Detections
Analytics

SUSE SLES12 Security Update : qemu (SUSE-SU-2023:0761-1)

high Nessus Plugin ID 172642

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0761-1 advisory.

 - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)

 - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. (CVE-2020-13754)

 - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process on the host, resulting in a denial of service. (CVE-2020-14394)

 - A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host. (CVE-2020-17380)

 - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)

 - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

 - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

 - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

 - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc() function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

 - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service. (CVE-2022-0216)

 - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading to a use-after-free condition. (CVE-2022-1050)

 - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.
 Affected QEMU versions <= 6.2.0. (CVE-2022-26354)

 - ** DISPUTED ** softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non- virtualization Use Case in the qemu.org reference applies here, i.e., Bugs affecting the non- virtualization use case are not considered security bugs at this time. (CVE-2022-35414)

 - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt() function does not check the size of the structure pointed to by the guest physical address, potentially reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://bugzilla.suse.com/1172033

https://bugzilla.suse.com/1172382

https://bugzilla.suse.com/1175144

https://bugzilla.suse.com/1180207

https://bugzilla.suse.com/1182282

https://bugzilla.suse.com/1185000

https://bugzilla.suse.com/1193880

https://bugzilla.suse.com/1197653

https://bugzilla.suse.com/1198035

https://bugzilla.suse.com/1198038

https://bugzilla.suse.com/1198712

https://bugzilla.suse.com/1201367

https://bugzilla.suse.com/1205808

https://www.suse.com/security/cve/CVE-2020-13253

https://www.suse.com/security/cve/CVE-2020-13754

https://www.suse.com/security/cve/CVE-2020-14394

https://www.suse.com/security/cve/CVE-2020-17380

https://www.suse.com/security/cve/CVE-2020-25085

https://www.suse.com/security/cve/CVE-2021-3409

https://www.suse.com/security/cve/CVE-2021-3507

https://www.suse.com/security/cve/CVE-2021-3929

https://www.suse.com/security/cve/CVE-2021-4206

https://www.suse.com/security/cve/CVE-2022-0216

https://www.suse.com/security/cve/CVE-2022-1050

https://www.suse.com/security/cve/CVE-2022-26354

https://www.suse.com/security/cve/CVE-2022-35414

https://www.suse.com/security/cve/CVE-2022-4144

http://www.nessus.org/u?fc6e68d2

Plugin Details

Severity: High

ID: 172642

File Name: suse_SU-2023-0761-1.nasl

Version: 1.3

Type: local

Agent: unix

Published: 3/17/2023

Updated: 9/28/2023

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 4.8

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:C

CVSS Score Source: CVE-2022-35414

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:suse_linux:qemu, p-cpe:/a:novell:suse_linux:qemu-arm, p-cpe:/a:novell:suse_linux:qemu-audio-alsa, p-cpe:/a:novell:suse_linux:qemu-audio-oss, p-cpe:/a:novell:suse_linux:qemu-audio-pa, p-cpe:/a:novell:suse_linux:qemu-audio-sdl, p-cpe:/a:novell:suse_linux:qemu-block-curl, p-cpe:/a:novell:suse_linux:qemu-block-iscsi, p-cpe:/a:novell:suse_linux:qemu-block-rbd, p-cpe:/a:novell:suse_linux:qemu-block-ssh, p-cpe:/a:novell:suse_linux:qemu-guest-agent, p-cpe:/a:novell:suse_linux:qemu-ipxe, p-cpe:/a:novell:suse_linux:qemu-kvm, p-cpe:/a:novell:suse_linux:qemu-lang, p-cpe:/a:novell:suse_linux:qemu-ppc, p-cpe:/a:novell:suse_linux:qemu-s390, p-cpe:/a:novell:suse_linux:qemu-seabios, p-cpe:/a:novell:suse_linux:qemu-sgabios, p-cpe:/a:novell:suse_linux:qemu-tools, p-cpe:/a:novell:suse_linux:qemu-ui-curses, p-cpe:/a:novell:suse_linux:qemu-ui-gtk, p-cpe:/a:novell:suse_linux:qemu-ui-sdl, p-cpe:/a:novell:suse_linux:qemu-vgabios, p-cpe:/a:novell:suse_linux:qemu-x86, cpe:/o:novell:suse_linux:12

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/16/2023

Vulnerability Publication Date: 5/7/2020

Reference Information

CVE: CVE-2020-13253, CVE-2020-13754, CVE-2020-14394, CVE-2020-17380, CVE-2020-25085, CVE-2021-3409, CVE-2021-3507, CVE-2021-3929, CVE-2021-4206, CVE-2022-0216, CVE-2022-1050, CVE-2022-26354, CVE-2022-35414, CVE-2022-4144

IAVB: 2020-B-0026-S, 2020-B-0041-S, 2020-B-0063-S, 2020-B-0075-S, 2022-B-0057-S

SuSE: SUSE-SU-2023:0761-1