Debian update for qemu



Published: 2020-09-07
Risk Medium
Patch available YES
Number of vulnerabilities 4
CVE-ID CVE-2020-12829
CVE-2020-14364
CVE-2020-15863
CVE-2020-16092
CWE-ID CWE-190
CWE-787
CWE-121
CWE-617
Exploitation vector Local network
Public exploit Public exploit code for vulnerability #2 is available.
Vulnerable software
qemu (Debian package)
Operating systems & Components / Operating system package or component

Vendor Debian

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Integer overflow

EUVDB-ID: #VU46318

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-12829

CWE-ID: CWE-190 - Integer overflow

Exploit availability: No

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an integer overflow in the SM501 display device emulation. The flaw occurs in the COPY_AREA macro while handling MMIO write operations through the sm501_2d_engine_write() callback. A local user on the guest operating system could abuse this flaw to crash the QEMU process in sm501_2d_operation() in hw/display/sm501.c on the host, resulting in a denial of service.

Mitigation

Update qemu package to version 1:3.1+dfsg-8+deb10u8.

Vulnerable software versions

qemu (Debian package): 1:3.1+dfsg-8+deb10u2 - 1:3.1+dfsg-8+deb10u7

External links

http://www.debian.org/security/2020/dsa-4760


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds write

EUVDB-ID: #VU45985

Risk: Medium

CVSSv3.1: 8.5 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:P/RL:U/RC:C]

CVE-ID: CVE-2020-14364

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: Yes

Description

The vulnerability allows a remote user to compromise the vulnerable system.

The vulnerability exists due to a boundary error in the USB emulator in QEMU. A user with access to the guest operating system can send specially crafted USB packets to the emulated USB device, trigger an out-of-bounds write and potentially execute arbitrary code on the host system.

Mitigation

Update qemu package to version 1:3.1+dfsg-8+deb10u8.

Vulnerable software versions

qemu (Debian package): 1:3.1+dfsg-8+deb10u2 - 1:3.1+dfsg-8+deb10u7

External links

http://www.debian.org/security/2020/dsa-4760


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Stack-based buffer overflow

EUVDB-ID: #VU31799

Risk: Medium

CVSSv3.1: 8.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-15863

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a user on a guest operating system to execute arbitrary code on the host system.

The vulnerability exists due to a boundary error when processing packets in xgmac_enet_send() in hw/net/xgmac.c. A user on the guest operating system can send specially crafted packets through the emulated XGMAC Ethernet device, trigger a stack-based buffer overflow and potentially execute arbitrary code on the host with the privileges of the QEMU process.

Mitigation

Update qemu package to version 1:3.1+dfsg-8+deb10u8.

Vulnerable software versions

qemu (Debian package): 1:3.1+dfsg-8+deb10u2 - 1:3.1+dfsg-8+deb10u7

External links

http://www.debian.org/security/2020/dsa-4760


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Reachable Assertion

EUVDB-ID: #VU44163

Risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2020-16092

CWE-ID: CWE-617 - Reachable Assertion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a reachable assertion when processing certain network packets from the emulated "e1000e" and "vmxnet3" devices in net_tx_pkt_add_raw_fragment() in hw/net/net_tx_pkt.c. A user on a guest operating system can send a specially crafted packet through one of these devices, triggering the assertion and crashing the QEMU process on the host (denial of service).
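Only guests that actually drive an e1000e or vmxnet3 device model can reach this assertion, so a host operator's first question is which running VMs expose one. The script below is an added triage example, not part of the advisory or of QEMU. It assumes guests are started with QEMU's own -device, -nic or -net options (which is what libvirt generates underneath) and that you feed it the output of `ps -eo pid,args`; the sample process lines are constructed, not captured from a real host.

```python
"""Find running QEMU guests that expose an e1000e or vmxnet3 NIC (CVE-2020-16092).

Added triage example, not part of the advisory or of QEMU. Assumption: each
guest is a qemu-system-* process whose argv configures its NICs with
'-device MODEL,...', '-nic ...,model=MODEL' or '-net nic,model=MODEL'.
Feed it the output of:  ps -eo pid,args
"""
import shlex

AFFECTED_NIC_MODELS = {"e1000e", "vmxnet3"}   # device models named in the advisory


def nic_models(argv):
    """Return the set of device/NIC models a QEMU argv configures.

    Looks at '-device MODEL,...', '-nic ...,model=MODEL' and '-net nic,model=MODEL'.
    """
    models = set()
    for opt, val in zip(argv, argv[1:]):
        if opt == "-device":
            models.add(val.split(",", 1)[0])
        elif opt in ("-nic", "-net"):
            for field in val.split(","):
                if field.startswith("model="):
                    models.add(field[len("model="):])
    return models


def affected_guests(ps_lines):
    """Map PID -> affected NIC models for every qemu-system process line that has one."""
    hits = {}
    for line in ps_lines:
        line = line.strip()
        if not line:
            continue
        pid, _, args = line.partition(" ")
        argv = shlex.split(args)
        if not argv or "qemu-system" not in argv[0]:
            continue                      # not a QEMU process (e.g. sshd)
        found = nic_models(argv) & AFFECTED_NIC_MODELS
        if found:
            hits[int(pid)] = found
    return hits


# Constructed sample of `ps -eo pid,args` output (not captured from a real host).
SAMPLE_PS_OUTPUT = """\
 1201 /usr/bin/qemu-system-x86_64 -name guest=web01 -machine q35 -m 2048 -netdev tap,id=net0,ifname=tap0 -device e1000e,netdev=net0,mac=52:54:00:aa:bb:01
 1342 /usr/bin/qemu-system-x86_64 -name guest=db01 -m 4096 -netdev user,id=n1 -device virtio-net-pci,netdev=n1
 1510 /usr/bin/qemu-system-x86_64 -name guest=legacy -m 1024 -net nic,model=vmxnet3 -net user
 1623 /usr/bin/qemu-system-x86_64 -name guest=build -m 1024 -nic user,model=e1000e
 1777 /usr/sbin/sshd -D
"""

if __name__ == "__main__":
    for pid, models in sorted(affected_guests(SAMPLE_PS_OUTPUT.splitlines()).items()):
        print(f"pid {pid}: guest can trigger CVE-2020-16092 via {', '.join(sorted(models))}")
```

Run it as root (or with enough privilege to see every guest's command line). A guest on virtio-net is not exposed to this particular assertion, but the other three vulnerabilities in this bulletin live in different device models (SM501, USB, XGMAC), so the list is a prioritisation aid for the reboot/migration order, not a reason to skip the package update.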

Mitigation

Update qemu package to version 1:3.1+dfsg-8+deb10u8.

Vulnerable software versions

qemu (Debian package): 1:3.1+dfsg-8+deb10u2 - 1:3.1+dfsg-8+deb10u7

External links

http://www.debian.org/security/2020/dsa-4760


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
