SB2019070304 - Security restrictions bypass in QEMU

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Improper access control (CVE-ID: CVE-2019-13164)

The vulnerability allows a local attacker to gain unauthorized access to sensitive information.

The vulnerability exists due to qemu-bridge-helper.c does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size. A local attacker can create a tap device and attach it to a denied bridge interface, bypass the Access Control List (ACL) and get access to confidential data transmitted on the bridge.

2) Buffer overflow (CVE-ID: CVE-2019-15034)

The vulnerability allows a local user to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the hw/display/bochs-display.c in QEMU due to application does not ensure a sufficient PCI config space allocation. A local user can trigger a buffer overflow and escalate privileges on the system.

3) Use-after-free (CVE-ID: CVE-2019-15890)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists in "ip_reass()" routine in "ip_input.c" file while reassembling incoming packets, if the first fragment is bigger than the m->m_dat[] buffer. A remote attacker can send a specially crafted packet and cause the application to crash.

Remediation

Install update from vendor's website.

References

• http://www.openwall.com/lists/oss-security/2019/07/02/2
• https://lists.gnu.org/archive/html/qemu-devel/2019-07/msg00145.html
• https://lists.gnu.org/archive/html/qemu-devel/2019-08/msg01959.html
• http://www.openwall.com/lists/oss-security/2019/09/06/3
• https://gitlab.freedesktop.org/slirp/libslirp/commit/c5927943