve/CVE-2014-3689

https://www.suse.com/security/cve/CVE-2015-1779

https://www.suse.com/security/cve/CVE-2020-12829

https://www.suse.com/security/cve/CVE-2020-13361

https://www.suse.com/security/cve/CVE-2020-13362

https://www.suse.com/security/cve/CVE-2020-13765

https://www.suse.com/security/cve/CVE-2020-14364

https://www.suse.com/security/cve/CVE-2020-25084

https://www.suse.com/security/cve/CVE-2020-25624

https://www.suse.com/security/cve/CVE-2020-25625

https://www.suse.com/security/cve/CVE-2020-25723

https://www.suse.com/security/cve/CVE-2020-29130

https://www.suse.com/security/cve/CVE-2020-29443

https://www.suse.com/security/cve/CVE-2021-20181

https://www.suse.com/security/cve/CVE-2021-20257

Plugin Details

Severity: High

ID: 150537

File Name: suse_SU-2021-14704-1.nasl

Version: 1.2

Type: local

Agent: unix

Published: 6/10/2021

Updated: 6/10/2021

Dependencies: ssh_get_info.nasl

Risk Information

CVSS Score Source: CVE-2014-3689

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:U/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:kvm, cpe:/o:novell:suse_linux:11

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 4/20/2021

Vulnerability Publication Date: 10/30/2014

Reference Information

CVE: CVE-2014-3689, CVE-2015-1779, CVE-2020-12829, CVE-2020-13361, CVE-2020-13362, CVE-2020-13765, CVE-2020-14364, CVE-2020-25084, CVE-2020-25624, CVE-2020-25625, CVE-2020-25723, CVE-2020-29130, CVE-2020-29443, CVE-2021-20181, CVE-2021-20257

SuSE: SUSE-SU-2021:14704-1

IAVB: 2020-B-0041-S, 2020-B-0063-S, 2020-B-0075