Main Vulnerability Database SB2022121225

SB2022121225 - Ubuntu update for qemu

Published: December 12, 2022

Security Bulletin ID SB2022121225

Severity

High

Patch available

YES

Number of vulnerabilities 6

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 6 secuirty vulnerabilities.

1) Release of invalid pointer or reference (CVE-ID: CVE-2021-3682)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists in the USB redirector device emulation of QEMU when dropping packets during a bulk transfer from a SPICE client. A remote user can make QEMU call free() with faked heap chunk metadata to perform a denial of service or escalate privileges on the system.

2) Use-after-free (CVE-ID: CVE-2021-3750)

The vulnerability allows a remote user to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the USB EHCI controller emulation of QEMU. A remote guest can trigger a use-after-free error and execute arbitrary code on the host OS.

3) Off-by-one (CVE-ID: CVE-2021-3930)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to an off-by-one error in the SCSI device emulation in QEMU. A remote user on the guest OS can can trigger an off-by-one error while processing MODE SELECT commands in mode_sense_page() if the 'page' argument is set to MODE_PAGE_ALLS (0x3f). Successful exploitation of the vulnerability may result in QEMU crash.

4) Use-after-free (CVE-ID: CVE-2022-0216)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU when processing repeated messages to cancel the current SCSI request via the lsi_do_msgout() function. A remote user on the guest OS can trigger a use-after-free error and perform a denial of service attack against the QEMU host.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

5) Out-of-bounds write (CVE-ID: CVE-2022-2962)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a boundary error in the Tulip device emulation in QEMU. A local user can trigger an out-of-bounds write and execute arbitrary code with elevated privileges on the host OS.

6) Integer underflow (CVE-ID: CVE-2022-3165)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to integer underflow in the QEMU VNC server while processing ClientCutText messages in the extended format. A remote client can send a specially crafted payload message to the VNC server and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

https://ubuntu.com/security/notices/USN-5772-1

Vulnerable Software

Ubuntu: 14.04 - 22.10
qemu-system-aarch64 (Ubuntu package): before Ubuntu Pro (Infra-only)
qemu (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.41
qemu-system-x86-microvm (Ubuntu package): before 1:4.2-3ubuntu6.24
qemu-system-x86-xen (Ubuntu package): before 1:4.2-3ubuntu6.24
qemu-system-mips (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.41
qemu-system-ppc (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.41
qemu-system-arm (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.41
qemu-system-x86 (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.41
qemu-system-sparc (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.41
qemu-system (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.41
qemu-system-s390x (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.41
qemu-system-misc (Ubuntu package): before 1:2.11+dfsg-1ubuntu7.41

SB2022121225 - Ubuntu update for qemu

Breakdown by Severity

Description

Remediation

References

Please verify you're human