Description
ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.
A heap buffer overflow issue was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the ip_reass() routine while reassembling incoming packets if the first fragment is bigger than the m->m_dat[] buffer. An attacker could use this flaw to crash the QEMU process on the host, resulting in a Denial of Service or potentially executing arbitrary code with privileges of the QEMU process.
Report
Red Hat OpenStack Platform:
- This flaw impacts KVM user-mode or SLIRP networking, which is not used in Red Hat OpenStack Platform. Although updating is recommended for affected versions (see below), Red Hat OpenStack Platform environments are not vulnerable.
- Because the flaw's impact is Low, it will not be fixed in Red Hat OpenStack Platform 9 which is retiring within a few weeks of the flaw's public date.
Mitigation
There is no external mitigation to prevent this out-of-bounds heap memory access.
Affected packages
Platform | Package | State | Advisory | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | kvm | Out of support scope | | |
Red Hat Enterprise Linux 5 | xen | Not affected | | |
Red Hat Enterprise Linux 8 Advanced Virtualization | qemu-kvm | Affected | | |
Red Hat OpenShift Container Platform 4 | slirp4netns | Not affected | | |
Red Hat OpenStack Platform 9 (Mitaka) | qemu-kvm-rhev | Will not fix | | |
Advanced Virtualization for RHEL 8.1.0 | virt | Fixed | RHBA-2019:3723 | 06.11.2019 |
Advanced Virtualization for RHEL 8.1.0 | virt-devel | Fixed | RHBA-2019:3723 | 06.11.2019 |
Red Hat Enterprise Linux 6 | qemu-kvm | Fixed | RHSA-2020:0775 | 10.03.2020 |
Red Hat Enterprise Linux 7 | qemu-kvm-ma | Fixed | RHSA-2019:3968 | 26.11.2019 |
Red Hat Enterprise Linux 7 | qemu-kvm | Fixed | RHSA-2020:0366 | 04.02.2020 |
Additional information
Status:
EPSS
CVSS3: 7 High
Related vulnerabilities
A vulnerability in the ip_reass function of ip_input.c in the Libslirp TCP-IP emulator library that allows an attacker to gain unauthorized access to information, cause a denial of service, or affect the availability of information