SB2018112614 - Denial of service in QEMU
Published: November 26, 2018 Updated: December 17, 2018
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Race condition (CVE-ID: CVE-2018-19489)
The vulnerability allows an adjacent attacker to cause a DoS condition on the target system.
The vulnerability exists due to a race condition while renaming files on a shared host directory. An adjacent attacker can trigger a use-after-free flaw in VirtFS (host directory sharing via Plan 9 File System (9pfs) support) and cause the service to crash.
2) Integer overflow (CVE-ID: CVE-2018-19665)
The vulnerability allows an adjacent attacker to cause a DoS condition on the target system.
The vulnerability exists due to an integer overflow in various Bluetooth routines in which the 'len' parameter is a 'signed int' that is subsequently converted to an unsigned integer. An adjacent attacker can trigger memory corruption and cause the service to crash.
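The signed-to-unsigned length pattern described in item 2, shown as an added example that is not QEMU's code: `pkt_buf`, `pkt_append`, the other function names and the 64-byte buffer size are hypothetical. It contrasts a signed bound check that a negative `len` passes with a hardened append that rejects it before any conversion.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PKT_BUF_SIZE 64   /* constructed size, not a QEMU constant */

/* Hypothetical packet buffer; names are illustrative, not QEMU's. */
struct pkt_buf {
    uint8_t data[PKT_BUF_SIZE];
    size_t  used;
};

/* What an implicit conversion yields when a negative 'int len' reaches a
 * size_t parameter such as memcpy's count: -1 becomes SIZE_MAX. */
size_t implicit_len_conversion(int len)
{
    return (size_t)len;
}

/* Weak bound check, shown for contrast (it performs no copy): the comparison
 * is done in signed arithmetic, so a negative len passes it. */
int unsafe_check_passes(const struct pkt_buf *b, int len)
{
    return len <= (int)(PKT_BUF_SIZE - b->used);
}

/* Hardened append: reject negative lengths before converting, then compare
 * against the remaining space in unsigned arithmetic.
 * Returns 0 on success, -1 if the request is rejected. */
int pkt_append(struct pkt_buf *b, const uint8_t *src, int len)
{
    if (len < 0 || src == NULL || b->used > PKT_BUF_SIZE)
        return -1;
    size_t n = (size_t)len;
    if (n > PKT_BUF_SIZE - b->used)
        return -1;
    memcpy(b->data + b->used, src, n);
    b->used += n;
    return 0;
}
```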
3) Use-after-free error (CVE-ID: CVE-2018-19364)
The vulnerability allows a remote authenticated attacker to cause a DoS condition on the target system.
The vulnerability exists due to a use-after-free condition in the VirtFS component. A remote attacker can access the system and maliciously update the fid path in worker threads by using the v9fs_path_copy() function while accessing files on a shared host directory, trigger memory corruption and cause the service to crash.
Remediation
Install the update from the vendor's website.