Synopsis
The remote NewStart CGSL host is affected by multiple vulnerabilities.
Description
The remote NewStart CGSL host, running version MAIN 6.06, has qemu packages installed that are affected by multiple vulnerabilities:
- A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)
- In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.
(CVE-2019-12068)
- libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)
- An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. (CVE-2020-14364)
- An out-of-bounds heap buffer access flaw was found in the way the iSCSI Block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Address Block (LBA) in an iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process on the host. (CVE-2020-1711)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the vulnerable CGSL qemu packages. Note that updated packages may not be available yet. Please contact ZTE for more information.
Plugin Details
File Name: newstart_cgsl_NS-SA-2025-0227_qemu.nasl
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:zte:cgsl_main:qemu-common, p-cpe:/a:zte:cgsl_main:qemu-block-ssh, p-cpe:/a:zte:cgsl_main:qemu-block-curl, p-cpe:/a:zte:cgsl_main:qemu-block-gluster, p-cpe:/a:zte:cgsl_main:qemu-block-rbd, cpe:/o:zte:cgsl_main:6, p-cpe:/a:zte:cgsl_main:qemu-img, p-cpe:/a:zte:cgsl_main:qemu-tools, p-cpe:/a:zte:cgsl_main:qemu-kvm, p-cpe:/a:zte:cgsl_main:qemu-block-dmg, p-cpe:/a:zte:cgsl_main:qemu-block-iscsi, p-cpe:/a:zte:cgsl_main:qemu
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list
Exploit Ease: Exploits are available
Patch Publication Date: 9/30/2025
Vulnerability Publication Date: 9/6/2019