EulerOS Virtualization 2.11.1 : qemu (EulerOS-SA-2024-2176)

2024-08-2100:00:00

www.tenable.com

euleros virtualization

qemu

buffer overflow

denial of service

double free vulnerability

arbitrary code execution

cve-2024-3447

cve-2024-3446

CVSS3

8.2

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

AI Score

9.2

Confidence

High

JSON

According to the versions of the qemu package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.QEMU has two     operating modes: Full system emulation. In this mode, QEMU emulates a full system (for example a PC),     including one or several processors and various peripherals. It can be used to launch different Operating     Systems without rebooting the PC or to debug system code. User mode emulation. In this mode, QEMU can     launch processes compiled for one CPU on another CPU. It can be used to launch the Wine Windows API     emulator (https://www.winehq.org) or to ease cross-compilation and cross-debugging.You can refer to     https://www.qemu.org for more infortmation.A heap based buffer overflow was found in the SDHCI device     emulation of QEMU. The bug is triggered when both `s-data_count` and the size of `s-fifo_buffer` are     set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU     process on the host, resulting in a denial of service condition.(CVE-2024-3447     )

QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.QEMU has two     operating modes: Full system emulation. In this mode, QEMU emulates a full system (for example a PC),     including one or several processors and various peripherals. It can be used to launch different Operating     Systems without rebooting the PC or to debug system code. User mode emulation. In this mode, QEMU can     launch processes compiled for one CPU on another CPU. It can be used to launch the Wine Windows API     emulator (https://www.winehq.org) or to ease cross-compilation and cross-debugging.You can refer to     https://www.qemu.org for more infortmation.A double free vulnerability was found in QEMU virtio devices     (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently     protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash     the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within     the context of the QEMU process on the host.(CVE-2024-3446)

Tenable has extracted the preceding description block directly from the EulerOS Virtualization qemu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(205962);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/08/21");

  script_cve_id("CVE-2024-3446", "CVE-2024-3447");

  script_name(english:"EulerOS Virtualization 2.11.1 : qemu (EulerOS-SA-2024-2176)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the qemu package installed, the EulerOS Virtualization installation on the remote host is
affected by the following vulnerabilities :

    QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.QEMU has two
    operating modes: Full system emulation. In this mode, QEMU emulates a full system (for example a PC),
    including one or several processors and various peripherals. It can be used to launch different Operating
    Systems without rebooting the PC or to debug system code. User mode emulation. In this mode, QEMU can
    launch processes compiled for one CPU on another CPU. It can be used to launch the Wine Windows API
    emulator (https://www.winehq.org) or to ease cross-compilation and cross-debugging.You can refer to
    https://www.qemu.org for more infortmation.A heap based buffer overflow was found in the SDHCI device
    emulation of QEMU. The bug is triggered when both `s-data_count` and the size of `s-fifo_buffer` are
    set to 0x200, leading to an out-of-bound access. A malicious guest could use this flaw to crash the QEMU
    process on the host, resulting in a denial of service condition.(CVE-2024-3447
    )

    QEMU is a FAST! processor emulator using dynamic translation to achieve good emulation speed.QEMU has two
    operating modes: Full system emulation. In this mode, QEMU emulates a full system (for example a PC),
    including one or several processors and various peripherals. It can be used to launch different Operating
    Systems without rebooting the PC or to debug system code. User mode emulation. In this mode, QEMU can
    launch processes compiled for one CPU on another CPU. It can be used to launch the Wine Windows API
    emulator (https://www.winehq.org) or to ease cross-compilation and cross-debugging.You can refer to
    https://www.qemu.org for more infortmation.A double free vulnerability was found in QEMU virtio devices
    (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently
    protects against DMA reentrancy issues. This issue could allow a malicious privileged guest user to crash
    the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within
    the context of the QEMU process on the host.(CVE-2024-3446)

Tenable has extracted the preceding description block directly from the EulerOS Virtualization qemu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2024-2176
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?f96f0080");
  script_set_attribute(attribute:"solution", value:
"Update the affected qemu packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-3446");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/08/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/08/21");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.11.1");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.11.1") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.11.1");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

var flag = 0;

var pkgs = [
  "qemu-6.2.0-470"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
}