===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.2981
                           qemu security update
                             3 September 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu
Publisher:         Debian
Operating System:  Debian GNU/Linux
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-3713 CVE-2021-3682 CVE-2021-3595
                   CVE-2021-3594 CVE-2021-3592 CVE-2021-3527

Reference:         ESB-2021.2918
                   ESB-2021.2596
                   ESB-2021.2415

Original Bulletin: 
   https://lists.debian.org/debian-lts-announce/2021/09/msg00000.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -------------------------------------------------------------------------
Debian LTS Advisory DLA-2753-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                      Markus Koschany
September 02, 2021                            https://wiki.debian.org/LTS
- -------------------------------------------------------------------------

Package        : qemu
Version        : 1:2.8+dfsg-6+deb9u15
CVE ID         : CVE-2021-3527 CVE-2021-3592 CVE-2021-3594 CVE-2021-3595
                 CVE-2021-3682 CVE-2021-3713
Debian Bug     : 988157 989993 989995 989996 991911 992727

Several security vulnerabilities have been found in QEMU, a fast processor
emulator.

CVE-2021-3713

  An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device
  emulation of QEMU. The device uses the guest supplied stream number
  unchecked, which can lead to out-of-bounds access to the UASDevice->data3
  and UASDevice->status3 fields. A malicious guest user could use this flaw
  to crash QEMU or potentially achieve code execution with the privileges of
  the QEMU process on the host.

CVE-2021-3682

  A flaw was found in the USB redirector device emulation of QEMU. It occurs
  when dropping packets during a bulk transfer from a SPICE client due to the
  packet queue being full. A malicious SPICE client could use this flaw to
  make QEMU call free() with faked heap chunk metadata, resulting in a crash
  of QEMU or potential code execution with the privileges of the QEMU process
  on the host.

CVE-2021-3527

  A flaw was found in the USB redirector device (usb-redir) of QEMU. Small
  USB packets are combined into a single, large transfer request, to reduce
  the overhead and improve performance. The combined size of the bulk
  transfer is used to dynamically allocate a variable length array (VLA) on
  the stack without proper validation. Since the total size is not bounded, a
  malicious guest could use this flaw to influence the array length and cause
  the QEMU process to perform an excessive allocation on the stack, resulting
  in a denial of service.
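
The hardened counterpart of the pattern described for CVE-2021-3527, as an added example (not QEMU's code and not part of the original advisory): the combined size is checked against a cap before a heap buffer is allocated, instead of sizing a stack VLA from it. The names demo_pkt and demo_combine and the 1 MiB cap are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed upper bound for one combined transfer (1 MiB); chosen for this
 * example, not taken from QEMU. */
#define DEMO_MAX_COMBINED ((size_t)1 << 20)

struct demo_pkt { const uint8_t *data; size_t len; };

/* Merge n small packets into one heap buffer. Returns NULL and leaves
 * *total at 0 when the combined size exceeds the cap or malloc fails. */
uint8_t *demo_combine(const struct demo_pkt *pkts, size_t n, size_t *total)
{
    size_t sum = 0, off = 0;
    *total = 0;
    for (size_t i = 0; i < n; i++) {
        /* Compare against the remaining budget so sum can never wrap. */
        if (pkts[i].len > DEMO_MAX_COMBINED - sum)
            return NULL;
        sum += pkts[i].len;
    }

    /* The flawed pattern would be `uint8_t buf[sum];`: a VLA whose size the
     * sender controls. Here the size is capped and lives on the heap. */
    uint8_t *buf = malloc(sum ? sum : 1);
    if (buf == NULL)
        return NULL;

    for (size_t i = 0; i < n; i++) {
        if (pkts[i].len)
            memcpy(buf + off, pkts[i].data, pkts[i].len);
        off += pkts[i].len;
    }
    *total = sum;
    return buf;
}

int main(void)
{
    /* Constructed packets. */
    const uint8_t a[] = { 1, 2, 3 }, b[] = { 4, 5 };
    struct demo_pkt ok[] = { { a, sizeof a }, { b, sizeof b } };
    size_t total;
    uint8_t *buf = demo_combine(ok, 2, &total);
    printf("combined %zu bytes\n", total);
    free(buf);
    return 0;
}
```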

CVE-2021-3594

  An invalid pointer initialization issue was found in the SLiRP networking
  implementation of QEMU. The flaw exists in the udp_input() function and
  could occur while processing a UDP packet that is smaller than the size of
  the 'udphdr' structure. This issue may lead to out-of-bounds read access or
  indirect host memory disclosure to the guest. The highest threat from this
  vulnerability is to data confidentiality.

CVE-2021-3592

  An invalid pointer initialization issue was found in the SLiRP networking
  implementation of QEMU. The flaw exists in the bootp_input() function and
  could occur while processing a UDP packet that is smaller than the size of
  the 'bootp_t' structure. A malicious guest could use this flaw to leak 10
  bytes of uninitialized heap memory from the host. The highest threat from
  this vulnerability is to data confidentiality.

CVE-2021-3595

  An invalid pointer initialization issue was found in the SLiRP networking
  implementation of QEMU. The flaw exists in the tftp_input() function and
  could occur while processing a UDP packet that is smaller than the size of
  the 'tftp_t' structure. This issue may lead to out-of-bounds read access or
  indirect host memory disclosure to the guest. The highest threat from this
  vulnerability is to data confidentiality.
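
The check whose absence is described for CVE-2021-3594, CVE-2021-3592 and CVE-2021-3595, as an added example (not libslirp's code and not part of the original advisory): a datagram is rejected before any header field is read unless it holds a complete header, and the length field is then checked against the bytes received. The struct demo_udphdr, the function demo_udp_parse and the sample packets are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 8-byte UDP header (host order after parsing);
 * not libslirp's 'udphdr' definition. */
struct demo_udphdr { uint16_t sport, dport, len, csum; };

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_BAD_LEN = -2 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Validate a received datagram before any header field is read.
 * buf/buflen describe the bytes actually received. */
int demo_udp_parse(const uint8_t *buf, size_t buflen, struct demo_udphdr *out,
                   const uint8_t **payload, size_t *payload_len)
{
    /* 1. A whole header must be present; otherwise a header pointer
     *    would cover memory past the end of the received data. */
    if (buf == NULL || buflen < sizeof(struct demo_udphdr))
        return PARSE_TRUNCATED;

    out->sport = be16(buf);
    out->dport = be16(buf + 2);
    out->len   = be16(buf + 4);
    out->csum  = be16(buf + 6);

    /* 2. The length the sender claims must fit what was received. */
    if (out->len < sizeof(struct demo_udphdr) || out->len > buflen)
        return PARSE_BAD_LEN;

    *payload = buf + sizeof(struct demo_udphdr);
    *payload_len = out->len - sizeof(struct demo_udphdr);
    return PARSE_OK;
}

int main(void)
{
    /* Constructed samples: a 4-byte runt and a 12-byte datagram. */
    const uint8_t runt[4]  = { 0x00, 0x44, 0x00, 0x43 };
    const uint8_t good[12] = { 0x00, 0x44, 0x00, 0x43, 0x00, 0x0c, 0, 0,
                               'd', 'a', 't', 'a' };
    struct demo_udphdr h; const uint8_t *p; size_t n;
    printf("runt: %d\n", demo_udp_parse(runt, sizeof runt, &h, &p, &n));
    printf("good: %d\n", demo_udp_parse(good, sizeof good, &h, &p, &n));
    return 0;
}
```

The same two-step check applies to any layered header such as the 'bootp_t' and 'tftp_t' structures named above: confirm the remaining length covers the structure before a pointer to it is formed.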

For Debian 9 stretch, these problems have been fixed in version
1:2.8+dfsg-6+deb9u15.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qemu

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================