A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host.

The version of qemu installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2021-3929 advisory.

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3800-1 advisory.

  - Insufficient policy enforcement in extensions in Google Chrome prior to 79.0.3945.79 allowed a remote     attacker to bypass navigation restrictions via a crafted HTML page. (CVE-2019-13754)

  - A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the     Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be     written to the controller's registers and trigger undesirable actions (such as reset) while the device is     still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or     potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects     QEMU versions before 7.0.0. (CVE-2021-3750)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached     from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.
    Affected QEMU versions <= 6.2.0. (CVE-2022-26354)

  - A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem     may lead to memory corruption bugs like stack overflow or use-after-free. (CVE-2023-0330)

  - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions     up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get     bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the     host resulting in DoS scenario. (CVE-2021-3416) (CVE-2023-2861)

  - A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in     virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in     virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
    (CVE-2023-3180)

  - A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks     whether the current number of connections crosses a certain threshold and if so, cleans up the previous     connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the     connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated     client to cause a denial of service. (CVE-2023-3354)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3721-1 advisory.

  - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address     in an msi-x mmio operation. (CVE-2020-13754)

  - An out-of-bounds memory access flaw was found in the ATI VGA device emulation of QEMU. This flaw occurs in     the ati_2d_blt() routine while handling MMIO write operations when the guest provides invalid values for     the destination display parameters. A malicious guest could use this flaw to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2021-3638)

  - A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the     Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be     written to the controller's registers and trigger undesirable actions (such as reset) while the device is     still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or     potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects     QEMU versions before 7.0.0. (CVE-2021-3750)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached     from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.
    Affected QEMU versions <= 6.2.0. (CVE-2022-26354)

  - A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem     may lead to memory corruption bugs like stack overflow or use-after-free. (CVE-2023-0330)

  - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions     up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get     bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the     host resulting in DoS scenario. (CVE-2021-3416) (CVE-2023-2861)

  - A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in     virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in     virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
    (CVE-2023-3180)

  - A flaw was found in the QEMU built-in VNC server. When a client connects to the VNC server, QEMU checks     whether the current number of connections crosses a certain threshold and if so, cleans up the previous     connection. If the previous connection happens to be in the handshake phase and fails, QEMU cleans up the     connection again, resulting in a NULL pointer dereference issue. This could allow a remote unauthenticated     client to cause a denial of service. (CVE-2023-3354)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2358-1 advisory.

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc()     function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer     overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or     potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

  - A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values     `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object     followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw     to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU     process. (CVE-2021-4207)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0840-1 advisory.

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0761-1 advisory.

  - sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read     during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)

  - hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address     in an msi-x mmio operation. (CVE-2020-13754)

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It     could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in     hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host,     resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the     QEMU process on the host. (CVE-2020-17380)

  - QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c     mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to     the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This     flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of     service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc()     function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer     overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or     potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. This flaw allows a     crafted guest driver to execute HW commands when shared buffers are not yet allocated, potentially leading     to a use-after-free condition. (CVE-2022-1050)

  - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached     from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.
    Affected QEMU versions <= 6.2.0. (CVE-2022-26354)

  - ** DISPUTED ** softmmu/physmem.c in QEMU through 7.0.0 can perform an uninitialized read on the     translate_fail path, leading to an io_readx or io_writex crash. NOTE: a third party states that the Non-     virtualization Use Case in the qemu.org reference applies here, i.e., Bugs affecting the non-     virtualization use case are not considered security bugs at this time. (CVE-2022-35414)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A heap buffer overflow was found in the floppy disk emulator of QEMU up to 6.0.0 (including). It could     occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the     floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on     the host resulting in DoS scenario, or potential information leakage from the host memory. (CVE-2021-3507)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An infinite loop flaw was found in the USB xHCI controller emulation of QEMU while computing the length of     the Transfer Request Block (TRB) Ring. This flaw allows a privileged guest user to hang the QEMU process     on the host, resulting in a denial of service. (CVE-2020-14394)

  - A DMA reentrancy issue was found in the NVM Express Controller (NVME) emulation in QEMU. This CVE is     similar to CVE-2021-3750 and, just like it, when the reentrancy write triggers the reset function     nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or,     potentially, executing arbitrary code within the context of the QEMU process on the host. (CVE-2021-3929)

  - A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The     flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout     function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the     host, resulting in a denial of service. (CVE-2022-0216)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-202208-27 (QEMU: Multiple Vulnerabilities)

  - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e     packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)

  - hw/net/xgmac.c in the XGMAC Ethernet controller in QEMU before 07-20-2020 has a buffer overflow. This     occurs during packet transmission and affects the highbank and midway emulated machines. A guest user or     process could use this flaw to crash the QEMU process on the host, resulting in a denial of service or     potential privileged code execution. This was fixed in commit 5519724a13664b43e225ca05351c60b4468e4555.
    (CVE-2020-15863)

  - In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects     the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the     QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in     hw/net/net_tx_pkt.c. (CVE-2020-16092)

  - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.
    This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of     service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)

  - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in     versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw     allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
    The highest threat from this vulnerability is to system availability. (CVE-2020-35505)

  - A use-after-free vulnerability was found in the am53c974 SCSI host bus adapter emulation of QEMU in     versions before 6.0.0 during the handling of the 'Information Transfer' command (CMD_TI). This flaw allows     a privileged guest user to crash the QEMU process on the host, resulting in a denial of service or     potential code execution with the privileges of the QEMU process. (CVE-2020-35506)

  - A flaw was found in qemu. A host privilege escalation issue was found in the virtio-fs shared file system     daemon where a privileged guest user is able to create a device special file in the shared directory and     use it to r/w access host devices. (CVE-2020-35517)

  - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It     may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A     privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
    (CVE-2021-20203)

  - An infinite loop flaw was found in the e1000 NIC emulator of the QEMU. This issue occurs while processing     transmits (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid     values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The     highest threat from this vulnerability is to system availability. (CVE-2021-20257)

  - A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option     may cause the 'security.capability' xattr in the guest to not drop on file write, potentially leading to a     modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a     malicious user to elevate their privileges within the guest. (CVE-2021-20263)

  - The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to     the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This     flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of     service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)

  - A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions     up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get     bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the     host resulting in DoS scenario. (CVE-2021-3416)

  - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a     single, large transfer request, to reduce the overhead and improve performance. The combined size of the     bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper     validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the     array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a     denial of service. (CVE-2021-3527)

  - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions     up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-     gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)

  - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of     QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-     user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit     this issue to leak memory from the host. (CVE-2021-3545)

  - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of     QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET'     command from the guest. It could allow a privileged guest user to crash the QEMU process on the host,     resulting in a denial of service condition, or potential code execution with the privileges of the QEMU     process. (CVE-2021-3546)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device. The issue occurs while     handling a PVRDMA_CMD_CREATE_MR command due to improper memory remapping (mremap). This flaw allows a     malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to     system availability. (CVE-2021-3582)

  - An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions     prior to 6.1.0. The issue occurs while handling a PVRDMA_REG_DSRHIGH write from the guest due to     improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount     of memory, resulting in a denial of service. The highest threat from this vulnerability is to system     availability. (CVE-2021-3607)

  - A flaw was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to     6.1.0. The issue occurs while handling a PVRDMA_REG_DSRHIGH write from the guest and may result in a     crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest     threat from this vulnerability is to system availability. (CVE-2021-3608)

  - A stack overflow vulnerability was found in the Intel HD Audio device (intel-hda) of QEMU. A malicious     guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service     condition. The highest threat from this vulnerability is to system availability. This flaw affects QEMU     versions prior to 7.0.0. (CVE-2021-3611)

  - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs     when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A     malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,     resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the     host. (CVE-2021-3682)

  - An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions     prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-     bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this     flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the     host. (CVE-2021-3713)

  - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the     descriptor's address belongs to the non direct access region, due to num_buffers being set after the     virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a     denial of service condition, or potentially execute code on the host with the privileges of the QEMU     process. (CVE-2021-3748)

  - A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the     Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be     written to the controller's registers and trigger undesirable actions (such as reset) while the device is     still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could     use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or     potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects     QEMU versions before 7.0.0. (CVE-2021-3750)

  - An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE     SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious     guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
    (CVE-2021-3930)

  - A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist()     where a malicious guest controlling certain input can read out of bounds memory. A malicious user could     use this flaw leading to disclosure of sensitive information. (CVE-2021-3947)

  - A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0.
    The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A     malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host     when writing data reaches the threshold of mirroring node. (CVE-2021-4145)

  - A flaw was found in the QXL display device emulation in QEMU. An integer overflow in the cursor_alloc()     function can lead to the allocation of a small cursor object followed by a subsequent heap-based buffer     overflow. This flaw allows a malicious privileged guest user to crash the QEMU process on the host or     potentially execute arbitrary code within the context of the QEMU process. (CVE-2021-4206)

  - A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values     `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object     followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw     to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU     process. (CVE-2021-4207)

  - A flaw was found in the virtio-net device of QEMU. This flaw was inadvertently introduced with the fix for     CVE-2021-3748, which forgot to unmap the cached virtqueue elements on error, leading to memory leakage and     other unexpected results. Affected QEMU version: 6.2.0. (CVE-2022-26353)

  - A flaw was found in the vhost-vsock device of QEMU. In case of error, an invalid element was not detached     from the virtqueue before freeing its memory, leading to memory leakage and other unexpected results.
    Affected QEMU versions <= 6.2.0. (CVE-2022-26354)

  -  Please review the referenced CVE identifiers for details.  (CVE-2021-3929)

  - QEMU: NULL pointer dereference in pci_write() in hw/acpi/pcihp.c (CVE-2021-4158)

  - QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405 (CVE-2022-0358)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5489-1 advisory.

    Alexander Bulekov discovered that QEMU incorrectly handled floppy disk emulation. A privileged attacker     inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or     possibly leak sensitive information. (CVE-2021-3507)

    It was discovered that QEMU incorrectly handled NVME controller emulation. An attacker inside the guest     could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute     arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2021-3929)

    It was discovered that QEMU incorrectly handled QXL display device emulation. A privileged attacker inside     the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly     execute arbitrary code. (CVE-2021-4206, CVE-2021-4207)

    Jietao Xiao, Jinku Li, Wenbo Shen, and Nanzi Yang discovered that QEMU incorrectly handled the virtiofsd     shared file system daemon. An attacker inside the guest could use this issue to create files with     incorrect ownership, possibly leading to privilege escalation. This issue only affected Ubuntu 22.04 LTS.
    (CVE-2022-0358)

    It was discovered that QEMU incorrectly handled virtio-net devices. A privileged attacker inside the guest     could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute     arbitrary code. (CVE-2022-26353)

    It was discovered that QEMU incorrectly handled vhost-vsock devices. A privileged attacker inside the     guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute     arbitrary code. (CVE-2022-26354)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
205064	CBL Mariner 2.0 Security Update: qemu (CVE-2021-3929)	Nessus	MarinerOS Local Security Checks	high
182125	SUSE SLES15 Security Update : qemu (SUSE-SU-2023:3800-1)	Nessus	SuSE Local Security Checks	high
181777	SUSE SLES15 / openSUSE 15 Security Update : qemu (SUSE-SU-2023:3721-1)	Nessus	SuSE Local Security Checks	high
176649	SUSE SLES12 Security Update : qemu (SUSE-SU-2023:2358-1)	Nessus	SuSE Local Security Checks	high
173215	SUSE SLES15 Security Update : qemu (SUSE-SU-2023:0840-1)	Nessus	SuSE Local Security Checks	high
172642	SUSE SLES12 Security Update : qemu (SUSE-SU-2023:0761-1)	Nessus	SuSE Local Security Checks	high
169867	EulerOS Virtualization 2.9.1 : qemu (EulerOS-SA-2023-1212)	Nessus	Huawei Local Security Checks	high
169814	EulerOS Virtualization 2.9.0 : qemu (EulerOS-SA-2023-1242)	Nessus	Huawei Local Security Checks	high
169488	EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-2925)	Nessus	Huawei Local Security Checks	high
169363	EulerOS Virtualization 2.10.1 : qemu (EulerOS-SA-2022-2951)	Nessus	Huawei Local Security Checks	high
164115	GLSA-202208-27 : QEMU: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
162426	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : QEMU vulnerabilities (USN-5489-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2021-3929

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high