CVE-2021-3713
Published: 25 August 2021
An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest-supplied stream number without checking it, which can lead to out-of-bounds access to the UASDevice->data3 and UASDevice->status3 fields. A malicious guest user could use this flaw to crash QEMU or potentially achieve code execution with the privileges of the QEMU process on the host.
Notes
Author | Note |
---|---|
sbeattie | Red Hat claims UAS (usb attached scsi) device emulation is not supported by libvirt |
mdeslaur | introduced in 1.5.0 |
Priority
Status
Package | Release | Status |
---|---|---|
qemu | bionic | Not vulnerable (1:2.11+dfsg-1ubuntu7.37) |
qemu | focal | Not vulnerable (1:4.2-3ubuntu6.17) |
qemu | hirsute | Ignored (reached end-of-life) |
qemu | impish | Released (1:6.0+dfsg-2expubuntu1.2) |
qemu | jammy | Released (1:6.2+dfsg-2ubuntu5) |
qemu | trusty | Not vulnerable |
qemu | upstream | Needs triage |
qemu | xenial | Not vulnerable |

Patches: upstream: https://git.qemu.org/?p=qemu.git;a=commit;h=13b250b12ad3c59114a6a17d59caf073ce45b33a
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.4 |
Attack vector | Physical |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Changed |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |