Metric | CVSS2 (4.7 Medium) | CVSS3 (6.7 Medium) |
---|---|---|
Attack Vector | LOCAL | LOCAL |
Attack Complexity | MEDIUM | LOW |
Authentication / Privileges Required | NONE | HIGH |
User Interaction | n/a | NONE |
Scope | n/a | UNCHANGED |
Confidentiality Impact | NONE | HIGH |
Integrity Impact | NONE | HIGH |
Availability Impact | COMPLETE | HIGH |
Vector | AV:L/AC:M/Au:N/C:N/I:N/A:C | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |

AI Score: 7.6 High (Confidence: Low)
EPSS: 0.002 Low (Percentile: 57.4%)

Note that the plugin below sets its own base vectors (CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P, scored from CVE-2021-3409, and CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, scored from CVE-2020-13754); the CVSS2 vector it carries differs from the one shown in this header.
According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
- sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)
- In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation. (CVE-2020-13361)
- In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user. (CVE-2020-13362)
- address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer. (CVE-2020-13659)
- hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation. (CVE-2020-13754)
- hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an address near the end of the PCI configuration space. (CVE-2020-13791)
- In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in hw/net/net_tx_pkt.c. (CVE-2020-16092)
- A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the QEMU process on the host. (CVE-2020-17380)
- QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)
- hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host controller driver. (CVE-2020-25624)
- hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)
- eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)
- hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address. (CVE-2020-28916)
- The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)
- A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-3416)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(156489);
script_version("1.5");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/21");
script_cve_id(
"CVE-2020-13253",
"CVE-2020-13361",
"CVE-2020-13362",
"CVE-2020-13659",
"CVE-2020-13754",
"CVE-2020-13791",
"CVE-2020-16092",
"CVE-2020-17380",
"CVE-2020-25085",
"CVE-2020-25624",
"CVE-2020-25625",
"CVE-2020-27617",
"CVE-2020-28916",
"CVE-2021-3409",
"CVE-2021-3416"
);
script_xref(name:"IAVB", value:"2020-B-0026-S");
script_xref(name:"IAVB", value:"2020-B-0041-S");
script_xref(name:"IAVB", value:"2020-B-0063-S");
script_xref(name:"IAVB", value:"2020-B-0075-S");
script_name(english:"EulerOS Virtualization 3.0.2.6 : qemu-kvm (EulerOS-SA-2021-2855)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the qemu-kvm packages installed, the EulerOS Virtualization installation on the remote host
is affected by the following vulnerabilities :
- sd_wp_addr in hw/sd/sd.c in QEMU 4.2.0 uses an unvalidated address, which leads to an out-of-bounds read
during sdhci_write() operations. A guest OS user can crash the QEMU process. (CVE-2020-13253)
- In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame
count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.
(CVE-2020-13361)
- In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a
crafted reply_queue_head field from a guest OS user. (CVE-2020-13362)
- address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.
(CVE-2020-13659)
- hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address
in an msi-x mmio operation. (CVE-2020-13754)
- hw/pci/pci.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access by providing an
address near the end of the PCI configuration space. (CVE-2020-13791)
- In QEMU through 5.0.0, an assertion failure can occur in the network packet processing. This issue affects
the e1000e and vmxnet3 network devices. A malicious guest user/process could use this flaw to abort the
QEMU process on the host, resulting in a denial of service condition in net_tx_pkt_add_raw_fragment in
hw/net/net_tx_pkt.c. (CVE-2020-16092)
- A heap-based buffer overflow was found in QEMU through 5.0.0 in the SDHCI device emulation support. It
could occur while doing a multi block SDMA transfer via the sdhci_sdma_transfer_multi_blocks() routine in
hw/sd/sdhci.c. A guest user or process could use this flaw to crash the QEMU process on the host,
resulting in a denial of service condition, or potentially execute arbitrary code with privileges of the
QEMU process on the host. (CVE-2020-17380)
- QEMU 5.0.0 has a heap-based Buffer Overflow in flatview_read_continue in exec.c because hw/sd/sdhci.c
mishandles a write operation in the SDHC_BLKSIZE case. (CVE-2020-25085)
- hw/usb/hcd-ohci.c in QEMU 5.0.0 has a stack-based buffer over-read via values obtained from the host
controller driver. (CVE-2020-25624)
- hw/usb/hcd-ohci.c in QEMU 5.0.0 has an infinite loop when a TD list has a loop. (CVE-2020-25625)
- eth_get_gso_type in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest
can crash the QEMU process via packet data that lacks a valid Layer 3 protocol. (CVE-2020-27617)
- hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
(CVE-2020-28916)
- The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to
the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This
flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of
service or potential code execution. QEMU up to (including) 5.2.0 is affected by this. (CVE-2021-3409)
- A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions
up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get
bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the
host resulting in DoS scenario. (CVE-2021-3416)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-2855
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b23d4511");
script_set_attribute(attribute:"solution", value:
"Update the affected qemu-kvm packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3409");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2020-13754");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/05/07");
script_set_attribute(attribute:"patch_publication_date", value:"2021/12/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/01/06");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-gpu-specs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-guest-agent");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-img");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-seabios");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.6");
script_set_attribute(attribute:"stig_severity", value:"II");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "3.0.2.6") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.6");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
var flag = 0;
var pkgs = [
"qemu-gpu-specs-2.8.1-30.093",
"qemu-guest-agent-2.8.1-30.093",
"qemu-img-2.8.1-30.093",
"qemu-kvm-2.8.1-30.093",
"qemu-kvm-common-2.8.1-30.093",
"qemu-kvm-tools-2.8.1-30.093",
"qemu-seabios-2.8.1-30.093"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-kvm");
}
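The plugin's verdict rests on one comparison: rpm_check() flags a package when the installed epoch:version-release sorts below the reference in the pkgs array (qemu-kvm-2.8.1-30.093 and friends). Two things are easy to get wrong when reproducing that by hand. First, the reference is a vendor build of QEMU 2.8.1 with backported fixes, so the upstream "4.2.0 / 5.0.0 / 5.2.0" strings in the CVE text say nothing about whether a EulerOS host is patched; only the vendor release tag does. Second, RPM version ordering is not string ordering: release 30.093 equals 30.93, 30.100 is newer than 30.093, and a pre-release marker such as ~rc1 sorts before the bare version. The following is an added example, not Tenable's rpm.inc and not QEMU or EulerOS code: a Python port of rpm's rpmvercmp segment ordering applied to `rpm -qa` style lines. The FIXED_REFERENCES list is copied from the pkgs array above; the SAMPLE_RPM_QA lines and the file name check_qemu_evr.py are constructed for illustration. It goes slightly beyond the plugin by handling an epoch prefix and the '~' and '^' separators; it does not reproduce the plugin's release, uvp_version and CPU gating.

```python
# Added example, not Tenable's rpm.inc and not QEMU/EulerOS code: the "installed EVR is
# older than the fixed EVR" test that rpm_check() performs above, with rpm's rpmvercmp
# ordering ported to Python so the check can be run offline against `rpm -qa` output.
import re
import sys
from typing import List, Tuple

FIXED_REFERENCES = [  # exactly the plugin's pkgs array above
    "qemu-gpu-specs-2.8.1-30.093", "qemu-guest-agent-2.8.1-30.093", "qemu-img-2.8.1-30.093",
    "qemu-kvm-2.8.1-30.093", "qemu-kvm-common-2.8.1-30.093", "qemu-kvm-tools-2.8.1-30.093",
    "qemu-seabios-2.8.1-30.093",
]

# Constructed `rpm -qa` output for illustration; not captured from a real host.
SAMPLE_RPM_QA = """\
qemu-kvm-2.8.1-30.085.x86_64
qemu-kvm-common-2.8.1-30.085.x86_64
qemu-img-2.8.1-30.093.x86_64
qemu-guest-agent-2.8.1-30.100.x86_64
qemu-seabios-2.8.1-30.93.x86_64
openssh-server-7.4p1-16.h10.eulerosv2r7.x86_64
"""

_ARCH_SUFFIX = re.compile(r"\.(x86_64|aarch64|i[3-6]86|noarch)$")
_DIGITS, _ALPHA = re.compile(r"[0-9]+"), re.compile(r"[^\W\d_]+")


def rpmvercmp(a: str, b: str) -> int:
    """Port of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b. Numeric segments
    compare by value (leading zeros dropped), alphabetic ones lexically, a number beats
    letters, '~' sorts below end-of-string (pre-release) and '^' just above it."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum() and a[i] not in "~^":  # skip separators
            i += 1
        while j < len(b) and not b[j].isalnum() and b[j] not in "~^":
            j += 1
        ca = a[i] if i < len(a) else ""
        cb = b[j] if j < len(b) else ""
        if ca == "~" or cb == "~":
            if ca != cb:
                return -1 if ca == "~" else 1
            i, j = i + 1, j + 1
            continue
        if ca == "^" or cb == "^":
            if ca != cb:
                if not ca or not cb:
                    return -1 if not ca else 1
                return -1 if ca == "^" else 1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        pat = _DIGITS if ca.isdigit() else _ALPHA
        ma, mb = pat.match(a, i), pat.match(b, j)
        if ma is None or mb is None:               # segment types differ: numeric is newer
            return (1 if pat is _DIGITS else -1) if ma else -1
        seg_a, seg_b = ma.group(), mb.group()
        if pat is _DIGITS:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):           # more digits means a larger number
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = ma.end(), mb.end()
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def split_nvr(pkg: str) -> Tuple[str, int, str, str]:
    """'name-[epoch:]version-release[.arch]' -> (name, epoch, version, release);
    '-' cannot occur in an RPM version or release, so split on the last two."""
    name, version, release = _ARCH_SUFFIX.sub("", pkg.strip()).rsplit("-", 2)
    epoch, version = version.split(":", 1) if ":" in version else ("0", version)
    return name, int(epoch), version, release


def compare_evr(a: Tuple[int, str, str], b: Tuple[int, str, str]) -> int:
    """Order (epoch, version, release) tuples the way rpm orders packages."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    return rpmvercmp(a[1], b[1]) or rpmvercmp(a[2], b[2])


def affected_packages(rpm_qa_output: str, references: List[str]) -> List[Tuple[str, str, str]]:
    """(name, installed, fixed) for every installed package older than its reference."""
    fixed = {split_nvr(r)[0]: split_nvr(r)[1:] for r in references}
    hits = []
    for line in rpm_qa_output.splitlines():
        if line.count("-") < 2:                    # blank line or not an NVR
            continue
        name, epoch, ver, rel = split_nvr(line)
        if name in fixed and compare_evr((epoch, ver, rel), fixed[name]) < 0:
            hits.append((name, f"{ver}-{rel}", f"{fixed[name][1]}-{fixed[name][2]}"))
    return hits


if __name__ == "__main__":   # real data:  rpm -qa 'qemu*' | python3 check_qemu_evr.py -
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_RPM_QA
    for name, installed, fixed_evr in affected_packages(data, FIXED_REFERENCES):
        print(f"{name}: installed {installed} is older than fixed {fixed_evr}")
```

On the constructed sample this flags qemu-kvm and qemu-kvm-common (30.085 sorts below 30.093) and leaves qemu-img (equal), qemu-guest-agent (30.100 is newer) and qemu-seabios (30.93 equals 30.093) alone, which is the same verdict rpm_check() would reach. Keep the reference list tied to the advisory's release tag rather than to upstream QEMU version numbers, since EulerOS ships the fix as a rebuild of 2.8.1.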
Vendor | Product | Package / Version | CPE |
---|---|---|---|
huawei | euleros | qemu-gpu-specs | p-cpe:/a:huawei:euleros:qemu-gpu-specs |
huawei | euleros | qemu-guest-agent | p-cpe:/a:huawei:euleros:qemu-guest-agent |
huawei | euleros | qemu-img | p-cpe:/a:huawei:euleros:qemu-img |
huawei | euleros | qemu-kvm | p-cpe:/a:huawei:euleros:qemu-kvm |
huawei | euleros | qemu-kvm-common | p-cpe:/a:huawei:euleros:qemu-kvm-common |
huawei | euleros | qemu-kvm-tools | p-cpe:/a:huawei:euleros:qemu-kvm-tools |
huawei | euleros | qemu-seabios | p-cpe:/a:huawei:euleros:qemu-seabios |
huawei | euleros | uvp | cpe:/o:huawei:euleros:uvp:3.0.2.6 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13253
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13361
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13362
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13659
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13754
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13791
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16092
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17380
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25085
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25624
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25625
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27617
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28916
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3409
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3416
www.nessus.org/u?b23d4511