Multiple vulnerabilities in QEMU
| Risk | Medium |
| Patch available | NO |
| Number of vulnerabilities | 10 |
| CVE-ID | CVE-2020-15859 CVE-2020-15863 CVE-2020-13800 CVE-2020-13791 CVE-2020-13765 CVE-2020-10761 CVE-2020-13659 CVE-2020-13754 CVE-2020-13362 CVE-2020-13361 |
| CWE-ID | CWE-416 CWE-121 CWE-835 CWE-125 CWE-787 CWE-617 CWE-476 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
QEMU Client/Desktop applications / Virtualization software |
| Vendor | QEMU |
Security Bulletin
This security bulletin contains information about 10 vulnerabilities.
1) Use-after-free
EUVDB-ID: #VU31800
Risk: Medium
CVSSv3.1: 5.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15859
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error in hw/net/e1000e_core.c when processing MMIO operation. A local user on guest operating system can send a specially crafted e1000e packet with the data's address set to the e1000e's MMIO address and crash the QEMU process.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsQEMU: 4.1.0 - 5.0.0
External linkshttp://bugs.launchpad.net/qemu/+bug/1886362
http://lists.gnu.org/archive/html/qemu-devel/2020-07/msg05304.html
http://www.openwall.com/lists/oss-security/2020/07/21/3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Stack-based buffer overflow
EUVDB-ID: #VU31799
Risk: Medium
CVSSv3.1: 8.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-15863
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a local user to execute arbitrary code on the target system with elevated privileges.
The vulnerability exists due to a boundary error when processing packets in xgmac_enet_send() in hw/net/xgmac.c. A local user on the guest operating system can send a specially crafted request to the application, trigger stack-based buffer overflow and execute arbitrary code on the target system with elevated privileges.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsQEMU: 4.1.0 - 5.0.0
External linkshttp://seclists.org/oss-sec/2020/q3/49
http://git.qemu.org/?p=qemu.git;a=commit;h=5519724a13664b43e225ca05351c60b4468e4555
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Infinite loop
EUVDB-ID: #VU31808
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-13800
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop in ati-vga in hw/display/ati.c. A local user on the guest operating system can trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call and perform a denial of service attack against the host system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsQEMU: 4.1.0 - 5.0.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00825.html
http://security.netapp.com/advisory/ntap-20200717-0001/
http://www.openwall.com/lists/oss-security/2020/06/04/2
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Out-of-bounds read
EUVDB-ID: #VU31807
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-13791
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in hw/pci/pci.c. A local user on the guest operating system can trigger out-of-bounds read error by providing an address near the end of the PCI configuration space and read contents of memory on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsQEMU: 4.1.0 - 5.0.0
External linkshttp://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00706.html
http://security.netapp.com/advisory/ntap-20200717-0001/
http://www.openwall.com/lists/oss-security/2020/06/04/1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Out-of-bounds write
EUVDB-ID: #VU31806
Risk: Medium
CVSSv3.1: 8.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-13765
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in rom_copy() in hw/core/loader.c. A local user on the guest operating system can create a specially data to the application, trigger out-of-bounds write and execute arbitrary code on the host system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsQEMU: 4.1.0 - 5.0.0
External linkshttp://git.qemu.org/?p=qemu.git;a=commit;h=e423455c4f23a1a828901c78fe6d03b7dde79319
http://lists.debian.org/debian-lts-announce/2020/06/msg00032.html
http://security.netapp.com/advisory/ntap-20200619-0006/
http://www.openwall.com/lists/oss-security/2020/06/03/6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Reachable Assertion
EUVDB-ID: #VU31805
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-10761
CWE-ID:
CWE-617 - Reachable Assertion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a reachable assertion in the Network Block Device(NBD) Server. This flaw occurs when an nbd-client sends a spec-compliant request that is near the boundary of maximum permitted request length. A remote nbd-client could use this flaw to crash the qemu-nbd server resulting in a denial of service.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsQEMU: 0.1 - 5.0.0
External linkshttp://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10761
http://www.openwall.com/lists/oss-security/2020/06/09/1
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) NULL pointer dereference
EUVDB-ID: #VU31804
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-13659
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error in exec.c, related to BounceBuffer. A local user on the guest operating system can perform a denial of service (DoS) attack against the host system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability..
Vulnerable software versionsQEMU: 4.1.0 - 5.0.0
External linkshttp://www.openwall.com/lists/oss-security/2020/06/01/3
http://lists.gnu.org/archive/html/qemu-devel/2020-05/msg07313.html
http://security.netapp.com/advisory/ntap-20200608-0007/
http://www.debian.org/security/2020/dsa-4728
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Out-of-bounds write
EUVDB-ID: #VU31803
Risk: Medium
CVSSv3.1: 8.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-13754
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing untrusted input in hw/pci/msix.c. A local user on the guest operating system can send specially crafted address in an msi-x mmio operation, trick the victim into opening it using the affected software, trigger out-of-bounds write and execute arbitrary code.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsQEMU: 4.1.0 - 5.0.0
External linkshttp://www.openwall.com/lists/oss-security/2020/06/01/6
http://www.openwall.com/lists/oss-security/2020/06/15/8
http://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00004.html
http://security.netapp.com/advisory/ntap-20200608-0007/
http://www.debian.org/security/2020/dsa-4728
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Out-of-bounds read
EUVDB-ID: #VU31802
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-13362
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in megasas_lookup_frame in hw/scsi/megasas.c. A local user on the guest operating system can pass specially crafted message with reply_queue_head field, trigger out-of-bounds read error and read contents of memory on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsQEMU: 4.1.0 - 5.0.0
External linkshttp://www.openwall.com/lists/oss-security/2020/05/28/2
http://lists.debian.org/debian-lts-announce/2020/06/msg00032.html
http://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03131.html
http://lists.gnu.org/archive/html/qemu-devel/2020-05/msg06250.html
http://security.netapp.com/advisory/ntap-20200608-0003/
http://security-tracker.debian.org/tracker/CVE-2020-13362
http://www.debian.org/security/2020/dsa-4728
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Out-of-bounds write
EUVDB-ID: #VU31801
Risk: Medium
CVSSv3.1: 8.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID: CVE-2020-13361
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing frame count in es1370_transfer_audio in hw/audio/es1370.c. A local user on the guest operating system can send a specially crafted request and execute arbitrary code on the host operating system.
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsQEMU: 4.1.0 - 5.0.0
External linkshttp://www.openwall.com/lists/oss-security/2020/05/28/1
http://lists.debian.org/debian-lts-announce/2020/06/msg00032.html
http://lists.gnu.org/archive/html/qemu-devel/2020-05/msg03983.html
http://security.netapp.com/advisory/ntap-20200608-0003/
http://security-tracker.debian.org/tracker/CVE-2020-13361
http://www.debian.org/security/2020/dsa-4728
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).
How the attacker can exploit this vulnerability?
The attacker would have to trick the victim to open a a specially crafted file.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
