Detections
Analytics

CentOS 9 : qemu-kvm-6.1.0-3.el9

high Nessus Plugin ID 191255

Language:

Synopsis

The remote CentOS host is missing one or more security updates for qemu-guest-agent.

Description

The remote CentOS Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the qemu-kvm-6.1.0-3.el9 build changelog.

 - use-after-free during packet reassembly [rhel-av-8]) (CVE-2019-15890)

 - A flaw was found in QEMU in the implementation of the Pointer Authentication (PAuth) support for ARM introduced in version 4.0 and fixed in version 5.0.0. A general failure of the signature generation process caused every PAuth-enforced pointer to be signed with the same signature. A local attacker could obtain the signature of a protected pointer and abuse this flaw to bypass PAuth protection for all programs running on QEMU. (CVE-2020-10702)

 - A potential DoS flaw was found in the virtio-fs shared file system daemon (virtiofsd) implementation of the QEMU version >= v5.0. Virtio-fs is meant to share a host file system directory with a guest via virtio-fs device. If the guest opens the maximum number of file descriptors under the shared directory, a denial of service may occur. This flaw allows a guest user/process to cause this denial of service on the host. (CVE-2020-10717)

 - An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator.
 This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1. (CVE-2020-10756)

 - An assertion failure issue was found in the Network Block Device(NBD) Server in all QEMU versions before QEMU 5.0.1. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service. (CVE-2020-10761)

 - out-of-bounds r/w access issue while processing usb packets [rhel-av-8.3.0]) (CVE-2020-14364)

 - OOB heap access via an unexpected response of iSCSI Server [rhel-av-8.2.0]) (CVE-2020-1711)

 - A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service. (CVE-2020-1983)

 - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.
 This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)

 - A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to r/w access host devices. (CVE-2020-35517)

 - OOB buffer access while emulating tcp protocols in tcp_emu() [rhel-av-8.2.0]) (CVE-2020-7039)

 - potential OOB access due to unsafe snprintf() usages [rhel-av-8.2.0]) (CVE-2020-8608)

 - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)

 - A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest. (CVE-2021-20263)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the CentOS 9 Stream qemu-guest-agent package.

See Also

https://kojihub.stream.centos.org/koji/buildinfo?buildID=14396

Plugin Details

Severity: High

ID: 191255

File Name: centos9_qemu-kvm-6_1_0-3.nasl

Version: 1.1

Type: local

Agent: unix

Published: 2/29/2024

Updated: 4/26/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.3

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-8608

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.4

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2020-35517

Vulnerability Information

CPE: cpe:/a:centos:centos:9, p-cpe:/a:centos:centos:qemu-guest-agent, p-cpe:/a:centos:centos:qemu-img, p-cpe:/a:centos:centos:qemu-kvm, p-cpe:/a:centos:centos:qemu-kvm-audio-pa, p-cpe:/a:centos:centos:qemu-kvm-block-curl, p-cpe:/a:centos:centos:qemu-kvm-block-rbd, p-cpe:/a:centos:centos:qemu-kvm-block-ssh, p-cpe:/a:centos:centos:qemu-kvm-common, p-cpe:/a:centos:centos:qemu-kvm-core, p-cpe:/a:centos:centos:qemu-kvm-docs, p-cpe:/a:centos:centos:qemu-kvm-hw-usbredir, p-cpe:/a:centos:centos:qemu-kvm-tests, p-cpe:/a:centos:centos:qemu-kvm-tools, p-cpe:/a:centos:centos:qemu-kvm-ui-opengl, p-cpe:/a:centos:centos:qemu-pr-helper, p-cpe:/a:centos:centos:qemu-virtiofsd

Required KB Items: Host/local_checks_enabled, Host/CentOS/release, Host/CentOS/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/24/2021

Vulnerability Publication Date: 9/6/2019

Reference Information

CVE: CVE-2019-15890, CVE-2020-10702, CVE-2020-10717, CVE-2020-10756, CVE-2020-10761, CVE-2020-14364, CVE-2020-1711, CVE-2020-1983, CVE-2020-27821, CVE-2020-35517, CVE-2020-7039, CVE-2020-8608, CVE-2021-20221, CVE-2021-20263