CVE-2019-15890 - Use After Free vulnerability in multiple products

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: PARTIAL

Tags: network, low complexity, libslirp-project, qemu, CWE-416, nessus

Summary

libslirp 4.0.0, as used in QEMU 4.1.0, has a use-after-free in ip_reass in ip_input.c.

Vulnerable Configurations

Part          Description        Count
Application   Libslirp_Project   1
Application   Qemu               1

Common Weakness Enumeration (CWE)

CWE-416: Use After Free

Nessus

  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2020-0010.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : - kvm-Fix-heap-overflow-in-ip_reass-on-big-packet-input.patch [bz#1734747] - kvm-Using-ip_deq-after-m_free-might-read-pointers-from-a.patch - kvm-tcp_emu-Fix-oob-access.patch [bz#1791558] - kvm-slirp-use-correct-size-while-emulating-IRC-commands.patch [bz#1791558] - kvm-slirp-use-correct-size-while-emulating-commands.patch [bz#1791558] - Resolves: bz#1734747 (CVE-2019-14378 qemu-kvm: QEMU: slirp: heap buffer overflow during packet reassembly [rhel-6.10.z]) - Resolves: bz#1749731 (CVE-2019-15890 qemu-kvm: QEMU: Slirp: use-after-free during packet reassembly [rhel-6]) - Resolves: bz#1791558 (CVE-2020-7039 qemu-kvm: QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu [rhel-6.10.z])
    last seen: 2020-03-19
    modified: 2020-03-16
    plugin id: 134611
    published: 2020-03-16
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134611
    title: OracleVM 3.4 : qemu-kvm (OVMSA-2020-0010)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2019-2510.NASL
    description: This update for qemu fixes the following issues : qemu was updated to v3.1.1.1, a stable, bug-fix-only release, which includes 2 fixes we already carry, as well as one additional use-after-free fix in slirp. (CVE-2018-20126 bsc#1119991, CVE-2019-14378 bsc#1143794, and CVE-2019-15890 bsc#1149811 respectively) Security issues fixed : - CVE-2019-12068: Fixed potential DOS in lsi scsi controller emulation (bsc#1146873) - CVE-2019-11135: Expose taa-no
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131064
    published: 2019-11-15
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131064
    title: openSUSE Security Update : qemu (openSUSE-2019-2510)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-2955-1.NASL
    description: This update for qemu fixes the following issues : qemu was updated to v3.1.1.1, a stable, bug-fix-only release, which includes 2 fixes we already carry, as well as one additional use-after-free fix in slirp. (CVE-2018-20126 bsc#1119991, CVE-2019-14378 bsc#1143794, and CVE-2019-15890 bsc#1149811 respectively) Security issues fixed : CVE-2019-12068: Fixed potential DOS in lsi scsi controller emulation (bsc#1146873) CVE-2019-11135: Expose taa-no
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130953
    published: 2019-11-13
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130953
    title: SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2019:2955-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-2753-1.NASL
    description: This update for xen to version 4.11.2 fixes the following issues : Security issues fixed : CVE-2019-15890: Fixed a use-after-free in SLiRP networking implementation of QEMU emulator which could have led to Denial of Service (bsc#1149813). CVE-2019-12068: Fixed an issue in lsi which could lead to an infinite loop and denial of service (bsc#1146874). CVE-2019-14378: Fixed a heap buffer overflow in SLiRP networking implementation of QEMU emulator which could have led to execution of arbitrary code with privileges of the QEMU process (bsc#1143797). Other issues fixed: Fixed an HPS bug which did not allow installing Windows Server 2016 with a 2 CPUs setting or above (bsc#1137717). Fixed a segmentation fault in libvirtd during live migration to a VM (bsc#1145774). Fixed an issue where libxenlight could not create a new domain (bsc#1131811). Fixed an issue where attached pci devices were lost after reboot (bsc#1129642). Fixed an issue where Xen could not pre-allocate 1 shadow page (bsc#1145240). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130197
    published: 2019-10-24
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130197
    title: SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2019:2753-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-4616.NASL
    description: Two security issues have been found in the SLiRP networking implementation of QEMU, a fast processor emulator, which could result in the execution of arbitrary code or denial of service.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 133419
    published: 2020-02-03
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133419
    title: Debian DSA-4616-1 : qemu - security update
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2020-0775.NASL
    description: An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow during packet reassembly (CVE-2019-14378) * QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() (CVE-2020-7039) * QEMU: Slirp: use-after-free during packet reassembly (CVE-2019-15890) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-03-17
    modified: 2020-03-11
    plugin id: 134386
    published: 2020-03-11
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134386
    title: CentOS 6 : qemu-kvm (CESA-2020:0775)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2020-0388-1.NASL
    description: This update for xen fixes the following issues : CVE-2018-12207: Fixed a race condition where untrusted virtual machines could have been using the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional (bsc#1155945 XSA-304). CVE-2018-19965: Fixed a DoS from attempting to use INVPCID with a non-canonical address (bsc#1115045 XSA-279). CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate side-channel information leaks out of microarchitectural buffers, similar to the previously described
    last seen: 2020-03-18
    modified: 2020-02-18
    plugin id: 133763
    published: 2020-02-18
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/133763
    title: SUSE SLES12 Security Update : xen (SUSE-SU-2020:0388-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-2769-1.NASL
    description: This update for xen fixes the following issues : Security issues fixed : CVE-2019-15890: Fixed a use-after-free in SLiRP networking implementation of QEMU emulator which could have led to Denial of Service (bsc#1149813). CVE-2019-12068: Fixed an issue in lsi which could lead to an infinite loop and denial of service (bsc#1146874). CVE-2019-14378: Fixed a heap buffer overflow in SLiRP networking implementation of QEMU emulator which could have led to execution of arbitrary code with privileges of the QEMU process (bsc#1143797). Other issue fixed: Fixed an issue where libxenlight could not restore domain vsa6535522 on live migration (bsc#1133818). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130253
    published: 2019-10-25
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130253
    title: SUSE SLES12 Security Update : xen (SUSE-SU-2019:2769-1) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20200310_QEMU_KVM_ON_SL6_X.NASL
    description: Security Fix(es) : - QEMU: slirp: heap buffer overflow during packet reassembly (CVE-2019-14378) - QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() (CVE-2020-7039) - QEMU: Slirp: use-after-free during packet reassembly (CVE-2019-15890)
    last seen: 2020-03-18
    modified: 2020-03-11
    plugin id: 134395
    published: 2020-03-11
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134395
    title: Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64 (20200310)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-4191-1.NASL
    description: It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service. (CVE-2019-12068) Sergej Schumilo, Cornelius Aschermann and Simon Worner discovered that the qxl paravirtual graphics driver implementation in QEMU contained a NULL pointer dereference. A local attacker in a guest could use this to cause a denial of service. (CVE-2019-12155) Riccardo Schirone discovered that the QEMU bridge helper did not properly validate network interface names. A local attacker could possibly use this to bypass ACL restrictions. (CVE-2019-13164) It was discovered that a heap-based buffer overflow existed in the SLiRP networking implementation of QEMU. A local attacker in a guest could use this to cause a denial of service or possibly execute arbitrary code in the host. (CVE-2019-14378) It was discovered that a use-after-free vulnerability existed in the SLiRP networking implementation of QEMU. A local attacker in a guest could use this to cause a denial of service. (CVE-2019-15890). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 131017
    published: 2019-11-14
    reporter: Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/131017
    title: Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : qemu vulnerabilities (USN-4191-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-1927.NASL
    description: Several vulnerabilities were found in QEMU, a fast processor emulator (notably used in KVM and Xen HVM virtualization). CVE-2016-5126 Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call. CVE-2016-5403 The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. CVE-2017-9375 QEMU, when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing. CVE-2019-12068 QEMU scsi disk backend: lsi: exit infinite loop while executing script CVE-2019-12155 interface_release_resource in hw/display/qxl.c in QEMU has a NULL pointer dereference. CVE-2019-13164 qemu-bridge-helper.c in QEMU does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass. CVE-2019-14378 ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. CVE-2019-15890 libslirp 4.0.0, as used in QEMU, has a use-after-free in ip_reass in ip_input.c. For Debian 8
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 129105
    published: 2019-09-23
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/129105
    title: Debian DLA-1927-1 : qemu security update
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2020-0775.NASL
    description: From Red Hat Security Advisory 2020:0775 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow during packet reassembly (CVE-2019-14378) * QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() (CVE-2020-7039) * QEMU: Slirp: use-after-free during packet reassembly (CVE-2019-15890) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-03-18
    modified: 2020-03-11
    plugin id: 134388
    published: 2020-03-11
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134388
    title: Oracle Linux 6 : qemu-kvm (ELSA-2020-0775)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2019-2783-1.NASL
    description: This update for xen fixes the following issues : CVE-2019-15890: Fixed a use-after-free in SLiRP networking implementation of QEMU emulator which could have led to Denial of Service (bsc#1149813). CVE-2019-12068: Fixed an issue in lsi which could lead to an infinite loop and denial of service (bsc#1146874). CVE-2019-14378: Fixed a heap buffer overflow in SLiRP networking implementation of QEMU emulator which could have led to execution of arbitrary code with privileges of the QEMU process (bsc#1143797). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 130343
    published: 2019-10-28
    reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/130343
    title: SUSE SLES12 Security Update : xen (SUSE-SU-2019:2783-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2020-0775.NASL
    description: An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow during packet reassembly (CVE-2019-14378) * QEMU: slirp: OOB buffer access while emulating tcp protocols in tcp_emu() (CVE-2020-7039) * QEMU: Slirp: use-after-free during packet reassembly (CVE-2019-15890) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen: 2020-03-18
    modified: 2020-03-11
    plugin id: 134393
    published: 2020-03-11
    reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/134393
    title: RHEL 6 : qemu-kvm (RHSA-2020:0775)

Red Hat

Advisory: RHSA-2020:0775
RPMs:
  • buildah-0:1.11.6-4.module+el8.1.1+5259+bcdd613a
  • buildah-debuginfo-0:1.11.6-4.module+el8.1.1+5259+bcdd613a
  • buildah-debugsource-0:1.11.6-4.module+el8.1.1+5259+bcdd613a
  • buildah-tests-0:1.11.6-4.module+el8.1.1+5259+bcdd613a
  • buildah-tests-debuginfo-0:1.11.6-4.module+el8.1.1+5259+bcdd613a
  • cockpit-podman-0:11-1.module+el8.1.1+5259+bcdd613a
  • conmon-2:2.0.6-1.module+el8.1.1+5259+bcdd613a
  • container-selinux-2:2.124.0-1.module+el8.1.1+5259+bcdd613a
  • containernetworking-plugins-0:0.8.3-4.module+el8.1.1+5259+bcdd613a
  • containernetworking-plugins-debuginfo-0:0.8.3-4.module+el8.1.1+5259+bcdd613a
  • containernetworking-plugins-debugsource-0:0.8.3-4.module+el8.1.1+5259+bcdd613a
  • containers-common-1:0.1.40-8.module+el8.1.1+5351+506397b0
  • fuse-overlayfs-0:0.7.2-1.module+el8.1.1+5259+bcdd613a
  • fuse-overlayfs-debuginfo-0:0.7.2-1.module+el8.1.1+5259+bcdd613a
  • fuse-overlayfs-debugsource-0:0.7.2-1.module+el8.1.1+5259+bcdd613a
  • podman-0:1.6.4-2.module+el8.1.1+5363+bf8ff1af
  • podman-debuginfo-0:1.6.4-2.module+el8.1.1+5363+bf8ff1af
  • podman-debugsource-0:1.6.4-2.module+el8.1.1+5363+bf8ff1af
  • podman-docker-0:1.6.4-2.module+el8.1.1+5363+bf8ff1af
  • podman-manpages-0:1.6.4-2.module+el8.1.1+5363+bf8ff1af
  • podman-remote-0:1.6.4-2.module+el8.1.1+5363+bf8ff1af
  • podman-remote-debuginfo-0:1.6.4-2.module+el8.1.1+5363+bf8ff1af
  • podman-tests-0:1.6.4-2.module+el8.1.1+5363+bf8ff1af
  • python-podman-api-0:1.2.0-0.2.gitd0a45fe.module+el8.1.1+5259+bcdd613a
  • runc-0:1.0.0-64.rc9.module+el8.1.1+5259+bcdd613a
  • runc-debuginfo-0:1.0.0-64.rc9.module+el8.1.1+5259+bcdd613a
  • runc-debugsource-0:1.0.0-64.rc9.module+el8.1.1+5259+bcdd613a
  • skopeo-1:0.1.40-8.module+el8.1.1+5351+506397b0
  • skopeo-debuginfo-1:0.1.40-8.module+el8.1.1+5351+506397b0
  • skopeo-debugsource-1:0.1.40-8.module+el8.1.1+5351+506397b0
  • skopeo-tests-1:0.1.40-8.module+el8.1.1+5351+506397b0
  • slirp4netns-0:0.4.2-2.git21fdece.module+el8.1.1+5460+3ac089c3
  • slirp4netns-debuginfo-0:0.4.2-2.git21fdece.module+el8.1.1+5460+3ac089c3
  • slirp4netns-debugsource-0:0.4.2-2.git21fdece.module+el8.1.1+5460+3ac089c3
  • toolbox-0:0.0.4-1.module+el8.1.1+4407+ac444e5d
  • udica-0:0.2.1-2.module+el8.1.1+4975+482d6f5d
  • qemu-guest-agent-2:0.12.1.2-2.506.el6_10.6
  • qemu-img-2:0.12.1.2-2.506.el6_10.6
  • qemu-kvm-2:0.12.1.2-2.506.el6_10.6
  • qemu-kvm-debuginfo-2:0.12.1.2-2.506.el6_10.6
  • qemu-kvm-tools-2:0.12.1.2-2.506.el6_10.6
  • slirp4netns-0:0.3.0-8.el7_7
  • slirp4netns-debuginfo-0:0.3.0-8.el7_7