openEuler 22.03 LTS SP2 update for qemu

1) Out-of-bounds write

EUVDB-ID: #VU77499

Risk: Low

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-0330

CWE-ID: CWE-787 - Out-of-bounds write

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error within hw/scsi/lsi53c895a.c in QEMU caused by a DMA-MMIO reentrancy problem. A local privileged user can trigger an out-of-bounds write and execute arbitrary code on the target system.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 22.03 LTS SP2

qemu-seabios: before 6.2.0-91

qemu-help: before 6.2.0-91

qemu-block-curl: before 6.2.0-91

qemu-hw-usb-host: before 6.2.0-91

qemu-system-arm: before 6.2.0-91

qemu-guest-agent: before 6.2.0-91

qemu-system-riscv: before 6.2.0-91

qemu-img: before 6.2.0-91

qemu-debuginfo: before 6.2.0-91

qemu-debugsource: before 6.2.0-91

qemu-block-iscsi: before 6.2.0-91

qemu-block-rbd: before 6.2.0-91

qemu-system-x86_64: before 6.2.0-91

qemu-block-ssh: before 6.2.0-91

qemu-system-aarch64: before 6.2.0-91

qemu: before 6.2.0-91

CPE2.3

• cpe:2.3:o:openeuler:openeuler:22.03:LTS SP2:*:*:*:*:*:*
• cpe:2.3:o:openeuler:qemu-seabios:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-help:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-curl:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-hw-usb-host:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-arm:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-guest-agent:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-riscv:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-img:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-debuginfo:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-debugsource:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-iscsi:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-rbd:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-x86_64:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-ssh:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-aarch64:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu:*:*:*:*:*:openeuler:*:*

External links

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1511

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Double free

EUVDB-ID: #VU89047

Risk: Low

CVSSv4.0: 5.9 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-3446

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a malicious guest to escalate privileges on the system.

The vulnerability exists due to a boundary error in QEMU virtio devices (virtio-gpu, virtio-serial-bus, virtio-crypto), where the mem_reentrancy_guard flag insufficiently protects against DMA reentrancy issues. A malicious guest can trigger a double free error and execute arbitrary code within the context of the QEMU process on the host.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 22.03 LTS SP2

qemu-seabios: before 6.2.0-91

qemu-help: before 6.2.0-91

qemu-block-curl: before 6.2.0-91

qemu-hw-usb-host: before 6.2.0-91

qemu-system-arm: before 6.2.0-91

qemu-guest-agent: before 6.2.0-91

qemu-system-riscv: before 6.2.0-91

qemu-img: before 6.2.0-91

qemu-debuginfo: before 6.2.0-91

qemu-debugsource: before 6.2.0-91

qemu-block-iscsi: before 6.2.0-91

qemu-block-rbd: before 6.2.0-91

qemu-system-x86_64: before 6.2.0-91

qemu-block-ssh: before 6.2.0-91

qemu-system-aarch64: before 6.2.0-91

qemu: before 6.2.0-91

CPE2.3

• cpe:2.3:o:openeuler:openeuler:22.03:LTS SP2:*:*:*:*:*:*
• cpe:2.3:o:openeuler:qemu-seabios:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-help:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-curl:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-hw-usb-host:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-arm:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-guest-agent:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-riscv:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-img:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-debuginfo:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-debugsource:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-iscsi:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-rbd:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-x86_64:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-ssh:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-aarch64:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu:*:*:*:*:*:openeuler:*:*

External links

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1511

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Heap-based buffer overflow

EUVDB-ID: #VU89048

Risk: Low

CVSSv4.0: 4.4 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-3447

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a malicious guest to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error in the SDHCI device emulation. A malicious guest can set both "s->data_count" and the size of "s->fifo_buffer" to the value of "0x200" to trigger an out-of-bound memory access and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 22.03 LTS SP2

qemu-seabios: before 6.2.0-91

qemu-help: before 6.2.0-91

qemu-block-curl: before 6.2.0-91

qemu-hw-usb-host: before 6.2.0-91

qemu-system-arm: before 6.2.0-91

qemu-guest-agent: before 6.2.0-91

qemu-system-riscv: before 6.2.0-91

qemu-img: before 6.2.0-91

qemu-debuginfo: before 6.2.0-91

qemu-debugsource: before 6.2.0-91

qemu-block-iscsi: before 6.2.0-91

qemu-block-rbd: before 6.2.0-91

qemu-system-x86_64: before 6.2.0-91

qemu-block-ssh: before 6.2.0-91

qemu-system-aarch64: before 6.2.0-91

qemu: before 6.2.0-91

CPE2.3

• cpe:2.3:o:openeuler:openeuler:22.03:LTS SP2:*:*:*:*:*:*
• cpe:2.3:o:openeuler:qemu-seabios:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-help:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-curl:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-hw-usb-host:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-arm:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-guest-agent:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-riscv:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-img:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-debuginfo:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-debugsource:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-iscsi:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-rbd:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-x86_64:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-block-ssh:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu-system-aarch64:*:*:*:*:*:openeuler:*:*
• cpe:2.3:o:openeuler:qemu:*:*:*:*:*:openeuler:*:*

External links

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-1511

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.