CVE-2023-5088 – Qemu: improper ide controller reset can lead to mbr overwrite
https://notcve.org/view.php?id=CVE-2023-5088
A bug in QEMU could cause a guest I/O operation otherwise addressed to an arbitrary disk offset to be targeted to offset 0 instead (potentially overwriting the VM's boot code). This could be used, for example, by L2 guests with a virtual disk (vdiskL2) stored on a virtual disk of an L1 (vdiskL1) hypervisor to read and/or write data to LBA 0 of vdiskL1, potentially gaining control of L1 at its next reboot. Un error en QEMU podría causar que una operación de E/S de invitado que de otro modo estaría dirigida a un desplazamiento de disco arbitrario se dirija al desplazamiento 0 (potencialmente sobrescribiendo el código de arranque de la VM). Esto podría ser utilizado, por ejemplo, por invitados L2 con un disco virtual (vdiskL2) almacenado en un disco virtual de un hipervisor L1 (vdiskL1) para leer y/o escribir datos en el LBA 0 de vdiskL1, obteniendo potencialmente el control de L1 en su próximo reinicio. • https://access.redhat.com/errata/RHSA-2024:2135 https://access.redhat.com/errata/RHSA-2024:2962 https://access.redhat.com/security/cve/CVE-2023-5088 https://bugzilla.redhat.com/show_bug.cgi?id=2247283 https://lists.debian.org/debian-lts-announce/2024/03/msg00012.html https://lore.kernel.org/all/20230921160712.99521-1-simon.rowe@nutanix.com/T https://security.netapp.com/advisory/ntap-20231208-0005 • CWE-662: Improper Synchronization CWE-821: Incorrect Synchronization •
CVE-2023-2680 – Dma reentrancy issue (incomplete fix for cve-2021-3750)
https://notcve.org/view.php?id=CVE-2023-2680
This CVE exists because of an incomplete fix for CVE-2021-3750. More specifically, the qemu-kvm package as released for Red Hat Enterprise Linux 9.1 via RHSA-2022:7967 included a version of qemu-kvm that was actually missing the fix for CVE-2021-3750. Este CVE existe debido a una solución incompleta para CVE-2021-3750. Más específicamente, el paquete qemu-kvm lanzado para Red Hat Enterprise Linux 9.1 a través de RHSA-2022:7967 incluía una versión de qemu-kvm a la que en realidad le faltaba la solución para CVE-2021-3750. • https://access.redhat.com/security/cve/CVE-2023-2680 https://bugzilla.redhat.com/show_bug.cgi?id=2203387 https://security.netapp.com/advisory/ntap-20231116-0001 • CWE-416: Use After Free •
CVE-2023-3255 – Qemu: vnc: infinite loop in inflate_buffer() leads to denial of service
https://notcve.org/view.php?id=CVE-2023-3255
A flaw was found in the QEMU built-in VNC server while processing ClientCutText messages. A wrong exit condition may lead to an infinite loop when inflating an attacker controlled zlib buffer in the `inflate_buffer` function. This could allow a remote authenticated client who is able to send a clipboard to the VNC server to trigger a denial of service. Se encontró una falla en el servidor VNC integrado de QEMU al procesar mensajes ClientCutText. Una condición de salida incorrecta puede provocar un bucle infinito al inflar un búfer zlib controlado por un atacante en la función `inflate_buffer`. • https://access.redhat.com/errata/RHSA-2024:2135 https://access.redhat.com/errata/RHSA-2024:2962 https://access.redhat.com/security/cve/CVE-2023-3255 https://bugzilla.redhat.com/show_bug.cgi?id=2218486 https://security.netapp.com/advisory/ntap-20231020-0008 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2023-3301 – Triggerable assertion due to race condition in hot-unplug
https://notcve.org/view.php?id=CVE-2023-3301
A flaw was found in QEMU. The async nature of hot-unplug enables a race scenario where the net device backend is cleared before the virtio-net pci frontend has been unplugged. A malicious guest could use this time window to trigger an assertion and cause a denial of service. Se encontró una falla en QEMU. La naturaleza asíncrona de la desconexión en caliente permite un escenario de ejecución en el que el backend del dispositivo de red se borra antes de que se haya desconectado el frontend pci de virtio-net. • https://access.redhat.com/security/cve/CVE-2023-3301 https://bugzilla.redhat.com/show_bug.cgi?id=2215784 https://security.netapp.com/advisory/ntap-20231020-0008 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-617: Reachable Assertion •
CVE-2023-42467 – QEMU: am53c974: denial of service due to division by zero
https://notcve.org/view.php?id=CVE-2023-42467
QEMU through 8.0.0 could trigger a division by zero in scsi_disk_reset in hw/scsi/scsi-disk.c because scsi_disk_emulate_mode_select does not prevent s->qdev.blocksize from being 256. This stops QEMU and the guest immediately. QEMU hasta 8.0.0 podría desencadenar una división por cero en scsi_disk_reset en hw/scsi/scsi-disk.c porque scsi_disk_emulate_mode_select no impide que s->qdev.blocksize sea 256. Esto detiene QEMU y el invitado inmediatamente. A denial of service vulnerability was found in the qemu package. • https://gitlab.com/qemu-project/qemu/-/commit/7cfcc79b0ab800959716738aff9419f53fc68c9c https://gitlab.com/qemu-project/qemu/-/issues/1813 https://security.netapp.com/advisory/ntap-20231103-0005 https://access.redhat.com/security/cve/CVE-2023-42467 https://bugzilla.redhat.com/show_bug.cgi?id=2238291 • CWE-369: Divide By Zero •