The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1103-1 advisory.

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to allocate and initialize a huge number of page tables to be used as a ring of     descriptors for CQ and async events, potentially leading to an out-of-bounds read and crash of QEMU.
    (CVE-2023-1544)

  - A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing     TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and     VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables     allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory     and send it to the wire, causing an information leak. (CVE-2023-6693)

  - QEMU before 8.2.0 has an integer underflow, and resultant buffer overflow, via a TI command when an     expected non-DMA transfer length is less than the length of the available FIFO data. This occurs in     esp_do_nodma in hw/scsi/esp.c because of an underflow of async_len. (CVE-2024-24474)

  - An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c mishandles the     situation where a guest writes NumVFs greater than TotalVFs, leading to a buffer overflow in VF     implementations. (CVE-2024-26327)

  - An issue was discovered in QEMU 7.1.0 through 8.2.1. register_vfs in hw/pci/pcie_sriov.c does not set     NumVFs to PCI_SRIOV_TOTAL_VF, and thus interaction with hw/nvme/ctrl.c is mishandled. (CVE-2024-26328)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : qemu (SUSE-SU-2024:1103-1)

medium Nessus Plugin ID 193075

Version 1.4