Ubuntu 20.04 LTS / 20.10 / 21.04 : libslirp vulnerabilities (USN-5009-1)
medium Nessus Plugin ID 151679
Language:
Synopsis
The remote Ubuntu host is missing one or more security updates.Description
The remote Ubuntu 20.04 LTS / 20.10 / 21.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5009-1 advisory.- ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29129)
- slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of header data even if that exceeds the total packet length. (CVE-2020-29130)
- An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)
- An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3593)
- An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3594)
- An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3595)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Update the affected libslirp-dev and / or libslirp0 packages.See Also
Plugin Details
Severity: Medium
ID: 151679
File Name: ubuntu_USN-5009-1.nasl
Version: 1.2
Type: local
Agent: unix
Family: Ubuntu Local Security Checks
Published: 7/16/2021
Updated: 7/16/2021
Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent
Risk Information
VPR
Risk Factor: Low
Score: 2.4
CVSS v2
Risk Factor: Medium
Base Score: 4
Temporal Score: 3
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Temporal Vector: E:U/RL:OF/RC:C
CVSS Score Source: CVE-2020-29130
CVSS v3
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.8
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Temporal Vector: E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:canonical:ubuntu_linux:20.04:-:lts, cpe:/o:canonical:ubuntu_linux:20.10, cpe:/o:canonical:ubuntu_linux:21.04, p-cpe:/a:canonical:ubuntu_linux:libslirp-dev, p-cpe:/a:canonical:ubuntu_linux:libslirp0
Required KB Items: Host/cpu, Host/Ubuntu, Host/Ubuntu/release, Host/Debian/dpkg-l
Exploit Ease: No known exploits are available
Patch Publication Date: 7/15/2021
Vulnerability Publication Date: 11/26/2020
Reference Information
CVE: CVE-2020-29129, CVE-2020-29130, CVE-2021-3592, CVE-2021-3593, CVE-2021-3594, CVE-2021-3595
USN: 5009-1