CVE-2021-20263
https://notcve.org/view.php?id=CVE-2021-20263
A flaw was found in the virtio-fs shared file system daemon (virtiofsd) of QEMU. The new 'xattrmap' option may cause the 'security.capability' xattr in the guest not to be dropped on file write, potentially leading to a modified, privileged executable in the guest. In rare circumstances, this flaw could be used by a malicious user to elevate their privileges within the guest. • https://bugzilla.redhat.com/show_bug.cgi?id=1933668 https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20210507-0002 https://www.openwall.com/lists/oss-security/2021/03/08/1 • CWE-281: Improper Preservation of Permissions •
CVE-2021-20203
https://notcve.org/view.php?id=CVE-2021-20203
An integer overflow issue was found in the vmxnet3 NIC emulator of QEMU for versions up to v5.2.0. It may occur if a guest supplies invalid values for the rx/tx queue size or other NIC parameters. A privileged guest user may use this flaw to crash the QEMU process on the host, resulting in a DoS scenario. • https://bugs.launchpad.net/qemu/+bug/1913873 https://bugzilla.redhat.com/show_bug.cgi?id=1922441 https://lists.debian.org/debian-lts-announce/2021/04/msg00009.html https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://security.gentoo.org/glsa/202208-27 • CWE-190: Integer Overflow or Wraparound •
CVE-2021-20181 – QEMU Plan 9 File System Time-Of-Check Time-Of-Use Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2021-20181
A race condition flaw was found in the 9pfs server implementation of QEMU up to and including 5.2.0. This flaw allows a malicious 9p client to cause a use-after-free error, potentially escalating their privileges on the system. The highest threat from this vulnerability is to confidentiality, integrity, and system availability. • https://bugzilla.redhat.com/show_bug.cgi?id=1927007 https://lists.debian.org/debian-lts-announce/2021/02/msg00024.html https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://security.netapp.com/advisory/ntap-20210720-0009 https://www.zerodayinitiative.com/advisories/ZDI-21-159 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2020-35517 – QEMU: virtiofsd: potential privileged host device access from guest
https://notcve.org/view.php?id=CVE-2020-35517
A flaw was found in QEMU. A host privilege escalation issue was found in the virtio-fs shared file system daemon where a privileged guest user is able to create a device special file in the shared directory and use it to gain read/write access to host devices. • https://bugzilla.redhat.com/show_bug.cgi?id=1915823 https://github.com/qemu/qemu/commit/ebf101955ce8f8d72fba103b5151115a4335de2c https://lists.gnu.org/archive/html/qemu-devel/2021-01/msg05461.html https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20210312-0002 https://www.openwall.com/lists/oss-security/2021/01/22/1 https://access.redhat.com/security/cve/CVE-2020-35517 • CWE-269: Improper Privilege Management •
CVE-2020-29443 – QEMU: ide: atapi: OOB access while processing read commands
https://notcve.org/view.php?id=CVE-2020-29443
ide_atapi_cmd_reply_end in hw/ide/atapi.c in QEMU 5.1.0 allows out-of-bounds read access because a buffer index is not validated. An out-of-bounds read-access flaw was found in the ATAPI emulator of QEMU. This issue occurs while processing the ATAPI read command if the logical block address (LBA) is set to an invalid value. A guest user may use this flaw to crash the QEMU process on the host, resulting in a denial of service. • http://www.openwall.com/lists/oss-security/2021/01/18/2 https://lists.debian.org/debian-lts-announce/2021/02/msg00024.html https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://lists.nongnu.org/archive/html/qemu-devel/2020-11/msg04685.html https://security.netapp.com/advisory/ntap-20210304-0003 https://access.redhat.com/security/cve/CVE-2020-29443 https://bugzilla.redhat.com/show_bug.cgi?id=1917446 • CWE-125: Out-of-bounds Read •