The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3604 advisory.

  - An issue was discovered in TCG Accelerator in QEMU 4.2.0, allows local attackers to execute arbitrary     code, escalate privileges, and cause a denial of service (DoS). (CVE-2020-24165)

  - A vulnerability in the lsi53c895a device affects the latest version of qemu. A DMA-MMIO reentrancy problem     may lead to memory corruption bugs like stack overflow or use-after-free. (CVE-2023-0330)

  - A flaw was found in the QEMU virtual crypto device while handling data encryption/decryption requests in     virtio_crypto_handle_sym_req. There is no check for the value of `src_len` and `dst_len` in     virtio_crypto_sym_op_helper, potentially leading to a heap buffer overflow when the two values differ.
    (CVE-2023-3180)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian DLA-3604-1 : qemu - LTS security update

high Nessus Plugin ID 182648

Version 1.1

Version 1.0

Version 1.1 Mar 15, 2024, 11:10 AM IAVM reference Plugin Feed: 202403151110
Version 1.0 Oct 6, 2023, 4:01 AM New Plugin Feed: 202310060401