CVE-2022-0358 – QEMU: virtiofsd: potential privilege escalation via CVE-2018-13405
https://notcve.org/view.php?id=CVE-2022-0358
A flaw was found in the QEMU virtio-fs shared file system daemon (virtiofsd) implementation. This flaw is strictly related to CVE-2018-13405. A local guest user can create files in the directories shared by virtio-fs with unintended group ownership in a scenario where a directory is SGID to a certain group and is writable by a user who is not a member of the group. This could allow a malicious unprivileged user inside the guest to gain access to resources accessible to the root group, potentially escalating their privileges within the guest. A malicious local user in the host might also leverage this unexpected executable file created by the guest to escalate their privileges on the host system. • https://access.redhat.com/security/cve/CVE-2022-0358 https://bugzilla.redhat.com/show_bug.cgi?id=2044863 https://gitlab.com/qemu-project/qemu/-/commit/449e8171f96a6a944d1f3b7d3627ae059eae21ca https://security.netapp.com/advisory/ntap-20221007-0008 • CWE-273: Improper Check for Dropped Privileges •
CVE-2021-4158 – QEMU: NULL pointer dereference in pci_write() in hw/acpi/pcihp.c
https://notcve.org/view.php?id=CVE-2021-4158
A NULL pointer dereference issue was found in the ACPI code of QEMU. A malicious, privileged user within the guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition. Se ha encontrado un problema de desreferencia de puntero NULL en el código ACPI de QEMU. Un usuario malicioso y con privilegios dentro del huésped podía usar este fallo para bloquear el proceso de QEMU en el host, resultando en una situación de denegación de servicio. • https://access.redhat.com/security/cve/CVE-2021-4158 https://bugzilla.redhat.com/show_bug.cgi?id=2035002 https://gitlab.com/qemu-project/qemu/-/commit/9bd6565ccee68f72d5012e24646e12a1c662827e https://gitlab.com/qemu-project/qemu/-/issues/770 https://www.mail-archive.com/qemu-devel%40nongnu.org/msg857944.html • CWE-476: NULL Pointer Dereference •
CVE-2021-3607
https://notcve.org/view.php?id=CVE-2021-3607
An integer overflow was found in the QEMU implementation of VMWare's paravirtual RDMA device in versions prior to 6.1.0. The issue occurs while handling a "PVRDMA_REG_DSRHIGH" write from the guest due to improper input validation. This flaw allows a privileged guest user to make QEMU allocate a large amount of memory, resulting in a denial of service. The highest threat from this vulnerability is to system availability. Se encontró un desbordamiento de enteros en la implementación de QEMU del dispositivo RDMA paravirtual de VMWare en versiones anteriores a 6.1.0. • https://bugzilla.redhat.com/show_bug.cgi?id=1973349 https://lists.debian.org/debian-lts-announce/2022/09/msg00008.html https://lists.gnu.org/archive/html/qemu-devel/2021-06/msg07925.html https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20220318-0002 • CWE-190: Integer Overflow or Wraparound •
CVE-2021-3947
https://notcve.org/view.php?id=CVE-2021-3947
A stack-buffer-overflow was found in QEMU in the NVME component. The flaw lies in nvme_changed_nslist() where a malicious guest controlling certain input can read out of bounds memory. A malicious user could use this flaw leading to disclosure of sensitive information. Se ha encontrado un desbordamiento de pila en QEMU en el componente NVME. El fallo es encontrado en nvme_changed_nslist(), donde un huésped malicioso que controle determinadas entradas puede leer memoria fuera de límites. • https://bugzilla.redhat.com/show_bug.cgi?id=2021869 https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20220318-0003 • CWE-125: Out-of-bounds Read •
CVE-2021-4145 – QEMU: NULL pointer dereference in mirror_wait_on_conflicts() in block/mirror.c
https://notcve.org/view.php?id=CVE-2021-4145
A NULL pointer dereference issue was found in the block mirror layer of QEMU in versions prior to 6.2.0. The `self` pointer is dereferenced in mirror_wait_on_conflicts() without ensuring that it's not NULL. A malicious unprivileged user within the guest could use this flaw to crash the QEMU process on the host when writing data reaches the threshold of mirroring node. Se encontró un problema de desreferencia de puntero NULL en la capa de réplica de bloques de QEMU en versiones anteriores a 6.2.0. El puntero "self" es dereferenciado en mirror_wait_on_conflicts() sin asegurar que no sea NULL. • https://bugzilla.redhat.com/show_bug.cgi?id=2034602 https://gitlab.com/qemu-project/qemu/-/commit/66fed30c9cd11854fc878a4eceb507e915d7c9cd https://security.gentoo.org/glsa/202208-27 https://security.netapp.com/advisory/ntap-20220311-0004 https://access.redhat.com/security/cve/CVE-2021-4145 • CWE-476: NULL Pointer Dereference •