NewStart CGSL MAIN 6.06 : qemu Multiple Vulnerabilities (NS-SA-2025-0227)

Severity: High | Nessus Plugin ID 266253

Synopsis

The remote NewStart CGSL host is affected by multiple vulnerabilities.

Description

The remote NewStart CGSL host, running version MAIN 6.06, has qemu packages installed that are affected by multiple vulnerabilities:

- A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)

- In QEMU 1:4.1-1, 1:2.1+dfsg-12+deb8u6, 1:2.8+dfsg-6+deb9u8, 1:3.1+dfsg-8~deb10u1, 1:3.1+dfsg-8+deb10u2, and 1:2.1+dfsg-12+deb8u12 (fixed), when executing a script in lsi_execute_script(), the LSI SCSI adapter emulator advances the 's->dsp' index to read the next opcode. This can lead to an infinite loop if the next opcode is empty. The fix moves the existing loop exit after 10k iterations so that it also covers no-op opcodes. (CVE-2019-12068)

- libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

- An out-of-bounds read/write access flaw was found in the USB emulator of QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when the USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in and do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host. (CVE-2020-14364)

- An out-of-bounds heap buffer access flaw was found in the way the iSCSI block driver in QEMU versions 2.12.0 before 4.2.1 handled a response coming from an iSCSI server while checking the status of a Logical Block Address (LBA) in the iscsi_co_block_status() routine. A remote user could use this flaw to crash the QEMU process, resulting in a denial of service, or potentially execute arbitrary code with the privileges of the QEMU process on the host. (CVE-2020-1711)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the vulnerable CGSL qemu packages. Note that updated packages may not be available yet. Please contact ZTE for more information.

See Also

https://security.gd-linux.com/notice/NS-SA-2025-0227

https://security.gd-linux.com/info/CVE-2019-12068

https://security.gd-linux.com/info/CVE-2019-15890

https://security.gd-linux.com/info/CVE-2020-14364

https://security.gd-linux.com/info/CVE-2020-1711

https://security.gd-linux.com/info/CVE-2021-3682

https://security.gd-linux.com/info/CVE-2021-3713

https://security.gd-linux.com/info/CVE-2022-0216

https://security.gd-linux.com/info/CVE-2022-3872

Plugin Details

Severity: High

ID: 266253

File Name: newstart_cgsl_NS-SA-2025-0227_qemu.nasl

Version: 1.1

Type: local

Published: 9/30/2025

Updated: 9/30/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.5

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-3682

CVSS v3

Risk Factor: High

Base Score: 8.5

Temporal Score: 7.6

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:zte:cgsl_main:qemu-common, p-cpe:/a:zte:cgsl_main:qemu-block-ssh, p-cpe:/a:zte:cgsl_main:qemu-block-curl, p-cpe:/a:zte:cgsl_main:qemu-block-gluster, p-cpe:/a:zte:cgsl_main:qemu-block-rbd, cpe:/o:zte:cgsl_main:6, p-cpe:/a:zte:cgsl_main:qemu-img, p-cpe:/a:zte:cgsl_main:qemu-tools, p-cpe:/a:zte:cgsl_main:qemu-kvm, p-cpe:/a:zte:cgsl_main:qemu-block-dmg, p-cpe:/a:zte:cgsl_main:qemu-block-iscsi, p-cpe:/a:zte:cgsl_main:qemu

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/30/2025

Vulnerability Publication Date: 9/6/2019

Reference Information

CVE: CVE-2019-12068, CVE-2019-15890, CVE-2020-14364, CVE-2020-1711, CVE-2021-3682, CVE-2021-3713, CVE-2022-0216, CVE-2022-3872

IAVB: 2020-B-0063-S