Arch Linux Security Advisory ASA-202012-26
=========================================
Severity: Medium
Date    : 2020-12-16
CVE-ID  : CVE-2020-14364 CVE-2020-25624 CVE-2020-25625 CVE-2020-25723
          CVE-2020-28916
Package : qemu
Type    : multiple issues
Remote  : No
Link    : https://security.archlinux.org/AVG-1300

Summary
======
The package qemu before version 5.2.0-1 is vulnerable to multiple
issues including arbitrary code execution and denial of service.

Resolution
=========
Upgrade to 5.2.0-1.

# pacman -Syu "qemu>=5.2.0-1"

The problems have been fixed upstream in version 5.2.0.

Workaround
=========
None.

Description
==========
- CVE-2020-14364 (arbitrary code execution)

An out-of-bounds read/write access flaw was found in the USB emulator
of the QEMU in versions before 5.2.0. This issue occurs while
processing USB packets from a guest when USBDevice 'setup_len' exceeds
its 'data_buf[4096]' in the do_token_in, do_token_out routines. This
flaw allows a guest user to crash the QEMU process, resulting in a
denial of service, or the potential execution of arbitrary code with
the privileges of the QEMU process on the host.

- CVE-2020-25624 (arbitrary code execution)

A flaw was found in QEMU before version 5.2.0. An out-of-bounds
read/write access issue was found in the USB OHCI controller emulator.
The issue could occur while servicing transfer descriptors (TD), as
OHCI controller derives variables 'start_addr', 'end_addr', and 'len'
from values supplied by the host controller driver. The host controller
driver may supply values such that using these variables leads to an
out-of-bounds access issue leading to a guest user/process using this
flaw to crash the QEMU process on the host resulting in a denial of
service (DoS) scenario. The highest threat from this vulnerability is
to data confidentiality and integrity as well as system availability.

- CVE-2020-25625 (denial of service)

An infinite loop issue was found in the USB OHCI controller emulator of
QEMU before version 5.2.0. It could occur while servicing OHCI
isochronous transfer descriptors (TD) in ohci_service_iso_td routine,
as it retires a TD if it has passed its time frame. While doing so it
does not check if the TD was already processed ones and holds an error
code in TD_CC. It may happen if the TD list has a loop.

A guest user/process may use this flaw to consume cpu cycles on the
host resulting in a DoS scenario.

- CVE-2020-25723 (denial of service)

A reachable assertion issue was found in the USB EHCI emulation code of
QEMU before version 5.2.0. It could occur while processing USB requests
due to missing handling of DMA memory map failure. A malicious
privileged user within the guest may abuse this flaw to send bogus USB
requests and crash the QEMU process on the host, resulting in a denial
of service.

- CVE-2020-28916 (denial of service)

An infinite loop issue was found in the e1000e device emulator in QEMU
before version 5.2.0. The issue could occur while receiving packets via
e1000e_write_packet_to_guest() routine, if the receive(RX) descriptor
has NULL buffer address. A privileged guest user may use this flaw to
induce a DoS scenario on the host.

Impact
=====
A guest might be able to cause a denial of service or execute arbitrary
code on the host.

References
=========
https://bugs.archlinux.org/task/68356
https://www.openwall.com/lists/oss-security/2020/08/24/2
https://www.openwall.com/lists/oss-security/2020/08/24/3
https://gitlab.com/qemu-project/;a=commitdiff;h=b946434f2659a182afc17e155be6791ebfb302eb
https://gitlab.com/qemu-project/;a=commitdiff;h=1328fe0c32d5474604105b8105310e944976b058
https://www.openwall.com/lists/oss-security/2020/09/17/1
https://gitlab.com/qemu-project/;a=commitdiff;h=1be90ebecc95b09a2ee5af3f60c412b45a766c4f
https://gitlab.com/qemu-project/;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6
https://www.openwall.com/lists/oss-security/2020/12/01/2
https://gitlab.com/qemu-project/;a=commitdiff;h=c2cb511634012344e3d0fe49a037a33b12d8a98a
https://security.archlinux.org/CVE-2020-14364
https://security.archlinux.org/CVE-2020-25624
https://security.archlinux.org/CVE-2020-25625
https://security.archlinux.org/CVE-2020-25723
https://security.archlinux.org/CVE-2020-28916

ArchLinux: 202012-26: qemu: multiple issues

December 31, 2020

Summary

- CVE-2020-14364 (arbitrary code execution) An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.
- CVE-2020-25624 (arbitrary code execution)
A flaw was found in QEMU before version 5.2.0. An out-of-bounds read/write access issue was found in the USB OHCI controller emulator. The issue could occur while servicing transfer descriptors (TD), as OHCI controller derives variables 'start_addr', 'end_addr', and 'len' from values supplied by the host controller driver. The host controller driver may supply values such that using these variables leads to an out-of-bounds access issue leading to a guest user/process using this flaw to crash the QEMU process on the host resulting in a denial of service (DoS) scenario. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
- CVE-2020-25625 (denial of service)
An infinite loop issue was found in the USB OHCI controller emulator of QEMU before version 5.2.0. It could occur while servicing OHCI isochronous transfer descriptors (TD) in ohci_service_iso_td routine, as it retires a TD if it has passed its time frame. While doing so it does not check if the TD was already processed ones and holds an error code in TD_CC. It may happen if the TD list has a loop.
A guest user/process may use this flaw to consume cpu cycles on the host resulting in a DoS scenario.
- CVE-2020-25723 (denial of service)
A reachable assertion issue was found in the USB EHCI emulation code of QEMU before version 5.2.0. It could occur while processing USB requests due to missing handling of DMA memory map failure. A malicious privileged user within the guest may abuse this flaw to send bogus USB requests and crash the QEMU process on the host, resulting in a denial of service.
- CVE-2020-28916 (denial of service)
An infinite loop issue was found in the e1000e device emulator in QEMU before version 5.2.0. The issue could occur while receiving packets via e1000e_write_packet_to_guest() routine, if the receive(RX) descriptor has NULL buffer address. A privileged guest user may use this flaw to induce a DoS scenario on the host.

Resolution

Upgrade to 5.2.0-1. # pacman -Syu "qemu>=5.2.0-1"
The problems have been fixed upstream in version 5.2.0.

References

https://bugs.archlinux.org/task/68356 https://www.openwall.com/lists/oss-security/2020/08/24/2 https://www.openwall.com/lists/oss-security/2020/08/24/3 https://gitlab.com/qemu-project/;a=commitdiff;h=b946434f2659a182afc17e155be6791ebfb302eb https://gitlab.com/qemu-project/;a=commitdiff;h=1328fe0c32d5474604105b8105310e944976b058 https://www.openwall.com/lists/oss-security/2020/09/17/1 https://gitlab.com/qemu-project/;a=commitdiff;h=1be90ebecc95b09a2ee5af3f60c412b45a766c4f https://gitlab.com/qemu-project/;a=commit;h=2fdb42d840400d58f2e706ecca82c142b97bcbd6 https://www.openwall.com/lists/oss-security/2020/12/01/2 https://gitlab.com/qemu-project/;a=commitdiff;h=c2cb511634012344e3d0fe49a037a33b12d8a98a https://security.archlinux.org/CVE-2020-14364 https://security.archlinux.org/CVE-2020-25624 https://security.archlinux.org/CVE-2020-25625 https://security.archlinux.org/CVE-2020-25723 https://security.archlinux.org/CVE-2020-28916

Severity
CVE-2020-28916
Package : qemu
Type : multiple issues
Remote : No
Link : https://security.archlinux.org/AVG-1300

Workaround

None.

Related News

24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
11.Locks IsometricPattern Esm H320
2 - 3 min read
Open Source maintainers and developers have been warned about the continued wave of attacks aimed at project maintainers similar to those recently
28.Lock Globe Esm H320
1 - 2 min read
A resurgence of cyberattacks targeting Linux systems in Asian campaigns through the utilization of the Pupy Remote Access Trojan (RAT) has been
27.Tablet Connections Blocks Lock Esm H320
2 - 4 min read
Canonical has recently announced the Beta release of Ubuntu Linux 24.04 LTS , codenamed "Noble Numbat." This release aims to continue Ubuntu's
21.Globe RadiatingCode Esm H320
2 - 3 min read
The open-source movement has come a long way, from its origins in the 1960s and 1970s to becoming an integral part of organizations worldwide.
13.Lock StylizedMotherboard Esm H320
2 - 3 min read
The Rust-based Edera project demonstrates a unique approach to container security that addresses cloud-native computing challenges. Let's examine
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved