A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0761-1 advisory.

  - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read     during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)

  - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address     in an msi-x mmio operation. (CVE-2020-13754)

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It     could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host,     resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the     QEMU process on the host. (CVE-2020-17380)

  - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c     mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to     the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This     flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of     service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc()     function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer     overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or     potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached     from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.
    Affected QEMU versions <= 6.2.0. (CVE-2022-26354)

  - ** DISPUTED ** softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the     translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-     virtualization Use Case in the qemu.org reference applies here, i.e., Bugs affecting the non-     virtualization use case are not considered security bugs at this time. (CVE-2022-35414)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3362 advisory.

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It     could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host,     resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the     QEMU process on the host. (CVE-2020-17380)

  - slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of     header data even if that exceeds the total packet length. (CVE-2020-29130)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to     the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This     flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of     service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

  - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw     exists in the bootp_input() function and could occur while processing a udp packet that is smaller than     the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of     uninitialized heap memory from the host. The highest threat from this vulnerability is to data     confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)

  - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw     exists in the udp6_input() function and could occur while processing a udp packet that is smaller than the     size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory     disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw     affects libslirp versions prior to 4.6.0. (CVE-2021-3593)

  - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw     exists in the udp_input() function and could occur while processing a udp packet that is smaller than the     size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory     disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw     affects libslirp versions prior to 4.6.0. (CVE-2021-3594)

  - An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw     exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the     size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory     disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw     affects libslirp versions prior to 4.6.0. (CVE-2021-3595)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:3768-1 advisory.

  - A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It     could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host,     resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the     QEMU process on the host. (CVE-2020-17380)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to     the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This     flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of     service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc()     function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer     overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or     potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

  - A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values     `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object     followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw     to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU     process. (CVE-2021-4207)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - ** DISPUTED ** softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the     translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-     virtualization Use Case in the qemu.org reference applies here, i.e., Bugs affecting the non-     virtualization use case are not considered security bugs at this time. (CVE-2022-35414)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read     during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)

  - In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame     count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
    (CVE-2020-13361)

  - In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a     crafted reply_queue_head field from a guest OS user. (CVE-2020-13362)

  - address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.
    (CVE-2020-13659)

  - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address     in an msi-x mmio operation. (CVE-2020-13754)

  - hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an     address near the end of the PCI configuration space. (CVE-2020-13791)

  - In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects     the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the     QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in     hw/net/net_tx_pkt.c. (CVE-2020-16092)

  - A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It     could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host,     resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the     QEMU process on the host. (CVE-2020-17380)

  - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c     mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)

  - hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host     controller driver. (CVE-2020-25624)

  - hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)

  - eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest     can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)

  - hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
    (CVE-2020-28916)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to     the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This     flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of     service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

  - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions     up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get     bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the     host resulting in DoS scenario. (CVE-2021-3416)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1942-1 advisory.

  - libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

  - An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before     5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its     'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the     QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the     privileges of the QEMU process on the host. (CVE-2020-14364)

  - A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It     could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host,     resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the     QEMU process on the host. (CVE-2020-17380)

  - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c     mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)

  - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate is a duplicate of CVE-2020-28916     (CVE-2020-25707)

  - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while     processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user     within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host,     resulting in a denial of service. (CVE-2020-25723)

  - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.
    This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO     operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial     of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)

  - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of     header data even if that exceeds the total packet length. (CVE-2020-29129)

  - slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of     header data even if that exceeds the total packet length. (CVE-2020-29130)

  - In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer     overflow in later code. (CVE-2020-8608)

  - A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option     may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a     modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a     malicious user to elevate their privileges within the guest. (CVE-2021-20263)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to     the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This     flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of     service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

  - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions     up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get     bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the     host resulting in DoS scenario. (CVE-2021-3416)

  - ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by     its CNA. Notes: none. (CVE-2021-3419)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A flaw was found in QEMU. A heap-based buffer overflow     vulnerability was found in the SDHCI device emulation     support allowing a guest user or process to crash the     QEMU process on the host resulting in a denial of     service condition, or potentially execute arbitrary     code with privileges of the QEMU process on the host.
    The highest threat from this vulnerability is to data     confidentiality and integrity as well as system     availability.(CVE-2020-17380)

  - A flaw was found in QEMU. An out-of-bounds read/write     access issue was found in the SDHCI Controller emulator     of QEMU. It may occur while doing multi block SDMA, if     transfer block size exceeds the     's->fifo_buffer[s->buf_maxsz]' size which would leave     the current element pointer 's->data_count' pointing     out of bounds. This would lead the subsequent DMA r/w     operation to an OOB access issue where a guest     user/process may use this flaw to crash the QEMU     process resulting in DoS scenario. The highest threat     from this vulnerability is to data confidentiality and     integrity as well as system     availability.(CVE-2020-25085)

  - The patch for CVE-2020-17380 and CVE-2020-25085, both     involving a heap buffer overflow in the SDHCI     controller emulation code of QEMU, was found to be     incomplete. A malicious privileged guest could     reproduce the same issues with specially crafted input,     inducing a bogus transfer and subsequent out-of-bounds     read/write access in sdhci_do_adma() or     sdhci_sdma_transfer_multi_blocks(). CVE-2021-3409 was     assigned to facilitate the tracking and backporting of     the new patch.(CVE-2021-3409)

  - A potential stack overflow via infinite loop issue was     found in various NIC emulators of QEMU. The issue     occurs in loopback mode of a NIC wherein reentrant DMA     checks get bypassed. A guest user/process may use this     flaw to consume CPU cycles or crash the QEMU process on     the host resulting in DoS scenario.(CVE-2021-3416)

  - An infinite loop flaw was found in the USB OHCI     controller emulator of QEMU. This flaw occurs while     servicing OHCI isochronous transfer descriptors (TD) in     the ohci_service_iso_td routine, as it retires a TD if     it has passed its time frame. It does not check if the     TD was already processed and holds an error code in     TD_CC. This issue may happen if the TD list has a loop.
    This flaw allows a guest user or process to consume CPU     cycles on the host, resulting in a denial of     service.(CVE-2020-25625)

  - An infinite loop flaw was found in the e1000e device     emulator in QEMU. This issue could occur while     receiving packets via the     e1000e_write_packet_to_guest() routine, if the     receive(RX) descriptor has a NULL buffer address. This     flaw allows a privileged guest user to cause a denial     of service. The highest threat from this vulnerability     is to system availability.(CVE-2020-28916)

  - An assert(3) failure flaw was found in the networking     helper functions of QEMU. This vulnerability can occur     in the eth_get_gso_type() routine if a packet does not     have a valid networking L3 protocol (ex. IPv4, IPv6)     value. This flaw allows a guest user to crash the QEMU     process on the host, resulting in a denial of     service.(CVE-2020-27617)

  - A use-after-free flaw was found in the USB(xHCI/eHCI)     controller emulators of QEMU. This flaw occurs while     setting up the USB packet as a usb_packet_map() routine     and returns an error that was not checked. This flaw     allows a guest user or process to crash the QEMU     process, resulting in a denial of     service.(CVE-2020-25084)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities :

  - A potential stack overflow via infinite loop issue was     found in various NIC emulators of QEMU in versions up     to and including 5.2.0. The issue occurs in loopback     mode of a NIC wherein reentrant DMA checks get     bypassed. A guest user/process may use this flaw to     consume CPU cycles or crash the QEMU process on the     host resulting in DoS scenario.(CVE-2021-34161)

  - hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to     trigger an out-of-bounds access by providing an address     near the end of the PCI configuration     space.(CVE-2020-13791)

  - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to     trigger an out-of-bounds access via a crafted address     in an msi-x mmio operation.(CVE-2020-13754)

  - A heap-based buffer overflow was found in QEMU through     5.0.0 in the SDHCI device emulation support. It could     occur while doing a multi block SDMA transfer via the     sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this     flaw to crash the QEMU process on the host, resulting     in a denial of service condition, or potentially     execute arbitrary code with privileges of the QEMU     process on the host. (CVE-2020-17380)

  - QEMU 5.0.0 has a heap-based Buffer Overflow in     flatview_read_continue in exec.c because hw/sd/sdhci.c     mishandles a write operation in the SDHC_BLKSIZE case.
    (CVE-2020-25085)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found     to be ineffective, thus making QEMU vulnerable to the     out-of-bounds read/write access issues previously found     in the SDHCI controller emulation code. This flaw     allows a malicious privileged guest to crash the QEMU     process on the host, resulting in a denial of service     or potential code execution. QEMU up to (including)     5.2.0 is affected by this. (CVE-2021-3409)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:1942-1 advisory.

  - libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c. (CVE-2019-15890)

  - An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before     5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its     'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the     QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the     privileges of the QEMU process on the host. (CVE-2020-14364)

  - A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It     could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host,     resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the     QEMU process on the host. (CVE-2020-17380)

  - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c     mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)

  - A reachable assertion issue was found in the USB EHCI emulation code of QEMU. It could occur while     processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user     within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host,     resulting in a denial of service. (CVE-2020-25723)

  - A flaw was found in the memory management API of QEMU during the initialization of a memory region cache.
    This issue could lead to an out-of-bounds write access to the MSI-X table while performing MMIO     operations. A guest user may abuse this flaw to crash the QEMU process on the host, resulting in a denial     of service. This flaw affects QEMU versions prior to 5.2.0. (CVE-2020-27821)

  - ncsi.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of     header data even if that exceeds the total packet length. (CVE-2020-29129)

  - slirp.c in libslirp through 4.3.1 has a buffer over-read because it tries to read a certain amount of     header data even if that exceeds the total packet length. (CVE-2020-29130)

  - In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer     overflow in later code. (CVE-2020-8608)

  - A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option     may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a     modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a     malicious user to elevate their privileges within the guest. (CVE-2021-20263)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to     the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This     flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of     service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

  - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions     up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get     bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the     host resulting in DoS scenario. (CVE-2021-3416)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0     allows out-of-bounds read access because a buffer index     is not validated. (CVE-2020-29443)

  - An out-of-bounds read/write access flaw was found in     the USB emulator of the QEMU in versions before 5.2.0.
    This issue occurs while processing USB packets from a     guest when USBDevice 'setup_len' exceeds its     'data_buf[4096]' in the do_token_in, do_token_out     routines. This flaw allows a guest user to crash the     QEMU process, resulting in a denial of service, or the     potential execution of arbitrary code with the     privileges of the QEMU process on the host.
    (CVE-2020-14364)

  - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to     trigger an out-of-bounds access via a crafted address     in an msi-x mmio operation.(CVE-2020-13754)

  - In QEMU 4.2.0, a MemoryRegionOps object may lack     read/write callback methods, leading to a NULL pointer     dereference.(CVE-2020-15469)

  - A heap-based buffer overflow was found in QEMU through     5.0.0 in the SDHCI device emulation support. It could     occur while doing a multi block SDMA transfer via the     sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this     flaw to crash the QEMU process on the host, resulting     in a denial of service condition, or potentially     execute arbitrary code with privileges of the QEMU     process on the host.(CVE-2020-17380)

  - QEMU 5.0.0 has a heap-based Buffer Overflow in     flatview_read_continue in exec.c because hw/sd/sdhci.c     mishandles a write operation in the SDHC_BLKSIZE     case.(CVE-2020-25085)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found     to be ineffective, thus making QEMU vulnerable to the     out-of-bounds read/write access issues previously found     in the SDHCI controller emulation code. This flaw     allows a malicious privileged guest to crash the QEMU     process on the host, resulting in a denial of service     or potential code execution. QEMU up to (including)     5.2.0 is affected by this.(CVE-2021-3409)

  - A potential stack overflow via infinite loop issue was     found in various NIC emulators of QEMU in versions up     to and including 5.2.0. The issue occurs in loopback     mode of a NIC wherein reentrant DMA checks get     bypassed. A guest user/process may use this flaw to     consume CPU cycles or crash the QEMU process on the     host resulting in DoS scenario.(CVE-2021-3416)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several security vulnerabilities have been discovered in QEMU, a fast processor emulator.

CVE-2021-20257

net: e1000: infinite loop while processing transmit descriptors

CVE-2021-20255

A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service.

CVE-2021-20203

An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.

CVE-2021-3416

A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0.
The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario.

CVE-2021-3416

The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution.

For Debian 9 stretch, these problems have been fixed in version 1:2.8+dfsg-6+deb9u14.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4650-1 advisory.

    Alexander Bulekov discovered that QEMU incorrectly handled SDHCI device emulation. An attacker inside the     guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute     arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would     be isolated by the libvirt AppArmor profile.

    (CVE-2020-17380)

    Sergej Schumilo, Cornelius Aschermann, and Simon Wrner discovered that QEMU incorrectly handled USB device     emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial     of service. (CVE-2020-25084)

    Sergej Schumilo, Cornelius Aschermann, and Simon Wrner discovered that QEMU incorrectly handled SDHCI     device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a     denial of service. (CVE-2020-25085)

    Gaoning Pan, Yongkang Jia, and Yi Ren discovered that QEMU incorrectly handled USB device emulation. An     attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
    (CVE-2020-25624)

    It was discovered that QEMU incorrectly handled USB device emulation. An attacker inside the guest could     use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2020-25625)

    Cheolwoo Myung discovered that QEMU incorrectly handled USB device emulation. An attacker inside the guest     could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2020-25723)

    Gaoning Pan discovered that QEMU incorrectly handled ATI graphics device emulation. An attacker inside the     guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only     affected Ubuntu 20.04 LTS and Ubuntu 20.10. (CVE-2020-27616)

    Gaoning Pan discovered that QEMU incorrectly handled networking. An attacker inside the guest could use     this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2020-27617)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
172642	SUSE SLES12 Security Update : qemu (SUSE-SU-2023:0761-1)	Nessus	SuSE Local Security Checks	high
172554	Debian DLA-3362-1 : qemu - LTS security update	Nessus	Debian Local Security Checks	high
166597	SUSE SLES15 Security Update : qemu (SUSE-SU-2022:3768-1)	Nessus	SuSE Local Security Checks	high
156489	EulerOS Virtualization 3.0.2.6 : qemu-kvm (EulerOS-SA-2021-2855)	Nessus	Huawei Local Security Checks	medium
151714	openSUSE 15 Security Update : qemu (openSUSE-SU-2021:1942-1)	Nessus	SuSE Local Security Checks	medium
151333	EulerOS Virtualization for ARM 64 3.0.2.0 : qemu-kvm (EulerOS-SA-2021-2125)	Nessus	Huawei Local Security Checks	medium
151162	EulerOS Virtualization for ARM 64 3.0.6.0 : qemu-kvm (EulerOS-SA-2021-2011)	Nessus	Huawei Local Security Checks	medium
150736	SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2021:1942-1)	Nessus	SuSE Local Security Checks	medium
148632	EulerOS Virtualization 2.9.0 : qemu (EulerOS-SA-2021-1763)	Nessus	Huawei Local Security Checks	medium
148583	EulerOS Virtualization 2.9.1 : qemu (EulerOS-SA-2021-1735)	Nessus	Huawei Local Security Checks	medium
148442	Debian DLA-2623-1 : qemu security update	Nessus	Debian Local Security Checks	medium
143376	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : QEMU vulnerabilities (USN-4650-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2020-17380

medium

Tenable Plugins

high

high

high

medium

medium

medium

medium

medium

medium

medium

medium

medium