The version of qemu installed on the remote host is prior to 3.1.0-8. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2061 advisory.

  - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while     processing read/write ioport commands if the selected floppy drive is not initialized with a block device.
    This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of     service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)

  - A use-after-free flaw was found in the MegaRAID emulator of QEMU. This issue occurs while processing SCSI     I/O requests in the case of an error mptsas_free_request() that does not dequeue the request object 'req'     from a pending requests queue. This flaw allows a privileged guest user to crash the QEMU process on the     host, resulting in a denial of service. Versions between 2.10.0 and 5.2.0 are potentially affected.
    (CVE-2021-3392)

  - A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a     single, large transfer request, to reduce the overhead and improve performance. The combined size of the     bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper     validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the     array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a     denial of service. (CVE-2021-3527)

  - An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE     SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious     guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
    (CVE-2021-3930)

  - A flaw was found in the QXL display device emulation in QEMU. A double fetch of guest controlled values     `cursor->header.width` and `cursor->header.height` can lead to the allocation of a small cursor object     followed by a subsequent heap-based buffer overflow. A malicious privileged guest user could use this flaw     to crash the QEMU process on the host or potentially execute arbitrary code within the context of the QEMU     process. (CVE-2021-4207)

  - An out-of-bounds read flaw was found in the QXL display device emulation in QEMU. The qxl_phys2virt()     function does not check the size of the structure pointed to by the guest physical address, potentially     reading past the end of the bar space into adjacent pages. A malicious guest user could use this flaw to     crash the QEMU process on the host causing a denial of service condition. (CVE-2022-4144)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2 : qemu (ALAS-2023-2061)

high Nessus Plugin ID 176677

Version 1.2

Version 1.1

Version 1.0

Version 1.2 Sep 28, 2023, 8:23 PM IAVM reference Plugin Feed: 202309282023
Version 1.1 Jun 6, 2023, 2:12 PM Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202306061412
Version 1.0 Jun 6, 2023, 12:00 AM New Plugin Feed: 202306060000