CVE-2020-7039

QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu()

Severity Score

5.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.

El archivo tcp_emu en tcp_subr.c en libslirp versión 4.1.0, como es usado en QEMU versión 4.2.0, administra inapropiadamente la memoria, como es demostrado por los comandos IRC DCC en EMU_IRC. Esto puede causar un desbordamiento del búfer en la región heap de la memoria u otro acceso fuera de límites que puede conllevar a una DoS o un código arbitrario de ejecución potencial.

A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the tcp_emu() routine while emulating IRC and other protocols. An attacker could use this flaw to crash the QEMU process on the host, resulting in a denial of service or potential execution of arbitrary code with privileges of the QEMU process.

It was discovered that the SLiRP networking implementation of the QEMU emulator did not properly manage memory under certain circumstances. An attacker could use this to cause a heap-based buffer overflow or other out- of-bounds access, which can lead to a denial of service or potentially execute arbitrary code. It was discovered that the SLiRP networking implementation of the QEMU emulator misuses snprintf return values. An attacker could use this to cause a denial of service or potentially execute arbitrary code. Various other issues were also addressed.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-01-14 CVE Reserved
2020-01-16 CVE Published
2024-08-04 CVE Updated
2025-04-08 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-122: Heap-based Buffer Overflow
CWE-787: Out-of-bounds Write

CAPEC

References (16)

URL	Tag	Source
https://lists.debian.org/debian-lts-announce/2020/01/msg00022.html	Mailing List
https://lists.debian.org/debian-lts-announce/2020/01/msg00036.html	Mailing List
https://lists.debian.org/debian-lts-announce/2021/02/msg00012.html	Mailing List
https://seclists.org/bugtraq/2020/Feb/0	Mailing List

URL	Date	SRC

URL	Date	SRC
http://www.openwall.com/lists/oss-security/2020/01/16/2	2021-02-14
https://gitlab.freedesktop.org/slirp/libslirp/commit/2655fffed7a9e765bcb4701dd876e9dab975f289	2021-02-14
https://gitlab.freedesktop.org/slirp/libslirp/commit/82ebe9c370a0e2970fb5695aa19aa5214a6a1c80	2021-02-14
https://gitlab.freedesktop.org/slirp/libslirp/commit/ce131029d6d4a405cb7d3ac6716d03e58fb4a5d9	2021-02-14

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00007.html	2021-02-14
https://access.redhat.com/errata/RHSA-2020:0348	2021-02-14
https://access.redhat.com/errata/RHSA-2020:0775	2021-02-14
https://security.gentoo.org/glsa/202005-02	2021-02-14
https://usn.ubuntu.com/4283-1	2021-02-14
https://www.debian.org/security/2020/dsa-4616	2021-02-14
https://access.redhat.com/security/cve/CVE-2020-7039	2020-06-24
https://bugzilla.redhat.com/show_bug.cgi?id=1791551	2020-06-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Libslirp Project Search vendor "Libslirp Project"		Libslirp Search vendor "Libslirp Project" for product "Libslirp"				4.1.0 Search vendor "Libslirp Project" for product "Libslirp" and version "4.1.0"		-		Affected
Qemu Search vendor "Qemu"		Qemu Search vendor "Qemu" for product "Qemu"				4.2.0 Search vendor "Qemu" for product "Qemu" and version "4.2.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected