EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-1418) - Nessus

High   Plugin ID: 159876

---

This page contains detailed information about the EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-1418) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Plugin Overview

---

ID: 159876
Name: EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-1418)
Filename: EulerOS_SA-2022-1418.nasl
Vulnerability Published: 2020-07-21
This Plugin Published: 2022-04-18
Last Modification Time: 2022-04-18
Plugin Version: 1.2
Plugin Type: local
Plugin Family: Huawei Local Security Checks
Dependencies: ssh_get_info.nasl
Required KB Items [?]: Host/cpu, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/uvp_version, Host/local_checks_enabled

Vulnerability Information

---

Severity: High
Vulnerability Published: 2020-07-21
Patch Published: 2022-04-13
CVE [?]: CVE-2019-12067, CVE-2020-15859, CVE-2020-25084, CVE-2020-25742, CVE-2020-25743, CVE-2020-35504, CVE-2020-35505, CVE-2021-3544, CVE-2021-3545, CVE-2021-3546, CVE-2021-3682, CVE-2021-3748, CVE-2021-20196, CVE-2021-20203, CVE-2021-20221, CVE-2021-20255
CPE [?]: cpe:/o:huawei:euleros:uvp:2.10.0, p-cpe:/a:huawei:euleros:qemu, p-cpe:/a:huawei:euleros:qemu-img

Synopsis

The remote EulerOS Virtualization host is missing multiple security updates.

Description

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

- The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL dereference) when the command header 'ad->cur_cmd' is null. (CVE-2019-12067)

- QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)

- QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not checked. (CVE-2020-25084)

- pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because pci_get_bus() might not return a valid pointer. (CVE-2020-25742)

- hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check before an ide_cancel_dma_sync call. (CVE-2020-25743)

- A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)

- A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2020-35505)

- A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while processing read/write ioport commands if the selected floppy drive is not initialized with a block device. This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)

- An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20203)

- An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said issue while updating controller state fields and their subsequent processing. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)

- A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)

- Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user- gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)

- An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost- user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit this issue to leak memory from the host. (CVE-2021-3545)

- An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command from the guest. It could allow a privileged guest user to crash the QEMU process on the host, resulting in a denial of service condition, or potential code execution with the privileges of the QEMU process. (CVE-2021-3546)

- A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host. (CVE-2021-3682)

- A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the descriptor's address belongs to the non direct access region, due to num_buffers being set after the virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a denial of service condition, or potentially execute code on the host with the privileges of the QEMU process. (CVE-2021-3748)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected qemu packages.

Public Exploits

---

Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (GitHub)
Exploit Ease: Exploits (PoCs) are available

Here's the list of publicly known exploits and PoCs for verifying the EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-1418) vulnerability:

1. GitHub: https://github.com/AlAIAL90/CVE-2021-3544
   [CVE-2021-3544: PoC for exploiting CVE-2021-3544 : Several memory leaks were found in the virtio ...]
2. GitHub: https://github.com/AlAIAL90/CVE-2021-3545
   [CVE-2021-3545: PoC for exploiting CVE-2021-3545 : An information disclosure vulnerability was found ...]
3. GitHub: https://github.com/AlAIAL90/CVE-2021-3546
   [CVE-2021-3546: PoC for exploiting CVE-2021-3546 : A flaw was found in vhost-user-gpu of QEMU in ...]
4. GitHub: https://github.com/AlAIAL90/CVE-2021-3682
   [CVE-2021-3682: PoC for exploiting CVE-2021-3682 : A flaw was found in the USB redirector device ...]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

---

CVSS Score Source [?]: CVE-2021-3748
CVSS V2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C

CVSS Base Score:	7.2 (High)
Impact Subscore:	10.0
Exploitability Subscore:	3.9
CVSS Temporal Score:	5.3 (Medium)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	5.3 (Medium)

CVSS V3 Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C

CVSS Base Score:	8.8 (High)
Impact Subscore:	6.0
Exploitability Subscore:	2.0
CVSS Temporal Score:	7.7 (High)
CVSS Environmental Score:	NA (None)
Modified Impact Subscore:	NA
Overall CVSS Score:	7.7 (High)

STIG Severity [?]: II
STIG Risk Rating: Medium

Go back to menu.

Plugin Source

---

This is the EulerOS_SA-2022-1418.nasl nessus plugin source code. This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(159876);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/18");

  script_cve_id(
    "CVE-2019-12067",
    "CVE-2020-15859",
    "CVE-2020-25084",
    "CVE-2020-25742",
    "CVE-2020-25743",
    "CVE-2020-35504",
    "CVE-2020-35505",
    "CVE-2021-3544",
    "CVE-2021-3545",
    "CVE-2021-3546",
    "CVE-2021-3682",
    "CVE-2021-3748",
    "CVE-2021-20196",
    "CVE-2021-20203",
    "CVE-2021-20221",
    "CVE-2021-20255"
  );
  script_xref(name:"IAVB", value:"2020-B-0041-S");
  script_xref(name:"IAVB", value:"2020-B-0063-S");
  script_xref(name:"IAVB", value:"2020-B-0075");

  script_name(english:"EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-1418)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is
affected by the following vulnerabilities :

  - The ahci_commit_buf function in ide/ahci.c in QEMU allows attackers to cause a denial of service (NULL
    dereference) when the command header 'ad->cur_cmd' is null. (CVE-2019-12067)

  - QEMU 4.2.0 has a use-after-free in hw/net/e1000e_core.c because a guest OS user can trigger an e1000e
    packet with the data's address set to the e1000e's MMIO address. (CVE-2020-15859)

  - QEMU 5.0.0 has a use-after-free in hw/usb/hcd-xhci.c because the usb_packet_map return value is not
    checked. (CVE-2020-25084)

  - pci_change_irq_level in hw/pci/pci.c in QEMU before 5.1.1 has a NULL pointer dereference because
    pci_get_bus() might not return a valid pointer. (CVE-2020-25742)

  - hw/ide/pci.c in QEMU before 5.1.1 can trigger a NULL pointer dereference because it lacks a pointer check
    before an ide_cancel_dma_sync call. (CVE-2020-25743)

  - A NULL pointer dereference flaw was found in the SCSI emulation support of QEMU in versions before 6.0.0.
    This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of
    service. The highest threat from this vulnerability is to system availability. (CVE-2020-35504)

  - A NULL pointer dereference flaw was found in the am53c974 SCSI host bus adapter emulation of QEMU in
    versions before 6.0.0. This issue occurs while handling the 'Information Transfer' command. This flaw
    allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of service.
    The highest threat from this vulnerability is to system availability. (CVE-2020-35505)

  - A NULL pointer dereference flaw was found in the floppy disk emulator of QEMU. This issue occurs while
    processing read/write ioport commands if the selected floppy drive is not initialized with a block device.
    This flaw allows a privileged guest user to crash the QEMU process on the host, resulting in a denial of
    service. The highest threat from this vulnerability is to system availability. (CVE-2021-20196)

  - An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU for versions up to v5.2.0. It
    may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A
    privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario.
    (CVE-2021-20203)

  - An out-of-bounds heap buffer access issue was found in the ARM Generic Interrupt Controller emulator of
    QEMU up to and including qemu 4.2.0on aarch64 platform. The issue occurs because while writing an
    interrupt ID to the controller memory area, it is not masked to be 4 bits wide. It may lead to the said
    issue while updating controller state fields and their subsequent processing. A privileged guest user may
    use this flaw to crash the QEMU process on the host resulting in DoS scenario. (CVE-2021-20221)

  - A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator
    of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw
    allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a
    denial of service. The highest threat from this vulnerability is to system availability. (CVE-2021-20255)

  - Several memory leaks were found in the virtio vhost-user GPU device (vhost-user-gpu) of QEMU in versions
    up to and including 6.0. They exist in contrib/vhost-user-gpu/vhost-user-gpu.c and contrib/vhost-user-
    gpu/virgl.c due to improper release of memory (i.e., free) after effective lifetime. (CVE-2021-3544)

  - An information disclosure vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of
    QEMU in versions up to and including 6.0. The flaw exists in virgl_cmd_get_capset_info() in contrib/vhost-
    user-gpu/virgl.c and could occur due to the read of uninitialized memory. A malicious guest could exploit
    this issue to leak memory from the host. (CVE-2021-3545)

  - An out-of-bounds write vulnerability was found in the virtio vhost-user GPU device (vhost-user-gpu) of
    QEMU in versions up to and including 6.0. The flaw occurs while processing the 'VIRTIO_GPU_CMD_GET_CAPSET'
    command from the guest. It could allow a privileged guest user to crash the QEMU process on the host,
    resulting in a denial of service condition, or potential code execution with the privileges of the QEMU
    process. (CVE-2021-3546)

  - A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs
    when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A
    malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata,
    resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the
    host. (CVE-2021-3682)

  - A use-after-free vulnerability was found in the virtio-net device of QEMU. It could occur when the
    descriptor's address belongs to the non direct access region, due to num_buffers being set after the
    virtqueue elem has been unmapped. A malicious guest could use this flaw to crash QEMU, resulting in a
    denial of service condition, or potentially execute code on the host with the privileges of the QEMU
    process. (CVE-2021-3748)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security
advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional
issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2022-1418
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0edfba8e");
  script_set_attribute(attribute:"solution", value:
"Update the affected qemu packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3748");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/04/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/04/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-img");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.10.0");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.10.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.10.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

var flag = 0;

var pkgs = [
  "qemu-4.1.0-2.10.0.3.427",
  "qemu-img-4.1.0-2.10.0.3.427"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
}

The latest version of this script can be found in these locations depending on your platform:

• Linux / Unix:
  /opt/nessus/lib/nessus/plugins/EulerOS_SA-2022-1418.nasl
• Windows:
  C:\ProgramData\Tenable\Nessus\nessus\plugins\EulerOS_SA-2022-1418.nasl
• Mac OS X:
  /Library/Nessus/run/lib/nessus/plugins/EulerOS_SA-2022-1418.nasl

Go back to menu.

How to Run

---

Here is how to run the EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-1418) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

1. Click to start a New Scan.
2. Select Advanced Scan.
3. Navigate to the Plugins tab.
4. On the top right corner click to Disable All plugins.
5. On the left side table select Huawei Local Security Checks plugin family.
6. On the right side table select EulerOS Virtualization 2.10.0 : qemu (EulerOS-SA-2022-1418) plugin ID 159876.
7. Specify the target on the Settings tab and click to Save the scan.
8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl EulerOS_SA-2022-1418.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a EulerOS_SA-2022-1418.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - EulerOS_SA-2022-1418.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state EulerOS_SA-2022-1418.nasl -t <IP/HOST>

Go back to menu.

References

---

IAVB | Information Assurance Vulnerability Bulletin:

• 2020-B-0041-S, 2020-B-0063-S, 2020-B-0075

See also:

• https://www.tenable.com/plugins/nessus/159876
• http://www.nessus.org/u?0edfba8e
• https://vulners.com/nessus/EULEROS_SA-2022-1418.NASL

Similar and related Nessus plugins:

• 153804 - RHEL 8 : virt:8.2 and virt-devel:8.2 (RHSA-2021:3704)
• 153865 - Debian DSA-4980-1 : qemu - security update
• 153951 - SUSE SLES12 Security Update : xen (SUSE-SU-2021:3322-1)
• 154708 - SUSE SLES12 Security Update : qemu (SUSE-SU-2021:3575-1)
• 154922 - SUSE SLES15 Security Update : qemu (SUSE-SU-2021:3613-1)
• 154927 - SUSE SLES15 Security Update : qemu (SUSE-SU-2021:3614-1)
• 155004 - SUSE SLES12 Security Update : qemu (SUSE-SU-2021:3635-1)
• 155521 - EulerOS Virtualization 2.9.1 : qemu (EulerOS-SA-2021-2730)
• 155526 - EulerOS Virtualization 2.9.0 : qemu (EulerOS-SA-2021-2763)
• 155742 - Oracle Linux 8 : kvm_utils (ELSA-2021-9568)
• 155812 - SUSE SLES11 Security Update : xen (SUSE-SU-2021:14848-1)
• 156382 - EulerOS Virtualization 3.0.2.0 : qemu (EulerOS-SA-2021-2844)
• 157171 - EulerOS 2.0 SP9 : qemu (EulerOS-SA-2022-1014)
• 157200 - EulerOS 2.0 SP9 : qemu (EulerOS-SA-2022-1034)
• 158359 - Oracle Linux 8 : kvm_utils (ELSA-2022-9172)
• 158457 - Ubuntu 18.04 LTS / 20.04 LTS / 21.10 : QEMU vulnerabilities (USN-5307-1)
• 159867 - EulerOS Virtualization 2.10.1 : qemu (EulerOS-SA-2022-1392)

Version

---

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file EulerOS_SA-2022-1418.nasl version 1.2. For more plugins, visit the Nessus Plugin Library.

Go back to menu.