Off-by-one in QEMU

#VU58812 Off-by-one in QEMU

Published: 2021-12-09

Vulnerability identifier: #VU58812

Vulnerability risk: Medium

CVSSv3.1: 6.2 [CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2021-3930

CWE-ID: CWE-193

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
QEMU
Client/Desktop applications / Virtualization software

Vendor: QEMU

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to an off-by-one error in the SCSI device emulation in QEMU. A remote user on the guest OS can can trigger an off-by-one error while processing MODE SELECT commands in mode_sense_page() if the 'page' argument is set to MODE_PAGE_ALLS (0x3f). Successful exploitation of the vulnerability may result in QEMU crash.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: 6.0.0 - 6.1.0

External links
http://bugzilla.redhat.com/show_bug.cgi?id=2020588
http://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
http://www.mail-archive.com/qemu-devel@nongnu.org/msg779652.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

VMware Tanzu Operations Manager update for QEMU

SUSE update for qemu

Ubuntu update for qemu

Red Hat Enterprise Linux Advanced Virtualization 8 update for the virt:av and virt-devel:av modules

Red Hat Enterprise Linux 8 update for the virt:rhel and virt-devel:rhel modules

Red Hat Enterprise Linux Advanced Virtualization 8.4 update for the virt:av and virt-devel:av modules

Denial of service in QEMU