Sicherheit: Mehrere Probleme in QEMU

Lesezeichen hinzufügen

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============1249603817496396496==
Content-Type: multipart/signed; micalg=pgp-sha256;
protocol="application/pgp-signature";
boundary="joozWiD9nTqJ7nAJwqrujiFOKKeiGG93g"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--joozWiD9nTqJ7nAJwqrujiFOKKeiGG93g
Content-Type: multipart/mixed;
boundary="wbLXQodaJOlD4RkafHF5KEoQWWF6A3DAI";
protected-headers="v1"
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: "ubuntu-security-announce@lists.ubuntu.com"
<ubuntu-security-announce@lists.ubuntu.com>
Message-ID: <5ca6b0b9-cd57-1093-0b6f-3df02ae08f68@canonical.com>
Subject: [USN-5010-1] QEMU vulnerabilities

--wbLXQodaJOlD4RkafHF5KEoQWWF6A3DAI
Content-Type: text/plain; charset=utf-8
Content-Language: en-C
Content-Transfer-Encoding: quoted-printable

==========================================================================
Ubuntu Security Notice USN-5010-1
July 15, 2021

qemu vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 21.04
- Ubuntu 20.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer

Details:

Lei Sun discovered that QEMU incorrectly handled certain MMIO operations.
An attacker inside the guest could possibly use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2020-15469)

Wenxiang Qian discovered that QEMU incorrectly handled certain ATAPI
commands. An attacker inside the guest could possibly use this issue to
cause QEMU to crash, resulting in a denial of service. This issue only
affected Ubuntu 21.04. (CVE-2020-29443)

Cheolwoo Myung discovered that QEMU incorrectly handled SCSI device
emulation. An attacker inside the guest could possibly use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2020-35504,
CVE-2020-35505, CVE-2021-3392)

Alex Xu discovered that QEMU incorrectly handled the virtio-fs shared file
system daemon. An attacker inside the guest could possibly use this issue
to read and write to host devices. This issue only affected Ubuntu 20.10.
(CVE-2020-35517)

It was discovered that QEMU incorrectly handled ARM Generic Interrupt
Controller emulation. An attacker inside the guest could possibly use this
issue to cause QEMU to crash, resulting in a denial of service. This issue
only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 20.10.
(CVE-2021-20221)

Alexander Bulekov, Cheolwoo Myung, Sergej Schumilo, Cornelius Aschermann,
and Simon Werner discovered that QEMU incorrectly handled e1000 device
emulation. An attacker inside the guest could possibly use this issue to
cause QEMU to hang, resulting in a denial of service. This issue only
affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 20.10.
(CVE-2021-20257)

It was discovered that QEMU incorrectly handled SDHCI controller emulation.
An attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service, or possibly execute arbitrary code. In
the default installation, when QEMU is used in combination with libvirt,
attackers would be isolated by the libvirt AppArmor profile.
(CVE-2021-3409)

It was discovered that QEMU incorrectly handled certain NIC emulation
devices. An attacker inside the guest could possibly use this issue to
cause QEMU to hang or crash, resulting in a denial of service. This issue
only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 20.10.
(CVE-2021-3416)

Remy Noel discovered that QEMU incorrectly handled the USB redirector
device. An attacker inside the guest could possibly use this issue to
cause QEMU to consume resources, resulting in a denial of service.
(CVE-2021-3527)

It was discovered that QEMU incorrectly handled the virtio vhost-user GPU
device. An attacker inside the guest could possibly use this issue to cause
QEMU to consume resources, leading to a denial of service. This issue only
affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-3544)

It was discovered that QEMU incorrectly handled the virtio vhost-user GPU
device. An attacker inside the guest could possibly use this issue to
obtain sensitive host information. This issue only affected Ubuntu 20.04
LTS, Ubuntu 20.10, and Ubuntu 21.04. (CVE-2021-3545)

It was discovered that QEMU incorrectly handled the virtio vhost-user GPU
device. An attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service, or possibly execute arbitrary
code. In the default installation, when QEMU is used in combination with
libvirt, attackers would be isolated by the libvirt AppArmor profile. This
issue only affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04.
(CVE-2021-3546)

It was discovered that QEMU incorrectly handled the PVRDMA device. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service, or possibly execute arbitrary code. In
the default installation, when QEMU is used in combination with libvirt,
attackers would be isolated by the libvirt AppArmor profile. This issue
only affected Ubuntu 20.04 LTS, Ubuntu 20.10, and Ubuntu 21.04.
(CVE-2021-3582, CVE-2021-3607, CVE-2021-3608)

It was discovered that QEMU SLiRP networking incorrectly handled certain
udp packets. An attacker inside a guest could possibly use this issue to
leak sensitive information from the host. (CVE-2021-3592, CVE-2021-3593,
CVE-2021-3594, CVE-2021-3595)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 21.04:
qemu-system 1:5.2+dfsg-9ubuntu3.1
qemu-system-arm 1:5.2+dfsg-9ubuntu3.1
qemu-system-mips 1:5.2+dfsg-9ubuntu3.1
qemu-system-misc 1:5.2+dfsg-9ubuntu3.1
qemu-system-ppc 1:5.2+dfsg-9ubuntu3.1
qemu-system-s390x 1:5.2+dfsg-9ubuntu3.1
qemu-system-sparc 1:5.2+dfsg-9ubuntu3.1
qemu-system-x86 1:5.2+dfsg-9ubuntu3.1
qemu-system-x86-microvm 1:5.2+dfsg-9ubuntu3.1
qemu-system-x86-xen 1:5.2+dfsg-9ubuntu3.1

Ubuntu 20.10:
qemu-system 1:5.0-5ubuntu9.9
qemu-system-arm 1:5.0-5ubuntu9.9
qemu-system-mips 1:5.0-5ubuntu9.9
qemu-system-misc 1:5.0-5ubuntu9.9
qemu-system-ppc 1:5.0-5ubuntu9.9
qemu-system-s390x 1:5.0-5ubuntu9.9
qemu-system-sparc 1:5.0-5ubuntu9.9
qemu-system-x86 1:5.0-5ubuntu9.9
qemu-system-x86-microvm 1:5.0-5ubuntu9.9
qemu-system-x86-xen 1:5.0-5ubuntu9.9

Ubuntu 20.04 LTS:
qemu-system 1:4.2-3ubuntu6.17
qemu-system-arm 1:4.2-3ubuntu6.17
qemu-system-mips 1:4.2-3ubuntu6.17
qemu-system-misc 1:4.2-3ubuntu6.17
qemu-system-ppc 1:4.2-3ubuntu6.17
qemu-system-s390x 1:4.2-3ubuntu6.17
qemu-system-sparc 1:4.2-3ubuntu6.17
qemu-system-x86 1:4.2-3ubuntu6.17
qemu-system-x86-microvm 1:4.2-3ubuntu6.17
qemu-system-x86-xen 1:4.2-3ubuntu6.17

Ubuntu 18.04 LTS:
qemu-system 1:2.11+dfsg-1ubuntu7.37
qemu-system-arm 1:2.11+dfsg-1ubuntu7.37
qemu-system-mips 1:2.11+dfsg-1ubuntu7.37
qemu-system-misc 1:2.11+dfsg-1ubuntu7.37
qemu-system-ppc 1:2.11+dfsg-1ubuntu7.37
qemu-system-s390x 1:2.11+dfsg-1ubuntu7.37
qemu-system-sparc 1:2.11+dfsg-1ubuntu7.37
qemu-system-x86 1:2.11+dfsg-1ubuntu7.37

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References:
https://ubuntu.com/security/notices/USN-5010-1
CVE-2020-15469, CVE-2020-29443, CVE-2020-35504, CVE-2020-35505,
CVE-2020-35517, CVE-2021-20221, CVE-2021-20257, CVE-2021-3392,
CVE-2021-3409, CVE-2021-3416, CVE-2021-3527, CVE-2021-3544,
CVE-2021-3545, CVE-2021-3546, CVE-2021-3582, CVE-2021-3592,
CVE-2021-3593, CVE-2021-3594, CVE-2021-3595, CVE-2021-3607,
CVE-2021-3608

Package Information:
https://launchpad.net/ubuntu/+source/qemu/1:5.2+dfsg-9ubuntu3.1
https://launchpad.net/ubuntu/+source/qemu/1:5.0-5ubuntu9.9
https://launchpad.net/ubuntu/+source/qemu/1:4.2-3ubuntu6.17
https://launchpad.net/ubuntu/+source/qemu/1:2.11+dfsg-1ubuntu7.37

--wbLXQodaJOlD4RkafHF5KEoQWWF6A3DAI--

--joozWiD9nTqJ7nAJwqrujiFOKKeiGG93g
Content-Type: application/pgp-signature; name="OpenPGP_signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="OpenPGP_signature"

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEUMSg3c8x5FLOsZtRZWnYVadEvpMFAmDwhEgACgkQZWnYVadE
vpMzTQ//XGkAGXMQKLZgMPHEaErZ7NfBPmoFKHnCWe/TdlzbQr4rhOhlOYxq92Ab
0ZoX3ACEFeT7BC5cfuSgtZvPvLHpmg9gpbZrVRz9k8g9cNLobdFL3cXrA7EiKdta
CFA2pZjpgsawcWEKUTa8WqtMpOvGl9c726iNWK2SY3TkRFxmkIPmhKG2lK0Q+sci
IqJp0JZ4X8YplPAP1JcgmYiTzat06AlXdJYKCCUWGPka23+HrPVzQ+f2QMsXG9x7
66QIktB/cIikBf4grGRpy8oS7KyRc9W+TzxOiGpoO4PU7B/dE7CDfq+LWolXIDXC
b/cJ03hzZvPRUMd/pyOaNFqG58DypbjU38z9kZ1BFssGNjthwZsjtqUkQm3WUFd2
0VpKIUAB+nvob3jLWHjK6B2fSHHNRjjuxEklk5ZVY4BU0se1vzT9KfzA6pCJwIT/
yzx4EkLMlggnADYItI7AClw0LGeZIVK8KbUYr/aMnaGge5nQoiPywE1+9sFIH9Ue
VZ7z9sPZAqjfxJc4WvUTaYcbJmv1qJwitXaySU+sURvegnAk7Ynek3Yrkz7WAuAA
whUZavCkXjvYxtMrQGvOmZtElbysAyKso6jMMtRblOLezUUa+ovsTGI46shO/A+D
ERGvhqMGCSxmjXGNanjKJkFzm9YHNAw9PP0O4ZEOv6uYM93ACxs=
=Z+oz
-----END PGP SIGNATURE-----

--joozWiD9nTqJ7nAJwqrujiFOKKeiGG93g--

--===============1249603817496396496==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline

LS0gCnVidW50dS1zZWN1cml0eS1hbm5vdW5jZSBtYWlsaW5nIGxpc3QKdWJ1bnR1LXNlY3VyaXR5
LWFubm91bmNlQGxpc3RzLnVidW50dS5jb20KTW9kaWZ5IHNldHRpbmdzIG9yIHVuc3Vic2NyaWJl
IGF0OiBodHRwczovL2xpc3RzLnVidW50dS5jb20vbWFpbG1hbi9saXN0aW5mby91YnVudHUtc2Vj
dXJpdHktYW5ub3VuY2UK

--===============1249603817496396496==--