6.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
8.2 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
0.0005 Low
EPSS
Percentile
17.9%
According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.
This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-35504)
An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.(CVE-2021-20221)
A flaw was found in the USB redirector device (usb-redir) of QEMU. Small USB packets are combined into a single, large transfer request, to reduce the overhead and improve performance. The combined size of the bulk transfer is used to dynamically allocate a variable length array (VLA) on the stack without proper validation. Since the total size is not bounded, a malicious guest could use this flaw to influence the array length and cause the QEMU process to perform an excessive allocation on the(CVE-2021-3527)
QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked.(CVE-2020-25084)
A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the ‘Information Transfer’ command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability.(CVE-2020-35505)
An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host.
(CVE-2021-3545)
Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime.(CVE-2021-3544)
A flaw was found in vhost-user-gpu of QEMU in versions up to and including 6.0. An out-of-bounds write vulnerability can allow a malicious guest to crash the QEMU process on the host resulting in a denial of service or potentially execute arbitrary code on the host with the privileges of the QEMU process. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.(CVE-2021-3546)
A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity as well as system availability.(CVE-2021-20181)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(151557);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/05/09");
script_cve_id(
"CVE-2020-25084",
"CVE-2020-35504",
"CVE-2020-35505",
"CVE-2021-3527",
"CVE-2021-3544",
"CVE-2021-3545",
"CVE-2021-3546",
"CVE-2021-20181",
"CVE-2021-20221"
);
script_name(english:"EulerOS Virtualization 2.9.0 : qemu (EulerOS-SA-2021-2211)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security
updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the qemu packages installed, the EulerOS
Virtualization installation on the remote host is affected by the
following vulnerabilities :
- A NULL pointer dereference flaw was found in the SCSI
emulation support of QEMU in versions before 6.0.0.
This flaw allows a privileged guest user to crash the
QEMU process on the host, resulting in a denial of
service. The highest threat from this vulnerability is
to system availability.(CVE-2020-35504)
- An out-of-bounds heap buffer access issue was found in
the ARM Generic Interrupt Controller emulator of QEMU
up to and including qemu 4.2.0on aarch64 platform. The
issue occurs because while writing an interrupt ID to
the controller memory area, it is not masked to be 4
bits wide. It may lead to the said issue while updating
controller state fields and their subsequent
processing. A privileged guest user may use this flaw
to crash the QEMU process on the host resulting in DoS
scenario.(CVE-2021-20221)
- A flaw was found in the USB redirector device
(usb-redir) of QEMU. Small USB packets are combined
into a single, large transfer request, to reduce the
overhead and improve performance. The combined size of
the bulk transfer is used to dynamically allocate a
variable length array (VLA) on the stack without proper
validation. Since the total size is not bounded, a
malicious guest could use this flaw to influence the
array length and cause the QEMU process to perform an
excessive allocation on the(CVE-2021-3527)
- QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c
because the usb_packet_map return value is not
checked.(CVE-2020-25084)
- A NULL pointer dereference flaw was found in the
am53c974 SCSI host bus adapter emulation of QEMU in
versions before 6.0.0. This issue occurs while handling
the 'Information Transfer' command. This flaw allows a
privileged guest user to crash the QEMU process on the
host, resulting in a denial of service. The highest
threat from this vulnerability is to system
availability.(CVE-2020-35505)
- An information disclosure vulnerability was found in
the virtio vhost-user GPU device (vhost-user-gpu) of
QEMU in versions up to and including 6.0. The flaw
exists in virgl_cmd_get_capset_info() in
contrib/vhost-user-gpu/virgl.c and could occur due to
the read of uninitialized memory. A malicious guest
could exploit this issue to leak memory from the host.
(CVE-2021-3545)
- Several memory leaks were found in the virtio
vhost-user GPU device (vhost-user-gpu) of QEMU in
versions up to and including 6.0. They exist in
contrib/vhost-user-gpu/vhost-user-gpu.c and
contrib/vhost-user-gpu/virgl.c due to improper release
of memory (i.e., free) after effective
lifetime.(CVE-2021-3544)
- A flaw was found in vhost-user-gpu of QEMU in versions
up to and including 6.0. An out-of-bounds write
vulnerability can allow a malicious guest to crash the
QEMU process on the host resulting in a denial of
service or potentially execute arbitrary code on the
host with the privileges of the QEMU process. The
highest threat from this vulnerability is to data
confidentiality and integrity as well as system
availability.(CVE-2021-3546)
- A race condition flaw was found in the 9pfs server
implementation of QEMU up to and including 5.2.0. This
flaw allows a malicious 9p client to cause a
use-after-free error, potentially escalating their
privileges on the system. The highest threat from this
vulnerability is to confidentiality, integrity as well
as system availability.(CVE-2021-20181)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2211
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?069e25b9");
script_set_attribute(attribute:"solution", value:
"Update the affected qemu packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-20181");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-3546");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"patch_publication_date", value:"2021/07/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/07/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-img");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.9.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.9.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.9.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["qemu-4.1.0-2.9.1.2.285",
"qemu-img-4.1.0-2.9.1.2.285"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
}
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25084
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35504
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35505
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20181
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20221
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3527
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3544
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3545
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3546
www.nessus.org/u?069e25b9
6.9 Medium
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
8.2 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
0.0005 Low
EPSS
Percentile
17.9%