CVE-2024-3567 – Qemu-kvm: net: assertion failure in update_sctp_checksum()
https://notcve.org/view.php?id=CVE-2024-3567
A flaw was found in QEMU. An assertion failure was present in the update_sctp_checksum() function in hw/net/net_tx_pkt.c when trying to calculate the checksum of a short-sized fragmented packet. This flaw allows a malicious guest to crash QEMU and cause a denial of service condition. Se encontró una falla en QEMU. Se produjo un error de aserción en la función update_sctp_checksum() en hw/net/net_tx_pkt.c al intentar calcular la suma de comprobación de un paquete fragmentado de tamaño corto. • https://access.redhat.com/security/cve/CVE-2024-3567 https://bugzilla.redhat.com/show_bug.cgi?id=2274339 https://gitlab.com/qemu-project/qemu/-/issues/2273 • CWE-617: Reachable Assertion •
CVE-2023-6683 – Qemu: vnc: null pointer dereference in qemu_clipboard_request()
https://notcve.org/view.php?id=CVE-2023-6683
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. The qemu_clipboard_request() function can be reached before vnc_server_cut_text_caps() was called and had the chance to initialize the clipboard peer, leading to a NULL pointer dereference. This could allow a malicious authenticated VNC client to crash QEMU and trigger a denial of service. Se encontró una falla en el servidor QEMU built-in VNC al procesar mensajes ClientCutText. Se puede acceder a la función qemu_clipboard_request() antes de que se llamara a vnc_server_cut_text_caps() y tuviera la oportunidad de inicializar el par del portapapeles, lo que lleva a una desreferencia del puntero NULL. • https://access.redhat.com/errata/RHSA-2024:2135 https://access.redhat.com/errata/RHSA-2024:2962 https://access.redhat.com/security/cve/CVE-2023-6683 https://bugzilla.redhat.com/show_bug.cgi?id=2254825 https://security.netapp.com/advisory/ntap-20240223-0001 • CWE-476: NULL Pointer Dereference •
CVE-2023-6693 – Qemu: virtio-net: stack buffer overflow in virtio_net_flush_tx()
https://notcve.org/view.php?id=CVE-2023-6693
A stack based buffer overflow was found in the virtio-net device of QEMU. This issue occurs when flushing TX in the virtio_net_flush_tx function if guest features VIRTIO_NET_F_HASH_REPORT, VIRTIO_F_VERSION_1 and VIRTIO_NET_F_MRG_RXBUF are enabled. This could allow a malicious user to overwrite local variables allocated on the stack. Specifically, the `out_sg` variable could be used to read a part of process memory and send it to the wire, causing an information leak. Se encontró un desbordamiento de búfer en la región stack de la memoria en el dispositivo virtio-net de QEMU. • https://access.redhat.com/errata/RHSA-2024:2962 https://access.redhat.com/security/cve/CVE-2023-6693 https://bugzilla.redhat.com/show_bug.cgi?id=2254580 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OYGUN5HVOXESW7MSNM44E4AE2VNXQB6Y https://security.netapp.com/advisory/ntap-20240208-0004 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2023-5088 – Qemu: improper ide controller reset can lead to mbr overwrite
https://notcve.org/view.php?id=CVE-2023-5088
A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot. Un error en QEMU podría causar que una operación de E/S de invitado que de otro modo estaría dirigida a un desplazamiento de disco arbitrario se dirija al desplazamiento 0 (potencialmente sobrescribiendo el código de arranque de la VM). Esto podría ser utilizado, por ejemplo, por invitados L2 con un disco virtual (vdiskL2) almacenado en un disco virtual de un hipervisor L1 (vdiskL1) para leer y/o escribir datos en el LBA 0 de vdiskL1, obteniendo potencialmente el control de L1 en su próximo reinicio. • https://access.redhat.com/errata/RHSA-2024:2135 https://access.redhat.com/errata/RHSA-2024:2962 https://access.redhat.com/security/cve/CVE-2023-5088 https://bugzilla.redhat.com/show_bug.cgi?id=2247283 https://lists.debian.org/debian-lts-announce/2024/03/msg00012.html https://lore.kernel.org/all/20230921160712.99521-1-simon.rowe@nutanix.com/T https://security.netapp.com/advisory/ntap-20231208-0005 • CWE-662: Improper Synchronization CWE-821: Incorrect Synchronization •
CVE-2023-4135 – Out-of-bounds read information disclosure vulnerability
https://notcve.org/view.php?id=CVE-2023-4135
A heap out-of-bounds memory read flaw was found in the virtual nvme device in QEMU. The QEMU process does not validate an offset provided by the guest before computing a host heap pointer, which is used for copying data back to the guest. Arbitrary heap memory relative to an allocated buffer can be disclosed. Se encontró una falla de lectura de memoria fuera de los límites en el dispositivo nvme virtual en QEMU. El proceso QEMU no valida un desplazamiento proporcionado por el invitado antes de calcular un puntero de la memoria del host, que se utiliza para copiar datos al invitado. • https://access.redhat.com/security/cve/CVE-2023-4135 https://bugzilla.redhat.com/show_bug.cgi?id=2229101 https://security.netapp.com/advisory/ntap-20230915-0012 https://www.zerodayinitiative.com/advisories/ZDI-CAN-21521 • CWE-125: Out-of-bounds Read •