SB2018121307 - Multiple vulnerabilities in QEMU

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Path traversal (CVE-ID: CVE-2018-16867)

The vulnerability allows an adjacent attacker to execute arbitrary code on the target system.

The vulnerability exists in qemu Media Transfer Protocol (MTP) due to an improper filename sanitization. When the guest device is mounted in read-write mode, an adjacent attacker can conduct directory traversal attack in the in usb_mtp_write_data function in hw/usb/dev-mtp.c to read/write arbitrary files which may lead do DoS scenario or arbitrary code execution on the host.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

2) Path traversal (CVE-ID: CVE-2018-16872)

The vulnerability allows an adjacent attacker to obtain potentially sensitive information on the target system.

The vulnerability exists in qemu Media Transfer Protocol (MTP) due to the code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An adjacent attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to.

3) Memory leak (CVE-ID: CVE-2018-20123)

The vulnerability allows an adjacent attacker to cause DoS condition on the target system.

The vulnerability exists due to memory leakage issue in the way QEMU initialised its VMWare's paravirtual RDMA device. An adjacent attacker can cause pvrdma_realize() routine not to release memory resources allocated to various objects and leak host memory, resulting in DoS for host.

4) Infinite loop (CVE-ID: CVE-2018-20216)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c when return values are not checked (and -1 is mishandled).. A remote attacker can cause the service to crash.

5) Memory leak (CVE-ID: CVE-2018-20126)

The vulnerability allows a local attacker to cause DoS condition on the target system.

The vulnerability exists due to memory leakage issue in hw/rdma/vmw/pvrdma_cmd.c when errors are mishandled. A local attacker can create_cq and create_qp memory leaks, resulting in DoS.

6) NULL pointer dereference (CVE-ID: CVE-2018-20125)

The vulnerability allows a local attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in hw/rdma/vmw/pvrdma_cmd.c. A local attacker can trigger excessive memory allocation in create_cq_ring or create_qp_rings and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg00390.html
• https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03135.html
• https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02817.html
• https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg03052.html
• https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02824.html
• https://lists.gnu.org/archive/html/qemu-devel/2018-12/msg02823.html