6 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
8.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
71.3%
The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-2753 advisory.
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a denial of service. (CVE-2021-3527)
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the bootp_input() function and could occur while processing a udp packet that is smaller than the size of the ‘bootp_t’ structure. A malicious guest could use this flaw to leak 10 bytes of uninitialized heap memory from the host. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the udp_input() function and could occur while processing a udp packet that is smaller than the size of the ‘udphdr’ structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3594)
An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the size of the ‘tftp_t’ structure. This issue may lead to out-of-bounds read access or indirect host memory disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3595)
A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)
An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of- bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host. (CVE-2021-3713)
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-2753. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(152982);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/09/03");
script_cve_id(
"CVE-2021-3527",
"CVE-2021-3592",
"CVE-2021-3594",
"CVE-2021-3595",
"CVE-2021-3682",
"CVE-2021-3713"
);
script_name(english:"Debian DLA-2753-1 : qemu - LTS security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The remote Debian 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-2753 advisory.
- A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a
single, large transfer request, to reduce the overhead and improve performance. The combined size of the
bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper
validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the
array length and cause the QEMU process to perform an excessive allocation on the stack, resulting in a
denial of service. (CVE-2021-3527)
- An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw
exists in the bootp_input() function and could occur while processing a udp packet that is smaller than
the size of the 'bootp_t' structure. A malicious guest could use this flaw to leak 10 bytes of
uninitialized heap memory from the host. The highest threat from this vulnerability is to data
confidentiality. This flaw affects libslirp versions prior to 4.6.0. (CVE-2021-3592)
- An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw
exists in the udp_input() function and could occur while processing a udp packet that is smaller than the
size of the 'udphdr' structure. This issue may lead to out-of-bounds read access or indirect host memory
disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw
affects libslirp versions prior to 4.6.0. (CVE-2021-3594)
- An invalid pointer initialization issue was found in the SLiRP networking implementation of QEMU. The flaw
exists in the tftp_input() function and could occur while processing a udp packet that is smaller than the
size of the 'tftp_t' structure. This issue may lead to out-of-bounds read access or indirect host memory
disclosure to the guest. The highest threat from this vulnerability is to data confidentiality. This flaw
affects libslirp versions prior to 4.6.0. (CVE-2021-3595)
- A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs
when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A
malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,
resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the
host. (CVE-2021-3682)
- An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions
prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-
bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this
flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the
host. (CVE-2021-3713)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988157");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/qemu");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/lts/security/2021/dla-2753");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-3527");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-3592");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-3594");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-3595");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-3682");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-3713");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/stretch/qemu");
script_set_attribute(attribute:"solution", value:
"Upgrade the qemu packages.
For Debian 9 stretch, these problems have been fixed in version 1");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3682");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/05/26");
script_set_attribute(attribute:"patch_publication_date", value:"2021/09/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/09/03");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-block-extra");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-guest-agent");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-kvm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-arm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-mips");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-misc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-ppc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-sparc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-x86");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user-binfmt");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user-static");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-utils");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('audit.inc');
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var release = get_kb_item('Host/Debian/release');
if ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');
var release = chomp(release);
if (! preg(pattern:"^(9)\.[0-9]+", string:release)) audit(AUDIT_OS_NOT, 'Debian 9.0', 'Debian ' + release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '9.0', 'prefix': 'qemu', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-block-extra', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-guest-agent', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-kvm', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-system', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-system-arm', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-system-common', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-system-mips', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-system-misc', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-system-ppc', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-system-sparc', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-system-x86', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-user', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-user-binfmt', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-user-static', 'reference': '1:2.8+dfsg-6+deb9u15'},
{'release': '9.0', 'prefix': 'qemu-utils', 'reference': '1:2.8+dfsg-6+deb9u15'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (release && prefix && reference) {
if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-extra / qemu-guest-agent / qemu-kvm / qemu-system / etc');
}
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | qemu | p-cpe:/a:debian:debian_linux:qemu |
debian | debian_linux | qemu-block-extra | p-cpe:/a:debian:debian_linux:qemu-block-extra |
debian | debian_linux | qemu-guest-agent | p-cpe:/a:debian:debian_linux:qemu-guest-agent |
debian | debian_linux | qemu-kvm | p-cpe:/a:debian:debian_linux:qemu-kvm |
debian | debian_linux | qemu-system | p-cpe:/a:debian:debian_linux:qemu-system |
debian | debian_linux | qemu-system-arm | p-cpe:/a:debian:debian_linux:qemu-system-arm |
debian | debian_linux | qemu-system-common | p-cpe:/a:debian:debian_linux:qemu-system-common |
debian | debian_linux | qemu-system-mips | p-cpe:/a:debian:debian_linux:qemu-system-mips |
debian | debian_linux | qemu-system-misc | p-cpe:/a:debian:debian_linux:qemu-system-misc |
debian | debian_linux | qemu-system-ppc | p-cpe:/a:debian:debian_linux:qemu-system-ppc |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3527
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3592
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3594
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3595
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3682
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3713
bugs.debian.org/cgi-bin/bugreport.cgi?bug=988157
packages.debian.org/source/stretch/qemu
security-tracker.debian.org/tracker/CVE-2021-3527
security-tracker.debian.org/tracker/CVE-2021-3592
security-tracker.debian.org/tracker/CVE-2021-3594
security-tracker.debian.org/tracker/CVE-2021-3595
security-tracker.debian.org/tracker/CVE-2021-3682
security-tracker.debian.org/tracker/CVE-2021-3713
security-tracker.debian.org/tracker/source-package/qemu
www.debian.org/lts/security/2021/dla-2753
6 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
8.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
0.003 Low
EPSS
Percentile
71.3%