Errata ALT-PU-2021-3363-1: Information
Fixes
Published: May 10, 2021
BDU:2021-06303
A vulnerability in the virgl_cmd_get_capset_info() function of the contrib/vhost-user-gpu/virgl.c component of the QEMU hardware emulator, related to information disclosure, allows an attacker to gain access to confidential data.
Severity: MEDIUM (6.5) Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Links:
Published: May 10, 2021
BDU:2021-06305
A vulnerability in the contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c components of the QEMU hardware emulator, related to memory not being released before the last reference to it is removed (memory leak), allows an attacker to cause a denial of service.
Severity: MEDIUM (6.5) Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Links:
Published: Aug. 17, 2021
BDU:2021-06306
A vulnerability in the UAS device emulation of the QEMU hardware emulator, related to an out-of-bounds write, allows an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service.
Severity: HIGH (7.4) Vector: AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Links:
Published: May 10, 2021
BDU:2021-06308
A vulnerability in the handling of the VIRTIO_GPU_CMD_GET_CAPSET command in the QEMU hardware emulator, related to an out-of-bounds write, allows an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service.
Severity: HIGH (8.2) Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Links:
Published: July 19, 2021
BDU:2022-05693
A vulnerability in the USB redirector emulation of the QEMU hardware emulator allows an attacker to gain access to confidential data, compromise its integrity, and cause a denial of service.
Severity: HIGH (8.5) Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Links:
Published: June 17, 2021
BDU:2022-05706
A vulnerability in the QEMU hardware emulator, related to access through an uninitialized pointer, allows an attacker to cause a denial of service.
Severity: MEDIUM (6.0) Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Links:
Published: Feb. 10, 2021
BDU:2022-05772
A vulnerability in the QEMU hardware emulator, related to a loop with an unreachable exit condition, allows an attacker to cause a denial of service.
Severity: MEDIUM (6.5) Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Links:
Published: June 17, 2021
BDU:2022-05775
A vulnerability in the QEMU hardware emulator, related to an integer overflow, allows an attacker to cause a denial of service.
Severity: MEDIUM (6.0) Vector: AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Links:
Published: May 31, 2021
BDU:2022-05783
A vulnerability in the handling of the PVRDMA_CMD_CREATE_MR command in the QEMU hardware emulator allows an attacker to cause a denial of service.
Severity: MEDIUM (6.5) Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Links:
Published: April 30, 2021
BDU:2022-05840
A vulnerability in the QEMU hardware emulator, related to unbounded memory allocation, allows an attacker to cause a denial of service.
Severity: MEDIUM (5.5) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Links:
Published: April 19, 2021
BDU:2023-01705
A vulnerability in the fdctrl_transfer_handler() function of the hw/block/fdc.c component of the QEMU hardware emulator allows an attacker to gain access to confidential data and cause a denial of service.
Severity: MEDIUM (6.1) Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Links:
Published: June 2, 2021
Modified: May 13, 2022
CVE-2020-35503
A NULL pointer dereference flaw was found in the megasas-gen2 SCSI host bus adapter emulation of QEMU in versions before and including 6.0. This issue occurs in the megasas_command_cancelled() callback function while dropping a SCSI request. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Severity: MEDIUM (6.0) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Links:
Published: March 16, 2022
Modified: Feb. 13, 2023
CVE-2021-20257
An infinite loop flaw was found in the e1000 NIC emulator of QEMU. This issue occurs while processing transmit (tx) descriptors in process_tx_desc if various descriptor fields are initialized with invalid values. This flaw allows a guest to consume CPU cycles on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Links:
- https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg07428.html
- https://github.com/qemu/qemu/commit/3de46e6fc489c52c9431a8a832ad8170a7569bd8
- https://bugzilla.redhat.com/show_bug.cgi?id=1930087
- https://www.openwall.com/lists/oss-security/2021/02/25/2
- https://security.netapp.com/advisory/ntap-20220425-0003/
- GLSA-202208-27
- [debian-lts-announce] 20220905 [SECURITY] [DLA 3099-1] qemu security update
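The e1000 flaw above is an instance of a guest-driven loop whose exit condition depends on descriptor fields the guest controls. The following is an added illustration, not QEMU's e1000 code: a constructed model of a segmentation-offload transmit loop in which a zero segment size (mss) lets a frame "complete" without consuming any data, so the loop spins forever, beside a hardened version that validates the fields before entering the loop and guarantees progress on every iteration. FRAME_MAX, the struct fields, the function names and the sample values are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a segmentation-offload transmit loop (not QEMU's
 * e1000 code). The guest programs hdr_len and mss in a context descriptor
 * and then hands over data descriptors of `len` bytes; the device cuts the
 * data into frames of at most hdr_len + mss bytes. Names are illustrative. */
#define FRAME_MAX 16384u        /* assumed upper bound on one frame */

struct tx_ctx {
    uint32_t hdr_len;           /* guest supplied */
    uint32_t mss;               /* guest supplied */
    uint32_t size;              /* bytes queued for the frame being built */
};

/* Vulnerable shape. With mss == 0 the frame limit msh equals hdr_len, so
 * once size == hdr_len the clamp yields bytes == 0: nothing is consumed,
 * the frame is "completed", size is reset to hdr_len, and the loop repeats
 * with len unchanged. An iteration budget is added here only so the model
 * can return -1 instead of hanging the caller; the device loop has none. */
static int vuln_process_desc(struct tx_ctx *ctx, uint32_t len, unsigned budget)
{
    uint32_t msh = ctx->hdr_len + ctx->mss;
    int frames = 0;

    while (len) {
        if (budget-- == 0)
            return -1;                       /* would be an infinite loop */
        uint32_t bytes = len;
        if (ctx->size + bytes > msh)
            bytes = msh - ctx->size;         /* 0 when size == msh */
        ctx->size += bytes;
        len -= bytes;                        /* no progress when bytes == 0 */
        if (ctx->size == msh) {
            frames++;                        /* emit frame, keep header */
            ctx->size = ctx->hdr_len;
        }
    }
    return frames;
}

/* Hardened: reject descriptor fields that cannot make progress before the
 * loop is entered. The sum is computed in 64 bits so it cannot wrap. */
static bool tx_ctx_valid(const struct tx_ctx *ctx)
{
    uint64_t msh = (uint64_t)ctx->hdr_len + ctx->mss;
    return ctx->mss != 0 && msh <= FRAME_MAX && ctx->size <= ctx->hdr_len;
}

/* Every iteration consumes at least one byte: size <= hdr_len < msh holds
 * on entry and after every frame reset, so `room` is never zero. */
static int safe_process_desc(struct tx_ctx *ctx, uint32_t len)
{
    if (!tx_ctx_valid(ctx))
        return -1;                           /* fail the descriptor early */
    uint32_t msh = ctx->hdr_len + ctx->mss;
    int frames = 0;

    while (len) {
        uint32_t room = msh - ctx->size;
        uint32_t bytes = len < room ? len : room;
        ctx->size += bytes;
        len -= bytes;
        if (ctx->size == msh) {
            frames++;
            ctx->size = ctx->hdr_len;
        }
    }
    return frames;
}

/* Scenario helpers: a fresh context per run so results can be checked. */
static int run_vuln(uint32_t hdr_len, uint32_t mss, uint32_t len)
{
    struct tx_ctx c = { hdr_len, mss, 0 };
    return vuln_process_desc(&c, len, 1000);
}

static int run_safe(uint32_t hdr_len, uint32_t mss, uint32_t len)
{
    struct tx_ctx c = { hdr_len, mss, 0 };
    return safe_process_desc(&c, len);
}

int main(void)
{
    printf("benign  vuln=%d safe=%d\n", run_vuln(14, 1460, 3000), run_safe(14, 1460, 3000));
    printf("mss=0   vuln=%d safe=%d\n", run_vuln(14, 0, 100), run_safe(14, 0, 100));
    return 0;
}
```

A well-formed context (14-byte header, 1460-byte segments, 3000 bytes of data) yields two full frames from either version; the mss == 0 context exhausts the vulnerable loop's budget, which is the hang the advisory describes, while the hardened path refuses it before any work is done.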
Published: May 6, 2021
Modified: Feb. 13, 2023
CVE-2021-3507
A heap buffer overflow was found in the floppy disk emulator of QEMU up to and including 6.0.0. It could occur in fdctrl_transfer_handler() in hw/block/fdc.c while processing DMA read data transfers from the floppy drive to the guest system. A privileged guest user could use this flaw to crash the QEMU process on the host, resulting in a denial of service, or to potentially leak information from host memory.
Severity: MEDIUM (6.1) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
Links:
Published: May 27, 2021
Modified: Sept. 30, 2022
CVE-2021-3527
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service.
Severity: MEDIUM (5.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Links:
- https://www.openwall.com/lists/oss-security/2021/05/05/5
- https://gitlab.com/qemu-project/qemu/-/commit/05a40b172e4d691371534828078be47e7fff524c
- https://bugzilla.redhat.com/show_bug.cgi?id=1955695
- https://gitlab.com/qemu-project/qemu/-/commit/7ec54f9eb62b5d177e30eb8b1cad795a5f8d8986
- https://security.netapp.com/advisory/ntap-20210708-0008/
- [debian-lts-announce] 20210902 [SECURITY] [DLA 2753-1] qemu security update
- GLSA-202208-27
- [debian-lts-announce] 20220905 [SECURITY] [DLA 3099-1] qemu security update
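The usb-redir description above names the pattern: a variable length array sized from a sum of guest-controlled packet lengths, with neither a bound on the total nor protection against the 32-bit sum wrapping. The following added example, not QEMU's usb-redir code, models that coalescing step with the vulnerable VLA shape beside a hardened version that accumulates in 64 bits, refuses anything over an assumed per-transfer cap before allocating, and takes the buffer from the heap. BULK_MAX_COALESCED, struct usb_pkt and the function names are assumptions; the sample packets are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of bulk packet coalescing (not QEMU's usb-redir code):
 * several small packets are merged into one transfer, and the guest
 * controls every packet length. */
struct usb_pkt {
    uint32_t len;               /* guest supplied */
    const uint8_t *data;
};

#define BULK_MAX_COALESCED (1u << 20)   /* assumed cap: 1 MiB per combined transfer */

/* Vulnerable shape: a VLA on the stack sized by the unchecked 32-bit sum.
 * A single packet with len 0x10000000 asks for a 256 MiB stack frame (the
 * stack exhaustion behind the DoS). Lengths 0xFFFFFFF0 and 0x20 sum to
 * 0x10 after wrap-around, so the copy loop would write 4 GiB into a
 * 16-byte array. Kept for contrast; never called with hostile input. */
static uint32_t vuln_coalesce(const struct usb_pkt *pkts, unsigned n)
{
    uint32_t total = 0;
    for (unsigned i = 0; i < n; i++)
        total += pkts[i].len;
    uint8_t buf[total];                     /* guest-sized VLA */
    uint32_t off = 0;
    for (unsigned i = 0; i < n; i++) {
        memcpy(buf + off, pkts[i].data, pkts[i].len);
        off += pkts[i].len;
    }
    return off;                             /* real code would submit buf */
}

/* Hardened: 64-bit accumulation, a cap checked before any allocation, and
 * a heap buffer whose size the caller can reason about. Returns 0 and the
 * buffer (caller frees) on success, -1 on rejection. */
static int safe_coalesce(const struct usb_pkt *pkts, unsigned n,
                         uint8_t **out, size_t *out_len)
{
    uint64_t total = 0;
    for (unsigned i = 0; i < n; i++) {
        total += pkts[i].len;               /* cannot wrap in 64 bits */
        if (total > BULK_MAX_COALESCED)
            return -1;                      /* reject before allocating */
    }
    uint8_t *buf = malloc(total ? total : 1);
    if (!buf)
        return -1;
    size_t off = 0;
    for (unsigned i = 0; i < n; i++) {
        memcpy(buf + off, pkts[i].data, pkts[i].len);
        off += pkts[i].len;
    }
    *out = buf;
    *out_len = (size_t)total;
    return 0;
}

/* Constructed sample: three small packets, as a well-behaved guest sends.
 * Returns the combined length (12) when the merge is correct. */
static int demo_benign(void)
{
    static const uint8_t a[] = "GET ", b[] = "/index", c[] = "\r\n";
    struct usb_pkt pkts[3] = { { 4, a }, { 6, b }, { 2, c } };
    uint8_t *buf;
    size_t len;
    if (safe_coalesce(pkts, 3, &buf, &len) != 0)
        return -1;
    int ok = (len == 12 && memcmp(buf, "GET /index\r\n", 12) == 0);
    free(buf);
    return ok ? (int)len : -2;
}

/* Hostile sample: lengths whose 32-bit sum wraps to 16 while the true total
 * is about 4 GiB. The hardened path returns -1 at the first packet. */
static int demo_hostile(void)
{
    struct usb_pkt pkts[2] = { { 0xFFFFFFF0u, NULL }, { 0x20u, NULL } };
    uint8_t *buf;
    size_t len;
    return safe_coalesce(pkts, 2, &buf, &len);
}

int main(void)
{
    static const uint8_t x[] = "abc";
    struct usb_pkt one = { 3, x };
    printf("vuln benign=%u safe benign=%d hostile=%d\n",
           vuln_coalesce(&one, 1), demo_benign(), demo_hostile());
    return 0;
}
```

The cap is the important part: an allocation size derived from guest input must be compared against a limit the device is designed for, and the comparison has to happen in an integer type wide enough that the guest cannot wrap it.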
Published: June 2, 2021
Modified: Oct. 25, 2022
CVE-2021-3544
Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.
Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Links:
Published: June 2, 2021
Modified: Nov. 7, 2023
CVE-2021-3545
An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.
Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Links:
Published: June 2, 2021
Modified: Oct. 25, 2022
CVE-2021-3546
An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process.
Severity: HIGH (8.2) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Links:
Published: March 25, 2022
Modified: Oct. 5, 2022
CVE-2021-3582
A flaw was found in the QEMU implementation of VMware's paravirtual RDMA device. The issue occurs while handling a "PVRDMA_CMD_CREATE_MR" command due to improper memory remapping (mremap). This flaw allows a malicious guest to crash the QEMU process on the host. The highest threat from this vulnerability is to system availability.
Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Links:
Published: Feb. 24, 2022
Modified: Nov. 7, 2023
CVE-2021-3607
An integer overflow was found in the QEMU implementation of VMware's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Severity: MEDIUM (6.0) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Links:
Published: Feb. 24, 2022
Modified: Oct. 26, 2022
CVE-2021-3608
A flaw was found in the QEMU implementation of VMware's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest and may result in a crash of QEMU or cause undefined behavior due to the access of an uninitialized pointer. The highest threat from this vulnerability is to system availability.
Severity: MEDIUM (6.0) Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H
Links:
Published: Aug. 5, 2021
Modified: March 31, 2023
CVE-2021-3682
A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.
Severity: HIGH (8.5) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Links:
Published: Aug. 25, 2021
Modified: Oct. 25, 2022
CVE-2021-3713
An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.
Severity: HIGH (7.4) Vector: CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Links:
Published: March 23, 2022
Modified: Jan. 3, 2023
CVE-2021-3748
A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process.
Severity: HIGH (7.5) Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Links:
- https://github.com/qemu/qemu/commit/bedd7e93d01961fcb16a97ae45d93acf357e11f6
- https://ubuntu.com/security/CVE-2021-3748
- https://bugzilla.redhat.com/show_bug.cgi?id=1998514
- https://lists.nongnu.org/archive/html/qemu-devel/2021-09/msg00388.html
- [debian-lts-announce] 20220404 [SECURITY] [DLA 2970-1] qemu security update
- https://security.netapp.com/advisory/ntap-20220425-0004/
- GLSA-202208-27
- [debian-lts-announce] 20220905 [SECURITY] [DLA 3099-1] qemu security update
Published: Feb. 18, 2022
Modified: Oct. 25, 2022
CVE-2021-3930
An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Links:
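Both the UAS entry (a guest-chosen stream number used as an array subscript, CVE-2021-3713) and the SCSI MODE SELECT entry (the 0x3f "all pages" wildcard reaching mode_sense_page() as if it were a page code, CVE-2021-3930) come down to a guest-supplied index reaching a table before it is validated. The following added example, not QEMU's hw/usb/dev-uas.c or hw/scsi/scsi-disk.c, models both tables with the vulnerable access beside the checked one. In this model the off-by-one comes from a page table with one slot per real page code and none for the wildcard; MAX_STREAMS, the struct and function names, and the table layout are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_STREAMS    256u     /* assumed: valid stream ids are 0..255 */
#define MODE_PAGE_ALLS 0x3f     /* SCSI "return all pages" wildcard, not a page */

/* Per-stream request state, modelled on the two fields the UAS entry names. */
struct uas_dev {
    uint32_t data3[MAX_STREAMS];
    uint32_t status3[MAX_STREAMS];
};

/* Vulnerable shape: stream comes straight from the guest's IU header. */
static void vuln_uas_bind(struct uas_dev *d, uint32_t stream, uint32_t tag)
{
    d->data3[stream] = tag;     /* out-of-bounds write for stream >= MAX_STREAMS */
    d->status3[stream] = 0;
}

/* Hardened: check once, before the first use, and fail the request so the
 * caller can stall the endpoint instead of carrying on. */
static int safe_uas_bind(struct uas_dev *d, uint32_t stream, uint32_t tag)
{
    if (stream >= MAX_STREAMS)
        return -1;
    d->data3[stream] = tag;
    d->status3[stream] = 0;
    return 0;
}

/* Mode page table with one slot per page code 0x00..0x3e. It deliberately
 * has no slot for 0x3f: that value is a request for every page. */
static uint8_t mode_current[MODE_PAGE_ALLS];

/* Vulnerable shape: page is masked to its six-bit field, so 0x3f passes
 * any "fits in the field" reasoning and indexes one past the end. */
static uint8_t *vuln_mode_page(uint8_t page)
{
    return &mode_current[page & 0x3f];      /* off by one for 0x3f */
}

/* Hardened MODE SELECT: writes a single page; the wildcard is an error. */
static int safe_mode_select(uint8_t page, uint8_t value)
{
    page &= 0x3f;
    if (page >= MODE_PAGE_ALLS)
        return -1;
    mode_current[page] = value;
    return 0;
}

/* Hardened MODE SENSE: the wildcard is expanded into a loop over real
 * pages rather than used as an index. Returns bytes written, or -1. */
static int safe_mode_sense(uint8_t page, uint8_t *out, size_t out_len)
{
    page &= 0x3f;
    if (page == MODE_PAGE_ALLS) {
        if (out_len < MODE_PAGE_ALLS)
            return -1;
        for (unsigned p = 0; p < MODE_PAGE_ALLS; p++)
            out[p] = mode_current[p];
        return MODE_PAGE_ALLS;
    }
    if (out_len < 1)
        return -1;
    out[0] = mode_current[page];
    return 1;
}

/* Scenario helpers with constructed inputs. */
static int demo_uas(uint32_t stream)
{
    static struct uas_dev dev;
    return safe_uas_bind(&dev, stream, 0x1234);
}

/* Sets the caching page (0x08) to 4, then reads everything back via the
 * wildcard. Returns 4 when both paths behave; negative codes otherwise. */
static int demo_mode(void)
{
    uint8_t out[MODE_PAGE_ALLS];
    if (safe_mode_select(0x3f, 0xaa) != -1) return -1;   /* wildcard refused */
    if (safe_mode_select(0x08, 0x04) != 0)  return -2;
    if (safe_mode_sense(0x3f, out, sizeof out) != MODE_PAGE_ALLS) return -3;
    return out[0x08];
}

int main(void)
{
    static struct uas_dev dev;
    vuln_uas_bind(&dev, 7, 1);                      /* in range: harmless here */
    printf("page 0x08 slot=%p\n", (void *)vuln_mode_page(0x08));
    printf("stream 256 -> %d, wildcard demo -> %d\n", demo_uas(256), demo_mode());
    return 0;
}
```

The two checks differ in one detail worth keeping in mind: for the stream id the invalid values are everything at or above the table size, but for the page code the invalid value is a legitimate protocol constant that happens to equal the table size, so the check has to name it explicitly rather than rely on the field width.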