This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLELINUX_ELSA-2018-4262.NASLOracle Linux 7 : qemu (ELSA-2018-4262)
7.7 High
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:S/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.141 Low
EPSS
Percentile
95.7%
The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2018-4262 advisory.
-
An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the ‘vnc_refresh_server_surface’. A user inside a guest could use this flaw to crash the QEMU process.
(CVE-2017-2633) -
m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
(CVE-2018-11806) -
qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread. (CVE-2018-15746)
-
qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. (CVE-2018-17963)
-
Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. (CVE-2018-17962)
-
Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used. (CVE-2018-17958)
-
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS. (CVE-2018-10839)
-
qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP command (including guest-file-read with a large count value) to the agent via the listening socket.
(CVE-2018-12617) -
Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. (CVE-2017-7471)
-
A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network Block Device (NBD) client support. The flaw could occur while processing server’s response to a ‘NBD_OPT_LIST’ request. A malicious NBD server could use this issue to crash a remote NBD client resulting in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.
(CVE-2017-2630)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2018-4262.
##
include('compat.inc');
if (description)
{
script_id(180821);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/07");
script_cve_id(
"CVE-2017-2630",
"CVE-2017-2633",
"CVE-2017-7471",
"CVE-2018-10839",
"CVE-2018-11806",
"CVE-2018-12617",
"CVE-2018-15746",
"CVE-2018-17958",
"CVE-2018-17962",
"CVE-2018-17963"
);
script_name(english:"Oracle Linux 7 : qemu (ELSA-2018-4262)");
script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2018-4262 advisory.
- An out-of-bounds memory access issue was found in Quick Emulator (QEMU) before 1.7.2 in the VNC display
driver. This flaw could occur while refreshing the VNC display surface area in the
'vnc_refresh_server_surface'. A user inside a guest could use this flaw to crash the QEMU process.
(CVE-2017-2633)
- m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams.
(CVE-2018-11806)
- qemu-seccomp.c in QEMU might allow local OS guest users to cause a denial of service (guest crash) by
leveraging mishandling of the seccomp policy for threads other than the main thread. (CVE-2018-15746)
- qemu_deliver_packet_iov in net/net.c in Qemu accepts packet sizes greater than INT_MAX, which allows
attackers to cause a denial of service or possibly have unspecified other impact. (CVE-2018-17963)
- Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is
used. (CVE-2018-17962)
- Qemu has a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data
type is used. (CVE-2018-17958)
- Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow,
which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user
inside guest could use this flaw to crash the Qemu process resulting in DoS. (CVE-2018-10839)
- qmp_guest_file_read in qga/commands-posix.c and qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent) in
QEMU 2.12.50 has an integer overflow causing a g_malloc0() call to trigger a segmentation fault when
trying to allocate a large memory chunk. The vulnerability can be exploited by sending a crafted QMP
command (including guest-file-read with a large count value) to the agent via the listening socket.
(CVE-2018-12617)
- Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System (9pfs) support,
is vulnerable to an improper access control issue. It could occur while accessing files on a shared host
directory. A privileged user inside guest could use this flaw to access host file system beyond the shared
folder and potentially escalating their privileges on a host. (CVE-2017-7471)
- A stack buffer overflow flaw was found in the Quick Emulator (QEMU) before 2.9 built with the Network
Block Device (NBD) client support. The flaw could occur while processing server's response to a
'NBD_OPT_LIST' request. A malicious NBD server could use this issue to crash a remote NBD client resulting
in DoS or potentially execute arbitrary code on client host with privileges of the QEMU process.
(CVE-2017-2630)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2018-4262.html");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:A/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-7471");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-17963");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/15");
script_set_attribute(attribute:"patch_publication_date", value:"2018/10/29");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/07");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-gluster");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-iscsi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-rbd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-common");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-img");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-core");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-x86");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-x86-core");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Oracle Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);
if ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);
var pkgs = [
{'reference':'qemu-2.9.0-17.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-block-gluster-2.9.0-17.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-block-iscsi-2.9.0-17.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-block-rbd-2.9.0-17.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-common-2.9.0-17.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-img-2.9.0-17.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-kvm-2.9.0-17.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-kvm-core-2.9.0-17.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-system-x86-2.9.0-17.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'},
{'reference':'qemu-system-x86-core-2.9.0-17.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'12'}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release) {
if (exists_check) {
if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
} else {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-gluster / qemu-block-iscsi / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| oracle | linux | 7 | cpe:/o:oracle:linux:7 |
| oracle | linux | qemu | p-cpe:/a:oracle:linux:qemu |
| oracle | linux | qemu-block-gluster | p-cpe:/a:oracle:linux:qemu-block-gluster |
| oracle | linux | qemu-block-iscsi | p-cpe:/a:oracle:linux:qemu-block-iscsi |
| oracle | linux | qemu-block-rbd | p-cpe:/a:oracle:linux:qemu-block-rbd |
| oracle | linux | qemu-common | p-cpe:/a:oracle:linux:qemu-common |
| oracle | linux | qemu-img | p-cpe:/a:oracle:linux:qemu-img |
| oracle | linux | qemu-kvm | p-cpe:/a:oracle:linux:qemu-kvm |
| oracle | linux | qemu-kvm-core | p-cpe:/a:oracle:linux:qemu-kvm-core |
| oracle | linux | qemu-system-x86 | p-cpe:/a:oracle:linux:qemu-system-x86 |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2630
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2633
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7471
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10839
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11806
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12617
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15746
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17958
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17962
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17963
linux.oracle.com/errata/ELSA-2018-4262.html
Related
7.7 High
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:A/AC:L/Au:S/C:C/I:C/A:C
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.141 Low
EPSS
Percentile
95.7%