Multiple vulnerabilities in QEMU



Published: 2020-07-24
Risk Medium
Patch available NO
Number of vulnerabilities 10
CVE-ID CVE-2020-15859
CVE-2020-15863
CVE-2020-13800
CVE-2020-13791
CVE-2020-13765
CVE-2020-10761
CVE-2020-13659
CVE-2020-13754
CVE-2020-13362
CVE-2020-13361
CWE-ID CWE-416
CWE-121
CWE-835
CWE-125
CWE-787
CWE-617
CWE-476
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
QEMU
Client/Desktop applications / Virtualization software

Vendor QEMU

Security Bulletin

This security bulletin contains information about 10 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU31800

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-15859

CWE-ID: CWE-416 - Use After Free

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in hw/net/e1000e_core.c when processing MMIO operation. A local user on guest operating system can send a specially crafted e1000e packet with the data's address set to the e1000e's MMIO address and crash the QEMU process.


Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: 4.1.0 - 5.0.0


CPE2.3 External links

http://bugs.launchpad.net/qemu/+bug/1886362
http://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05304.html
http://www.openwall.com/lists/oss-security/2020/07/21/3

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Stack-based buffer overflow

EUVDB-ID: #VU31799

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-15863

CWE-ID: CWE-121 - Stack-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a local user to execute arbitrary code on the target system with elevated privileges.

The vulnerability exists due to a boundary error when processing packets in xgmac_enet_send() in hw/net/xgmac.c. A local user on the guest operating system can send a specially crafted request to the application, trigger stack-based buffer overflow and execute arbitrary code on the target system with elevated privileges.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: 4.1.0 - 5.0.0


CPE2.3 External links

http://seclists.org/oss-sec/2020/q3/49
http://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

3) Infinite loop

EUVDB-ID: #VU31808

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-13800

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in ati-vga in hw/display/ati.c. A local user on the guest operating system can trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call and perform a denial of service attack against the host system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: 4.1.0 - 5.0.0


CPE2.3 External links

http://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00825.html
http://security.netapp.com/advisory/ntap-20200717-0001/
http://www.openwall.com/lists/oss-security/2020/06/04/2

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

4) Out-of-bounds read

EUVDB-ID: #VU31807

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-13791

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in hw/pci/pci.c. A local user on the guest operating system can trigger out-of-bounds read error by providing an address near the end of the PCI configuration space and read contents of memory on the system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: 4.1.0 - 5.0.0


CPE2.3 External links

http://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00706.html
http://security.netapp.com/advisory/ntap-20200717-0001/
http://www.openwall.com/lists/oss-security/2020/06/04/1

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

5) Out-of-bounds write

EUVDB-ID: #VU31806

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-13765

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in rom_copy() in hw/core/loader.c. A local user on the guest operating system can create a specially data to the application, trigger out-of-bounds write and execute arbitrary code on the host system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: 4.1.0 - 5.0.0


CPE2.3 External links

http://git.qemu.org/?p=qemu.git;a=commit;h=e423455c4f23a1a828901c78fe6d03b7dde79319
http://lists.debian.org/debian-lts-announce/2020/06/msg00032.html
http://security.netapp.com/advisory/ntap-20200619-0006/
http://www.openwall.com/lists/oss-security/2020/06/03/6

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

6) Reachable Assertion

EUVDB-ID: #VU31805

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-10761

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion in the Network Block Device(NBD) Server. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: 0.1 - 5.0.0


CPE2.3 External links

http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10761
http://www.openwall.com/lists/oss-security/2020/06/09/1

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

7) NULL pointer dereference

EUVDB-ID: #VU31804

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-13659

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in exec.c, related to BounceBuffer. A local user on the guest operating system can perform a denial of service (DoS) attack against the host system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability..

Vulnerable software versions

QEMU: 4.1.0 - 5.0.0


CPE2.3 External links

http://www.openwall.com/lists/oss-security/2020/06/01/3
http://lists.gnu.org/archive/html/qemu-devel/2020-05/msg07313.html
http://security.netapp.com/advisory/ntap-20200608-0007/
http://www.debian.org/security/2020/dsa-4728

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

8) Out-of-bounds write

EUVDB-ID: #VU31803

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-13754

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input in hw/pci/msix.c. A local user on the guest operating system can send specially crafted address in an msi-x mmio operation, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: 4.1.0 - 5.0.0


CPE2.3 External links

http://www.openwall.com/lists/oss-security/2020/06/01/6
http://www.openwall.com/lists/oss-security/2020/06/15/8
http://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00004.html
http://security.netapp.com/advisory/ntap-20200608-0007/
http://www.debian.org/security/2020/dsa-4728

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

9) Out-of-bounds read

EUVDB-ID: #VU31802

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2020-13362

CWE-ID: CWE-125 - Out-of-bounds Read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in megasas_lookup_frame in hw/scsi/megasas.c. A local user on the guest operating system can pass specially crafted message with reply_queue_head field, trigger out-of-bounds read error and read contents of memory on the system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: 4.1.0 - 5.0.0


CPE2.3 External links

http://www.openwall.com/lists/oss-security/2020/05/28/2
http://lists.debian.org/debian-lts-announce/2020/06/msg00032.html
http://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03131.html
http://lists.gnu.org/archive/html/qemu-devel/2020-05/msg06250.html
http://security.netapp.com/advisory/ntap-20200608-0003/
http://security-tracker.debian.org/tracker/CVE-2020-13362
http://www.debian.org/security/2020/dsa-4728

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

10) Out-of-bounds write

EUVDB-ID: #VU31801

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2020-13361

CWE-ID: CWE-787 - Out-of-bounds Write

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing frame count in es1370_transfer_audio in hw/audio/es1370.c. A local user on the guest operating system can send a specially crafted request and execute arbitrary code on the host operating system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: 4.1.0 - 5.0.0


CPE2.3 External links

http://www.openwall.com/lists/oss-security/2020/05/28/1
http://lists.debian.org/debian-lts-announce/2020/06/msg00032.html
http://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03983.html
http://security.netapp.com/advisory/ntap-20200608-0003/
http://security-tracker.debian.org/tracker/CVE-2020-13361
http://www.debian.org/security/2020/dsa-4728

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###