Free and open-source vulnerability scanner
Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.
Install NowAvailable for macOS, Windows, and Linux
Debian LTS: Security Advisory for qemu (DLA-2623-1)
Information
Severity
Severity
Family
Family
CVSSv2 Base
CVSSv2 Base
CVSSv2 Vector
CVSSv2 Vector
Solution Type
Solution Type
Created
Created
Modified
Modified
Summary
The remote host is missing an update for the 'qemu' package(s) announced via the DLA-2623-1 advisory.
Insight
Insight
Several security vulnerabilities have been discovered in QEMU, a fast processor emulator. CVE-2021-20257 net: e1000: infinite loop while processing transmit descriptors CVE-2021-20255 A stack overflow via an infinite recursion vulnerability was found in the eepro100 i8255x device emulator of QEMU. This issue occurs while processing controller commands due to a DMA reentry issue. This flaw allows a guest user or process to consume CPU cycles or crash the QEMU process on the host, resulting in a denial of service. CVE-2021-20203 An integer overflow issue was found in the vmxnet3 NIC emulator of the QEMU. It may occur if a guest was to supply invalid values for rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host resulting in DoS scenario. CVE-2021-3416 A potential stack overflow via infinite loop issue was found in various NIC emulators of QEMU in versions up to and including 5.2.0. The issue occurs in loopback mode of a NIC wherein reentrant DMA checks get bypassed. A guest user/process may use this flaw to consume CPU cycles or crash the QEMU process on the host resulting in DoS scenario. CVE-2021-3416 The patch for CVE-2020-17380/CVE-2020-25085 was found to be ineffective, thus making QEMU vulnerable to the out-of-bounds read/write access issues previously found in the SDHCI controller emulation code. This flaw allows a malicious privileged guest to crash the QEMU process on the host, resulting in a denial of service or potential code execution.
Affected Software
Affected Software
'qemu' package(s) on Debian Linux.
Detection Method
Detection Method
Checks if a vulnerable package version is present on the target host.
Solution
Solution
For Debian 9 stretch, these problems have been fixed in version 1:2.8+dfsg-6+deb9u14. We recommend that you upgrade your qemu packages.
Common Vulnerabilities and Exposures (CVE)
References
- https://lists.debian.org/debian-lts-announce/2021/04/msg00009.html
- https://security-tracker.debian.org/tracker/DLA-2623-1
- https://bugs.debian.org/984450
- https://bugs.debian.org/984451
- https://bugs.debian.org/984452
- https://bugs.debian.org/984448
- https://bugs.debian.org/984449
- https://bugs.debian.org/970937