CVE-2021-3713
Published: 25 August 2021
An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.
Notes
| Author | Note |
|---|---|
| sbeattie | Red Hat claims UAS (usb attached scsi) device emulation is not supported by libvirt |
| mdeslaur | introduced in 1.5.0 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
qemu Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(1:2.11+dfsg-1ubuntu7.37)
|
| focal |
Not vulnerable
(1:4.2-3ubuntu6.17)
|
|
| hirsute |
Ignored
(reached end-of-life)
|
|
| impish |
Released
(1:6.0+dfsg-2expubuntu1.2)
|
|
| jammy |
Released
(1:6.2+dfsg-2ubuntu5)
|
|
| trusty |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
|
|
|
Patches: upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=13b250b12ad3c59114a6a17d59caf073ce45b33a |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.4 |
| Attack vector | Physical |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Changed |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |