-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2023.1572
                           qemu security update
                               15 March 2023

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu
Publisher:         Debian
Operating System:  Debian GNU/Linux
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1050 CVE-2022-0216 CVE-2021-3595
                   CVE-2021-3594 CVE-2021-3593 CVE-2021-3592
                   CVE-2021-3409 CVE-2020-29130 CVE-2020-17380
                   CVE-2020-14394  

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2023/03/msg00013.html

Comment: CVSS (Max):  8.8 CVE-2022-1050 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
         CVSS Source: NVD
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian LTS Advisory DLA-3362-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Sylvain Beucler
March 14, 2023                                https://wiki.debian.org/LTS
- - -------------------------------------------------------------------------

Package        : qemu
Version        : 1:3.1+dfsg-8+deb10u10
CVE ID         : CVE-2020-14394 CVE-2020-17380 CVE-2020-29130 CVE-2021-3409
                 CVE-2021-3592 CVE-2021-3593 CVE-2021-3594 CVE-2021-3595
                 CVE-2022-0216 CVE-2022-1050
Debian Bug     : 970937 979677 986795 989993 989994 989995 989996 1014589 1014590

Multiple security issues were discovered in QEMU, a fast processor
emulator, which could result in denial of service, information leak,
or potentially the execution of arbitrary code.

CVE-2020-14394

    An infinite loop flaw was found in the USB xHCI controller
    emulation of QEMU while computing the length of the Transfer
    Request Block (TRB) Ring. This flaw allows a privileged guest user
    to hang the QEMU process on the host, resulting in a denial of
    service.
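
The class of bug behind CVE-2020-14394 is a walk over a guest-controlled
data structure with no iteration bound: a Link TRB may point at another
Link TRB (or at itself), so a length computation that simply follows links
never returns, and the emulator thread hangs. The C program below is an
added example written for this bulletin, not code from QEMU or Debian. It
models a transfer ring in simulated guest memory (an array of TRBs, with a
Link TRB carrying an array index in place of a guest-physical address),
caps the number of Link TRBs one walk may follow at an assumed limit of 4,
and returns an error instead of spinning when a hostile ring is found. The
TRB layout, the Link TRB type value, and the cycle and toggle-cycle bit
positions follow the xHCI specification; the walk rules and the limit are
simplifications chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of an xHCI transfer ring in guest memory. Field
 * layout and bit positions follow the xHCI spec; the rest is a
 * simplification for this example, not QEMU's hcd-xhci code. */
struct trb {
    uint64_t parameter;   /* for a Link TRB: index of the next segment */
    uint32_t status;
    uint32_t control;
};

#define TRB_TYPE(c)     (((c) >> 10) & 0x3f)
#define TRB_TYPE_NORMAL 1u
#define TRB_TYPE_LINK   6u
#define TRB_CYCLE       (1u << 0)
#define TRB_TC          (1u << 1)   /* toggle cycle state, Link TRBs only */
#define LINK_LIMIT      4           /* assumed cap on Link TRBs per walk */

/* Count the TRBs the guest has queued, starting at idx with consumer cycle
 * state ccs and stopping at the first TRB whose cycle bit does not match.
 * Link TRBs redirect the walk; a guest can point them at each other, so the
 * number followed is capped. Returns the count, or -1 when the cap is
 * exceeded or a link points outside guest memory. */
int ring_chain_length(const struct trb *mem, size_t n, size_t idx, int ccs)
{
    int length = 0;
    int links = 0;

    for (;;) {
        const struct trb *t;

        if (idx >= n)
            return -1;                      /* link target outside guest RAM */
        t = &mem[idx];
        if ((int)(t->control & TRB_CYCLE) != ccs)
            return length;                  /* end of what the guest queued */
        if (TRB_TYPE(t->control) == TRB_TYPE_LINK) {
            if (++links > LINK_LIMIT)
                return -1;                  /* uncapped, this would spin forever */
            if (t->control & TRB_TC)
                ccs = !ccs;
            idx = (size_t)t->parameter;
            continue;
        }
        length++;
        idx++;
    }
}

static struct trb normal_trb(int cycle)
{
    struct trb t = { 0, 0, (TRB_TYPE_NORMAL << 10) | (cycle ? TRB_CYCLE : 0) };
    return t;
}

static struct trb link_trb(size_t target, int cycle, int toggle)
{
    struct trb t = { target, 0, (TRB_TYPE_LINK << 10)
                                | (cycle ? TRB_CYCLE : 0)
                                | (toggle ? TRB_TC : 0) };
    return t;
}

/* Constructed ring: three Normal TRBs, then a Link TRB back to the start
 * that toggles the cycle state. Expected length 3. */
int demo_well_formed_ring(void)
{
    struct trb mem[8] = { { 0, 0, 0 } };

    mem[0] = normal_trb(1);
    mem[1] = normal_trb(1);
    mem[2] = normal_trb(1);
    mem[3] = link_trb(0, 1, 1);
    return ring_chain_length(mem, 8, 0, 1);
}

/* Constructed ring from a hostile guest: two Link TRBs pointing at each
 * other with matching cycle bits. An uncapped walk never terminates; the
 * capped walk returns -1. */
int demo_link_loop(void)
{
    struct trb mem[8] = { { 0, 0, 0 } };

    mem[0] = link_trb(1, 1, 0);
    mem[1] = link_trb(0, 1, 0);
    return ring_chain_length(mem, 8, 0, 1);
}

/* Constructed ring whose Link TRB points past the end of guest memory. */
int demo_link_out_of_range(void)
{
    struct trb mem[8] = { { 0, 0, 0 } };

    mem[0] = link_trb(1000, 1, 0);
    return ring_chain_length(mem, 8, 0, 1);
}

int main(void)
{
    printf("well-formed ring: length %d\n", demo_well_formed_ring());
    printf("link loop:        %d (rejected instead of hanging)\n", demo_link_loop());
    printf("link out of range: %d (rejected)\n", demo_link_out_of_range());
    return 0;
}
```

The point of the cap is that every structure the device model reads from
guest memory is attacker-controlled: termination must come from a bound
the host enforces, never from the guest-supplied data being well formed.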

CVE-2020-17380/CVE-2021-3409

    A heap-based buffer overflow was found in QEMU in the SDHCI device
    emulation support. It could occur while doing a multi block SDMA
    transfer via the sdhci_sdma_transfer_multi_blocks() routine in
    hw/sd/sdhci.c. A guest user or process could use this flaw to
    crash the QEMU process on the host, resulting in a denial of
    service condition, or potentially execute arbitrary code with
    privileges of the QEMU process on the host.

CVE-2020-29130

    slirp.c has a buffer over-read because it tries to read a certain
    amount of header data even if that exceeds the total packet
    length.

CVE-2021-3592

    An invalid pointer initialization issue was found in the SLiRP
    networking implementation of QEMU. The flaw exists in the
    bootp_input() function and could occur while processing a udp
    packet that is smaller than the size of the 'bootp_t' structure. A
    malicious guest could use this flaw to leak 10 bytes of
    uninitialized heap memory from the host.

CVE-2021-3593

    An invalid pointer initialization issue was found in the SLiRP
    networking implementation of QEMU. The flaw exists in the
    udp6_input() function and could occur while processing a udp
    packet that is smaller than the size of the 'udphdr'
    structure. This issue may lead to out-of-bounds read access or
    indirect host memory disclosure to the guest.

CVE-2021-3594

    An invalid pointer initialization issue was found
    in the SLiRP networking implementation of QEMU. The flaw exists in
    the udp_input() function and could occur while processing a udp
    packet that is smaller than the size of the 'udphdr'
    structure. This issue may lead to out-of-bounds read access or
    indirect host memory disclosure to the guest.

CVE-2021-3595

    An invalid pointer initialization issue was found in the SLiRP
    networking implementation of QEMU. The flaw exists in the
    tftp_input() function and could occur while processing a udp
    packet that is smaller than the size of the 'tftp_t'
    structure. This issue may lead to out-of-bounds read access or
    indirect host memory disclosure to the guest.
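
CVE-2020-29130 and CVE-2021-3592 to CVE-2021-3595 share one root cause: a
packet parser casts the start of the buffer to a protocol header and reads
fields without first confirming that the packet is at least as long as that
header, so the "fields" come from whatever the reused buffer held before.
The C program below is an added example written for this bulletin, not
libslirp or QEMU code; the mbuf and udphdr structures are simplified
stand-ins and the packet bytes are constructed for the demonstration. It
shows the unchecked read returning a UDP length taken from stale buffer
bytes beside a checked reader that rejects both a truncated header and a
length field exceeding the data received. The same check, with the larger
structure sizes substituted, is what the bootp_t and tftp_t cases need.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for a slirp-style packet buffer and the BSD UDP
 * header; illustrative only, not libslirp's own definitions. */
struct mbuf {
    uint8_t *m_data;   /* first byte of the packet inside a reused buffer */
    size_t   m_len;    /* bytes of packet data actually received */
};

struct udphdr {
    uint16_t uh_sport;
    uint16_t uh_dport;
    uint16_t uh_ulen;  /* header + payload length, network byte order */
    uint16_t uh_sum;
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Unchecked pattern: treat m_data as a complete header and read the length
 * field even when m_len is smaller than the header. Bytes past m_len are
 * whatever the backing buffer held before this packet arrived. */
static uint16_t udp_len_unchecked(const struct mbuf *m)
{
    return be16(m->m_data + offsetof(struct udphdr, uh_ulen));
}

/* Hardened pattern: reject a packet too short to hold the header, then
 * reject a header whose length field claims more data than was received.
 * Returns 0 and sets *ulen on success, -1 on rejection. */
static int udp_len_checked(const struct mbuf *m, uint16_t *ulen)
{
    uint16_t len;

    if (m->m_len < sizeof(struct udphdr))
        return -1;                          /* truncated header */
    len = be16(m->m_data + offsetof(struct udphdr, uh_ulen));
    if (len < sizeof(struct udphdr) || len > m->m_len)
        return -1;                          /* length field disagrees with data */
    *ulen = len;
    return 0;
}

#define BACKING_LEN 64

/* Place a constructed packet at the start of a backing buffer pre-filled
 * with 0xAA, standing in for stale bytes left from earlier use. */
static void load_packet(uint8_t *backing, struct mbuf *m,
                        const uint8_t *pkt, size_t len)
{
    memset(backing, 0xAA, BACKING_LEN);
    memcpy(backing, pkt, len);
    m->m_data = backing;
    m->m_len = len;
}

/* Constructed inputs: a 4-byte datagram (ports only, no length field) and
 * a well-formed 12-byte one whose uh_ulen of 12 matches the data present. */
static const uint8_t short_pkt[4]  = { 0x00, 0x43, 0x00, 0x44 };
static const uint8_t valid_pkt[12] = { 0x00, 0x43, 0x00, 0x44, 0x00, 0x0c,
                                       0x00, 0x00, 'd', 'a', 't', 'a' };

/* Length the unchecked reader reports for the short packet: 0xAAAA, read
 * from stale buffer bytes rather than from the packet. */
uint16_t demo_unchecked_short(void)
{
    uint8_t backing[BACKING_LEN];
    struct mbuf m;
    load_packet(backing, &m, short_pkt, sizeof short_pkt);
    return udp_len_unchecked(&m);
}

/* -1: the checked reader refuses the short packet. */
int demo_checked_short(void)
{
    uint8_t backing[BACKING_LEN];
    struct mbuf m;
    uint16_t ulen;
    load_packet(backing, &m, short_pkt, sizeof short_pkt);
    return udp_len_checked(&m, &ulen);
}

/* Accepted length (12) for the well-formed packet, or -1 if rejected. */
int demo_checked_valid(void)
{
    uint8_t backing[BACKING_LEN];
    struct mbuf m;
    uint16_t ulen = 0;
    load_packet(backing, &m, valid_pkt, sizeof valid_pkt);
    return udp_len_checked(&m, &ulen) == 0 ? ulen : -1;
}

int main(void)
{
    printf("unchecked, short packet: uh_ulen=0x%04x (stale bytes)\n",
           demo_unchecked_short());
    printf("checked,   short packet: %d (rejected)\n", demo_checked_short());
    printf("checked,   valid packet: %d (accepted length)\n", demo_checked_valid());
    return 0;
}
```

Note that a sanitizer would not flag the unchecked read here, because the
stale bytes sit inside the same allocation as the packet; that is exactly
the "indirect host memory disclosure" the advisory describes, and it is
why the length check has to live in the parser rather than be left to
allocator boundaries.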

CVE-2022-0216

    A use-after-free vulnerability was found in the LSI53C895A SCSI
    Host Bus Adapter emulation of QEMU. The flaw occurs while
    processing repeated messages to cancel the current SCSI request
    via the lsi_do_msgout function. This flaw allows a malicious
    privileged user within the guest to crash the QEMU process on the
    host, resulting in a denial of service.

CVE-2022-1050

    A flaw was found in the QEMU implementation of VMware's
    paravirtual RDMA device. This flaw allows a crafted guest driver
    to execute HW commands when shared buffers are not yet allocated,
    potentially leading to a use-after-free condition.
    Note: PVRDMA is disabled in buster, but this was fixed
    preventively in case this changes in the future.

For Debian 10 buster, these problems have been fixed in version
1:3.1+dfsg-8+deb10u10.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE1vEOfV7HXWKqBieIDTl9HeUlXjAFAmQQ1uEACgkQDTl9HeUl
XjAnFA/8Dm8SpCHCfbfDfbxIEyn1ZmIp/SBPSNguk7UgulimH9QwjnmkcweRzZFh
tv1ujlYic/qox38Qp3zq015Jxu3QpRVj8QFyGQ7fBXpNlzhkYW0N9uEcEM0TDeD7
zb7bMT2JDJ0uR8n2U+APaIvdfvv7Ro38lSSpn+wEU2g5TTF/JK0ygGYGfjUplT9R
T5MFyx58BaU3/DfT3gQPq15vsp9wejygkSwDhAmI8oWnrVDGJTNPEPhYAWK/EHs8
v4iJ4BB/f9rBHjDRWp+T100a6KQmyOpUAiD5qGyVzKaqmgEIACDd/njaGoAedgn0
T85MJQ7OpYuPAPl5cQ4xs+4rrEhAtiTbOnXwvhXQ8fhj8tjwOMlIrO/Pkyvv+d7+
Rn4okXxVnA/BD45KmkES0HvfmwBBM45X3Cuvy1MzfwDTjGY50r+3h8kdDbXVoNX8
H8sXlZOYE9ZzaL/1vxCNF8HaSM4QuBi9xQmNUpVAWuI/lv9IpneVqaDDv0OW+FGu
n1vpuRcK5OTqIaBm7VCqteROoMTsv044YiW4ebftniqyPUrfK19cImoknP/pM95h
159HX36SZgLVXdAC7JJxOtXPlOvuGtAvUBkakX874mWm7kXPx8MV4biv0R03yT8z
NoKtMOOGjamTs8D0+UZiQrl5yb6WGkVYYfKUr5zzvZR/xSrqOgI=
=n4Sq
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----