CVE-2023-6683 – Qemu: vnc: null pointer dereference in qemu_clipboard_request()
https://notcve.org/view.php?id=CVE-2023-6683
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service. Se encontró una falla en el servidor QEMU built-in VNC al procesar mensajes ClientCutText. Se puede acceder a la función qemu_clipboard_request() antes de que se llamara a vnc_server_cut_text_caps() y tuviera la oportunidad de inicializar el par del portapapeles, lo que lleva a una desreferencia del puntero NULL. • https://access.redhat.com/errata/RHSA-2024:2135 https://access.redhat.com/errata/RHSA-2024:2962 https://access.redhat.com/security/cve/CVE-2023-6683 https://bugzilla.redhat.com/show_bug.cgi?id=2254825 https://security.netapp.com/advisory/ntap-20240223-0001 • CWE-476: NULL Pointer Dereference •
CVE-2023-6693 – Qemu: virtio-net: stack buffer overflow in virtio_net_flush_tx()
https://notcve.org/view.php?id=CVE-2023-6693
A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak. Se encontró un desbordamiento de búfer en la región stack de la memoria en el dispositivo virtio-net de QEMU. • https://access.redhat.com/errata/RHSA-2024:2962 https://access.redhat.com/security/cve/CVE-2023-6693 https://bugzilla.redhat.com/show_bug.cgi?id=2254580 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OYGUN5HVOXESW7MSNM44E4AE2VNXQB6Y https://security.netapp.com/advisory/ntap-20240208-0004 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2023-2861 – Qemu: 9pfs: improper access control on special files
https://notcve.org/view.php?id=CVE-2023-2861
A flaw was found in the 9p passthrough filesystem (9pfs) implementation in QEMU. The 9pfs server did not prohibit opening special files on the host side, potentially allowing a malicious client to escape from the exported 9p tree by creating and opening a device file in the shared folder. Se encontró una falla en la implementación del sistema de archivos de paso 9p (9pfs) en QEMU. El servidor 9pfs no prohibía la apertura de archivos especiales en el lado del host, lo que potencialmente permitía que un cliente malicioso escapara del árbol 9p exportado creando y abriendo un archivo de dispositivo en la carpeta compartida. • https://access.redhat.com/security/cve/CVE-2023-2861 https://bugzilla.redhat.com/show_bug.cgi?id=2219266 https://lists.debian.org/debian-lts-announce/2024/03/msg00012.html https://security.netapp.com/advisory/ntap-20240125-0005 https://security.netapp.com/advisory/ntap-20240229-0002 • CWE-284: Improper Access Control •
CVE-2023-5088 – Qemu: improper ide controller reset can lead to mbr overwrite
https://notcve.org/view.php?id=CVE-2023-5088
A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot. Un error en QEMU podría causar que una operación de E/S de invitado que de otro modo estaría dirigida a un desplazamiento de disco arbitrario se dirija al desplazamiento 0 (potencialmente sobrescribiendo el código de arranque de la VM). Esto podría ser utilizado, por ejemplo, por invitados L2 con un disco virtual (vdiskL2) almacenado en un disco virtual de un hipervisor L1 (vdiskL1) para leer y/o escribir datos en el LBA 0 de vdiskL1, obteniendo potencialmente el control de L1 en su próximo reinicio. • https://access.redhat.com/errata/RHSA-2024:2135 https://access.redhat.com/errata/RHSA-2024:2962 https://access.redhat.com/security/cve/CVE-2023-5088 https://bugzilla.redhat.com/show_bug.cgi?id=2247283 https://lists.debian.org/debian-lts-announce/2024/03/msg00012.html https://lore.kernel.org/all/20230921160712.99521-1-simon.rowe@nutanix.com/T https://security.netapp.com/advisory/ntap-20231208-0005 • CWE-662: Improper Synchronization CWE-821: Incorrect Synchronization •
CVE-2023-3255 – Qemu: vnc: infinite loop in inflate_buffer() leads to denial of service
https://notcve.org/view.php?id=CVE-2023-3255
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service. Se encontró una falla en el servidor VNC integrado de QEMU al procesar mensajes ClientCutText. Una condición de salida incorrecta puede provocar un bucle infinito al inflar un búfer zlib controlado por un atacante en la función `inflate_buffer`. • https://access.redhat.com/errata/RHSA-2024:2135 https://access.redhat.com/errata/RHSA-2024:2962 https://access.redhat.com/security/cve/CVE-2023-3255 https://bugzilla.redhat.com/show_bug.cgi?id=2218486 https://security.netapp.com/advisory/ntap-20231020-0008 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •