Main Vulnerability Database SB2022022813

SB2022022813 - Ubuntu update for qemu

Published: February 28, 2022

Security Bulletin ID SB2022022813

Severity

High

Patch available

YES

Number of vulnerabilities 11

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 11 secuirty vulnerabilities.

1) NULL pointer dereference (CVE-ID: CVE-2021-20196)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the floppy disk emulator of QEMU. A privileged guest can trigger a NULL pointer dereference error and cause a denial of service.

2) Integer overflow (CVE-ID: CVE-2021-20203)

The vulnerability allows a local user to perform a denial of service attack.

The vulnerability exists due to integer overflow in the vmxnet3 NIC emulator of the QEMU. A privileged guest user can pass invalid values for the rx/tx queue size or other NIC parameters and perform a denial of service attack.

3) Memory leak (CVE-ID: CVE-2021-3544)

The vulnerability allows a remote user to perform DoS attack on the target system.

The vulnerability exists due to multiple memory leaks in the vhost-user-gpu/vhost-user-gpu.c. A remote authenticated user of the guest operating system can force the application to leak memory and perform denial of service attack.

4) Information disclosure (CVE-ID: CVE-2021-3545)

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to uninitialized memory disclosure within the virgl_cmd_get_capset_info() function in vhost-user-gpu/virgl.c. A remote authenticated user of the guest operating system can gain unauthorized access to sensitive information on the system.

5) Out-of-bounds write (CVE-ID: CVE-2021-3546)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to a boundary error when processing untrusted input within the virgl_cmd_get_capset() function in vhost-user-gpu/virgl.c. A remote authenticated user of the guest operating system can trigger an out-of-bounds write and escalate privileges.

6) Release of invalid pointer or reference (CVE-ID: CVE-2021-3682)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists in the USB redirector device emulation of QEMU when dropping packets during a bulk transfer from a SPICE client. A remote user can make QEMU call free() with faked heap chunk metadata to perform a denial of service or escalate privileges on the system.

7) Out-of-bounds write (CVE-ID: CVE-2021-3713)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the UAS (USB Attached SCSI) device emulation of QEMU. A local user can perform a denial of service or escalate privileges on the system.

8) Use-after-free (CVE-ID: CVE-2021-3748)

The vulnerability allows a remote guest to compromise vulnerable system.

The vulnerability exists due to a use-after-free error when in the virtio-net device of QEMU. A malicious guest can trigger the use-after-free error and execute arbitrary code on the host system with QEMU privileges.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

9) Off-by-one (CVE-ID: CVE-2021-3930)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to an off-by-one error in the SCSI device emulation in QEMU. A remote user on the guest OS can can trigger an off-by-one error while processing MODE SELECT commands in mode_sense_page() if the 'page' argument is set to MODE_PAGE_ALLS (0x3f). Successful exploitation of the vulnerability may result in QEMU crash.

10) NULL pointer dereference (CVE-ID: CVE-2021-4158)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in the ACPI code of QEMU when handling certain values. A privileged user can crash the QEMU process on the host, resulting in a denial of service condition.

11) Incorrect default permissions (CVE-ID: CVE-2022-0358)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect QEMU virtio-fs shared file system daemon (virtiofsd) implementation. An attacker on the guest OS can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This can lead to privilege escalation within the guest OS.

The vulnerability exists due to incomplete fox for #VU13631 (CVE-2018-13405).

Remediation

Install update from vendor's website.

References

https://ubuntu.com/security/notices/USN-5307-1

Vulnerable Software

Ubuntu: 18.04 - 21.10
qemu-system-x86-xen (Ubuntu package): before 1:4.2-3ubuntu6.21
qemu-system-mips (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.39
qemu-system-ppc (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.39
qemu-system-arm (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.39
qemu-system-sparc (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.39
qemu-system-x86 (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.39
qemu-system (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.39
qemu-system-s390x (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.39
qemu-system-misc (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.39
qemu-system-x86-microvm (Ubuntu package): before 1:4.2-3ubuntu6.21

SB2022022813 - Ubuntu update for qemu

Breakdown by Severity

Description

Remediation

References

Please verify you're human