Vulnerabilities > CVE-2019-6501 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
qemu
fedoraproject
CWE-787
nessus

Summary

In QEMU 3.1, scsi_handle_inquiry_reply in hw/scsi/scsi-generic.c allows out-of-bounds write and read operations.

Vulnerable Configurations

Part Description Count
Application
Qemu
1
OS
Fedoraproject
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2166.NASL
    descriptionAn update for qemu-kvm-ma is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-ma packages provide the user-space component for running virtual machines that use KVM on the IBM z Systems, IBM Power, and 64-bit ARM architectures. Security Fix(es) : * QEMU: net: ignore packets with large size (CVE-2018-17963) * QEMU: scsi-generic: possible OOB access while handling inquiry request (CVE-2019-6501) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127689
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127689
    titleRHEL 7 : qemu-kvm-ma (RHSA-2019:2166)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2019:2166. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(127689);
      script_version("1.5");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2018-17963", "CVE-2019-6501");
      script_xref(name:"RHSA", value:"2019:2166");
    
      script_name(english:"RHEL 7 : qemu-kvm-ma (RHSA-2019:2166)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for qemu-kvm-ma is now available for Red Hat Enterprise
    Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Kernel-based Virtual Machine (KVM) is a full virtualization solution
    for Linux on a variety of architectures. The qemu-kvm-ma packages
    provide the user-space component for running virtual machines that use
    KVM on the IBM z Systems, IBM Power, and 64-bit ARM architectures.
    
    Security Fix(es) :
    
    * QEMU: net: ignore packets with large size (CVE-2018-17963)
    
    * QEMU: scsi-generic: possible OOB access while handling inquiry
    request (CVE-2019-6501)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, acknowledgments, and other related information, refer to
    the CVE page(s) listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.7 Release Notes linked from the References section."
      );
      # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3395ff0b"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2019:2166"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2018-17963"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2019-6501"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-img-ma");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-common-ma");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-ma");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-ma-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-tools-ma");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/08/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if ("s390x" >!< cpu) audit(AUDIT_ARCH_NOT, "s390x", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2019:2166";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"qemu-img-ma-2.12.0-33.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"qemu-kvm-common-ma-2.12.0-33.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"qemu-kvm-ma-2.12.0-33.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"qemu-kvm-ma-debuginfo-2.12.0-33.el7")) flag++;
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"qemu-kvm-tools-ma-2.12.0-33.el7")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-img-ma / qemu-kvm-common-ma / qemu-kvm-ma / etc");
      }
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-0664C7724D.NASL
    description - fix crash with virgl enabled (bz #1692323) - linux-user: make pwrite64/pread64(fd, NULL, 0, offset) return 0 (bz #1174267) - Fix build with latest gluster (bz #1684298) - CVE-2018-20123: pvrdma: memory leakage in device hotplug (bz #1658964) - CVE-2018-16872: usb-mtp: path traversal issue (bz #1659150) - CVE-2018-20191: pvrdma: uar_read leads to NULL deref (bz #1660315) - CVE-2019-6501: scsi-generic: possible OOB access (bz #1669005) - CVE-2019-6778: slirp: heap buffer overflow (bz #1669072) - CVE-2019-3812: Out-of-bounds read in hw/i2c/i2c-ddc.c allows for memory disclosure (bz #1678081) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124467
    published2019-05-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124467
    titleFedora 30 : 2:qemu (2019-0664c7724d)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2019-0664c7724d.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(124467);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/21");
    
      script_cve_id("CVE-2018-16872", "CVE-2018-20123", "CVE-2018-20191", "CVE-2019-3812", "CVE-2019-6501", "CVE-2019-6778");
      script_xref(name:"FEDORA", value:"2019-0664c7724d");
    
      script_name(english:"Fedora 30 : 2:qemu (2019-0664c7724d)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - fix crash with virgl enabled (bz #1692323)
    
      - linux-user: make pwrite64/pread64(fd, NULL, 0, offset)
        return 0 (bz #1174267)
    
      - Fix build with latest gluster (bz #1684298)
    
      - CVE-2018-20123: pvrdma: memory leakage in device hotplug
        (bz #1658964)
    
      - CVE-2018-16872: usb-mtp: path traversal issue (bz
        #1659150)
    
      - CVE-2018-20191: pvrdma: uar_read leads to NULL deref (bz
        #1660315)
    
      - CVE-2019-6501: scsi-generic: possible OOB access (bz
        #1669005)
    
      - CVE-2019-6778: slirp: heap buffer overflow (bz #1669072)
    
      - CVE-2019-3812: Out-of-bounds read in hw/i2c/i2c-ddc.c
        allows for memory disclosure (bz #1678081)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-0664c7724d"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 2:qemu package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6778");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:qemu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:30");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/03/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^30([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 30", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC30", reference:"qemu-3.1.0-6.fc30", epoch:"2")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:qemu");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2553.NASL
    descriptionAn update for qemu-kvm-rhev is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 and Red Hat Virtualization Engine 4.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Security Fix(es) : * A flaw was found in the implementation of the
    last seen2020-06-01
    modified2020-06-02
    plugin id128205
    published2019-08-27
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128205
    titleRHEL 7 : Virtualization Manager (RHSA-2019:2553) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)

Redhat

advisories
  • bugzilla
    id1678898
    titleRun iotests in rhel77 qemu-kvm-ma build %check phase
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentqemu-img-ma is earlier than 10:2.12.0-33.el7
            ovaloval:com.redhat.rhsa:tst:20192166001
          • commentqemu-img-ma is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20182762008
        • AND
          • commentqemu-kvm-common-ma is earlier than 10:2.12.0-33.el7
            ovaloval:com.redhat.rhsa:tst:20192166003
          • commentqemu-kvm-common-ma is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20182762004
        • AND
          • commentqemu-kvm-tools-ma is earlier than 10:2.12.0-33.el7
            ovaloval:com.redhat.rhsa:tst:20192166005
          • commentqemu-kvm-tools-ma is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20182762002
        • AND
          • commentqemu-kvm-ma is earlier than 10:2.12.0-33.el7
            ovaloval:com.redhat.rhsa:tst:20192166007
          • commentqemu-kvm-ma is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20182762006
    rhsa
    idRHSA-2019:2166
    released2019-08-06
    severityModerate
    titleRHSA-2019:2166: qemu-kvm-ma security and bug fix update (Moderate)
  • rhsa
    idRHSA-2019:2425
  • rhsa
    idRHSA-2019:2553
rpms
  • qemu-img-ma-10:2.12.0-33.el7
  • qemu-kvm-common-ma-10:2.12.0-33.el7
  • qemu-kvm-ma-10:2.12.0-33.el7
  • qemu-kvm-ma-debuginfo-10:2.12.0-33.el7
  • qemu-kvm-tools-ma-10:2.12.0-33.el7
  • qemu-img-rhev-10:2.12.0-33.el7
  • qemu-kvm-common-rhev-10:2.12.0-33.el7
  • qemu-kvm-rhev-10:2.12.0-33.el7
  • qemu-kvm-rhev-debuginfo-10:2.12.0-33.el7
  • qemu-kvm-tools-rhev-10:2.12.0-33.el7
  • qemu-img-rhev-10:2.12.0-33.el7
  • qemu-kvm-common-rhev-10:2.12.0-33.el7
  • qemu-kvm-rhev-10:2.12.0-33.el7
  • qemu-kvm-rhev-debuginfo-10:2.12.0-33.el7
  • qemu-kvm-tools-rhev-10:2.12.0-33.el7