Oracle Linux 7 : qemu (ELSA-2019-4556)

high Nessus Plugin ID 180708

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-4556 advisory.

- A flaw was found in qemu Media Transfer Protocol (MTP) before version 3.1.0. A path traversal in the in usb_mtp_write_data function in hw/usb/dev-mtp.c due to an improper filename sanitization. When the guest device is mounted in read-write mode, this allows to read/write arbitrary files which may lead do DoS scenario OR possibly lead to code execution on the host. (CVE-2018-16867)

- hw/rdma/vmw/pvrdma_main.c in QEMU does not implement a read operation (such as uar_read by analogy to uar_write), which allows attackers to cause a denial of service (NULL pointer dereference).
(CVE-2018-20191)

- A flaw was found in qemu Media Transfer Protocol (MTP). The code opening files in usb_mtp_get_object and usb_mtp_get_partial_object and directories in usb_mtp_object_readdir doesn't consider that the underlying filesystem may have changed since the time lstat(2) was called in usb_mtp_object_alloc, a classical TOCTTOU problem. An attacker with write access to the host filesystem shared with a guest can use this property to navigate the host filesystem in the context of the QEMU process and read any file the QEMU process has access to. Access to the filesystem may be local or via a network share protocol such as CIFS.
(CVE-2018-16872)

- hw/rdma/rdma_backend.c in QEMU allows guest OS users to trigger out-of-bounds access via a PvrdmaSqWqe ring element with a large num_sge value. (CVE-2018-20124)

- QEMU can have an infinite loop in hw/rdma/vmw/pvrdma_dev_ring.c because return values are not checked (and
-1 is mishandled). (CVE-2018-20216)

- hw/rdma/vmw/pvrdma_cmd.c in QEMU allows attackers to cause a denial of service (NULL pointer dereference or excessive memory allocation) in create_cq_ring or create_qp_rings. (CVE-2018-20125)

- hw/rdma/vmw/pvrdma_cmd.c in QEMU allows create_cq and create_qp memory leaks because errors are mishandled. (CVE-2018-20126)

- pvrdma_realize in hw/rdma/vmw/pvrdma_main.c in QEMU has a Memory leak after an initialisation error.
(CVE-2018-20123)

- In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow. (CVE-2019-6778)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2019-4556.html

Plugin Details

Severity: High

ID: 180708

File Name: oraclelinux_ELSA-2019-4556.nasl

Version: 1.0

Type: local

Agent: unix

Published: 9/7/2023

Updated: 9/7/2023

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-6778

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:qemu-img, p-cpe:/a:oracle:linux:qemu-block-gluster, p-cpe:/a:oracle:linux:qemu-kvm-core, cpe:/o:oracle:linux:7, p-cpe:/a:oracle:linux:qemu-common, p-cpe:/a:oracle:linux:qemu-kvm, p-cpe:/a:oracle:linux:qemu-block-iscsi, p-cpe:/a:oracle:linux:qemu-system-x86-core, p-cpe:/a:oracle:linux:qemu-system-x86, p-cpe:/a:oracle:linux:qemu, p-cpe:/a:oracle:linux:qemu-block-rbd

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 2/22/2019

Vulnerability Publication Date: 12/12/2018

Reference Information

CVE: CVE-2018-16867, CVE-2018-16872, CVE-2018-20123, CVE-2018-20124, CVE-2018-20125, CVE-2018-20126, CVE-2018-20191, CVE-2018-20216, CVE-2019-6778