Headline
Ubuntu Security Notice USN-5772-1
Ubuntu Security Notice 5772-1 - It was discovered that QEMU incorrectly handled bulk transfers from SPICE clients. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. It was discovered that QEMU did not properly manage memory when it transfers the USB packets. A malicious guest attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS.
=========================================================================
Ubuntu Security Notice USN-5772-1
December 12, 2022
qemu vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.10
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
Summary:
Several security issues were fixed in QEMU.
Software Description:
- qemu: Machine emulator and virtualizer
Details:
It was discovered that QEMU incorrectly handled bulk transfers from SPICE
clients. A remote attacker could use this issue to cause QEMU to crash,
resulting in a denial of service, or possibly execute arbitrary code. This
issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM. (CVE-2021-3682)
It was discovered that QEMU did not properly manage memory when it
transfers the USB packets. A malicious guest attacker could use this issue
to cause QEMU to crash, resulting in a denial of service, or possibly
execute arbitrary code. This issue only affected Ubuntu 18.04 LTS, Ubuntu
20.04 LTS and Ubuntu 22.04 LTS. (CVE-2021-3750)
It was discovered that the QEMU SCSI device emulation incorrectly handled
certain MODE SELECT commands. An attacker inside the guest could possibly
use this issue to cause QEMU to crash, resulting in a denial of service.
This issue only affected Ubuntu 14.04 ESM and Ubuntu 16.04 ESM.
(CVE-2021-3930)
It was discovered that QEMU did not properly manage memory when it
processing repeated messages to cancel the current SCSI request. A
malicious privileged guest attacker could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2022-0216)
It was discovered that QEMU did not properly manage memory when it
using Tulip device emulation. A malicious guest attacker could use this
issue to cause QEMU to crash, resulting in a denial of service. This issue
only affected Ubuntu 22.10. (CVE-2022-2962)
It was discovered that QEMU did not properly manage memory when processing
ClientCutText messages. A attacker could use this issue to cause QEMU to
crash, resulting in a denial of service. This issue only affected Ubuntu
22.04 LTS and Ubuntu 22.10. (CVE-2022-3165)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 22.10:
qemu-system 1:7.0+dfsg-7ubuntu2.1
qemu-system-arm 1:7.0+dfsg-7ubuntu2.1
qemu-system-mips 1:7.0+dfsg-7ubuntu2.1
qemu-system-misc 1:7.0+dfsg-7ubuntu2.1
qemu-system-ppc 1:7.0+dfsg-7ubuntu2.1
qemu-system-s390x 1:7.0+dfsg-7ubuntu2.1
qemu-system-sparc 1:7.0+dfsg-7ubuntu2.1
qemu-system-x86 1:7.0+dfsg-7ubuntu2.1
qemu-system-x86-xen 1:7.0+dfsg-7ubuntu2.1
Ubuntu 22.04 LTS:
qemu 1:6.2+dfsg-2ubuntu6.6
qemu-system 1:6.2+dfsg-2ubuntu6.6
qemu-system-arm 1:6.2+dfsg-2ubuntu6.6
qemu-system-mips 1:6.2+dfsg-2ubuntu6.6
qemu-system-misc 1:6.2+dfsg-2ubuntu6.6
qemu-system-ppc 1:6.2+dfsg-2ubuntu6.6
qemu-system-s390x 1:6.2+dfsg-2ubuntu6.6
qemu-system-sparc 1:6.2+dfsg-2ubuntu6.6
qemu-system-x86 1:6.2+dfsg-2ubuntu6.6
qemu-system-x86-microvm 1:6.2+dfsg-2ubuntu6.6
qemu-system-x86-xen 1:6.2+dfsg-2ubuntu6.6
Ubuntu 20.04 LTS:
qemu 1:4.2-3ubuntu6.24
qemu-system 1:4.2-3ubuntu6.24
qemu-system-arm 1:4.2-3ubuntu6.24
qemu-system-mips 1:4.2-3ubuntu6.24
qemu-system-misc 1:4.2-3ubuntu6.24
qemu-system-ppc 1:4.2-3ubuntu6.24
qemu-system-s390x 1:4.2-3ubuntu6.24
qemu-system-sparc 1:4.2-3ubuntu6.24
qemu-system-x86 1:4.2-3ubuntu6.24
qemu-system-x86-microvm 1:4.2-3ubuntu6.24
qemu-system-x86-xen 1:4.2-3ubuntu6.24
Ubuntu 18.04 LTS:
qemu 1:2.11+dfsg-1ubuntu7.41
qemu-system 1:2.11+dfsg-1ubuntu7.41
qemu-system-arm 1:2.11+dfsg-1ubuntu7.41
qemu-system-mips 1:2.11+dfsg-1ubuntu7.41
qemu-system-misc 1:2.11+dfsg-1ubuntu7.41
qemu-system-ppc 1:2.11+dfsg-1ubuntu7.41
qemu-system-s390x 1:2.11+dfsg-1ubuntu7.41
qemu-system-sparc 1:2.11+dfsg-1ubuntu7.41
qemu-system-x86 1:2.11+dfsg-1ubuntu7.41
Ubuntu 16.04 ESM:
qemu 1:2.5+dfsg-5ubuntu10.51+esm1
qemu-system 1:2.5+dfsg-5ubuntu10.51+esm1
qemu-system-aarch64 1:2.5+dfsg-5ubuntu10.51+esm1
qemu-system-arm 1:2.5+dfsg-5ubuntu10.51+esm1
qemu-system-mips 1:2.5+dfsg-5ubuntu10.51+esm1
qemu-system-misc 1:2.5+dfsg-5ubuntu10.51+esm1
qemu-system-ppc 1:2.5+dfsg-5ubuntu10.51+esm1
qemu-system-s390x 1:2.5+dfsg-5ubuntu10.51+esm1
qemu-system-sparc 1:2.5+dfsg-5ubuntu10.51+esm1
qemu-system-x86 1:2.5+dfsg-5ubuntu10.51+esm1
Ubuntu 14.04 ESM:
qemu 2.0.0+dfsg-2ubuntu1.47+esm2
qemu-system 2.0.0+dfsg-2ubuntu1.47+esm2
qemu-system-aarch64 2.0.0+dfsg-2ubuntu1.47+esm2
qemu-system-arm 2.0.0+dfsg-2ubuntu1.47+esm2
qemu-system-mips 2.0.0+dfsg-2ubuntu1.47+esm2
qemu-system-misc 2.0.0+dfsg-2ubuntu1.47+esm2
qemu-system-ppc 2.0.0+dfsg-2ubuntu1.47+esm2
qemu-system-sparc 2.0.0+dfsg-2ubuntu1.47+esm2
qemu-system-x86 2.0.0+dfsg-2ubuntu1.47+esm2
After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-5772-1
CVE-2021-3682, CVE-2021-3750, CVE-2021-3930, CVE-2022-0216,
CVE-2022-2962, CVE-2022-3165
Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:7.0+dfsg-7ubuntu2.1
https://launchpad.net/ubuntu/+source/qemu/1:6.2+dfsg-2ubuntu6.6
https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.24
https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.41
Related news
Gentoo Linux Security Advisory 202408-18 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could lead to a denial of service. Versions greater than or equal to 8.0.0 are affected.
An update for the virt:rhel and virt-devel:rhel modules is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-46790: A vulnerability was found in NTFS-3G, specifically in the ntfsck utility. Incorrect validation of NTFS metadata can result in a heap-based buffer overflow when processing a crafted NTFS image file or partition. * CVE-2022-3165: An integer underflow issue was found in the QEMU VNC server while processing ClientCut...
An update for qemu-kvm is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-3165: An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service. * CVE-2022-4172: An integer overflow and buffer overflow issues were found in...
Red Hat Security Advisory 2022-7967-01 - Kernel-based Virtual Machine is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Issues addressed include buffer overflow, bypass, null pointer, and use-after-free vulnerabilities.
An integer underflow issue was found in the QEMU VNC server while processing ClientCutText messages in the extended format. A malicious client could use this flaw to make QEMU unresponsive by sending a specially crafted payload message, resulting in a denial of service.
A DMA reentrancy issue was found in the Tulip device emulation in QEMU. When Tulip reads or writes to the rx/tx descriptor or copies the rx/tx frame, it doesn't check whether the destination address is its own MMIO address. This can cause the device to trigger MMIO handlers multiple times, possibly leading to a stack or heap overflow. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition.
A use-after-free vulnerability was found in the LSI53C895A SCSI Host Bus Adapter emulation of QEMU. The flaw occurs while processing repeated messages to cancel the current SCSI request via the lsi_do_msgout function. This flaw allows a malicious privileged user within the guest to crash the QEMU process on the host, resulting in a denial of service.
Gentoo Linux Security Advisory 202208-27 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could result in remote code execution (guest sandbox escape). Versions less than 7.0.0 are affected.
Gentoo Linux Security Advisory 202208-27 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could result in remote code execution (guest sandbox escape). Versions less than 7.0.0 are affected.
Gentoo Linux Security Advisory 202208-27 - Multiple vulnerabilities have been discovered in QEMU, the worst of which could result in remote code execution (guest sandbox escape). Versions less than 7.0.0 are affected.
A DMA reentrancy issue was found in the USB EHCI controller emulation of QEMU. EHCI does not verify if the Buffer Pointer overlaps with its MMIO region when it transfers the USB packets. Crafted content may be written to the controller's registers and trigger undesirable actions (such as reset) while the device is still transferring packets. This can ultimately lead to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition, or potentially execute arbitrary code within the context of the QEMU process on the host. This flaw affects QEMU versions before 7.0.0.
An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.
A flaw was found in the USB redirector device emulation of QEMU in versions prior to 6.1.0-rc2. It occurs when dropping packets during a bulk transfer from a SPICE client due to the packet queue being full. A malicious SPICE client could use this flaw to make QEMU call free() with faked heap chunk metadata, resulting in a crash of QEMU or potential code execution with the privileges of the QEMU process on the host.