#VU58812 Off-by-one in QEMU - CVE-2021-3930


Vulnerability identifier: #VU58812

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2021-3930

CWE-ID: CWE-193

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
QEMU
Client/Desktop applications / Virtualization software

Vendor: QEMU

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to an off-by-one error in the SCSI device emulation in QEMU. A remote user on the guest OS can can trigger an off-by-one error while processing MODE SELECT commands in mode_sense_page() if the 'page' argument is set to MODE_PAGE_ALLS (0x3f). Successful exploitation of the vulnerability may result in QEMU crash.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

QEMU: 6.0.0 - 6.1.0

External links
https://bugzilla.redhat.com/show_bug.cgi?id=2020588
https://gitlab.com/qemu-project/qemu/-/commit/b3af7fdf9cc537f8f0dd3e2423d83f5c99a457e8
https://www.mail-archive.com/qemu-devel@nongnu.org/msg779652.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the local network (LAN).

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


VMware Tanzu Operations Manager update for QEMU
Ubuntu update for qemu
SUSE update for qemu
SUSE update for qemu
Anolis OS update for virt:an module
Ubuntu update for qemu
Red Hat Enterprise Linux Advanced Virtualization 8 update for the virt:av and virt-devel:av modules
Red Hat Enterprise Linux 8 update for the virt:rhel and virt-devel:rhel modules
Red Hat Enterprise Linux Advanced Virtualization 8.4 update for the virt:av and virt-devel:av modules
Denial of service in QEMU