Security Vulnerabilities in QEMU Affect Multiple Ubuntu Versions
Quick take - On November 8, 2024, security vulnerabilities in QEMU affecting multiple versions of Ubuntu were addressed, with users advised to update their systems and restart QEMU virtual machines to mitigate risks.
Fast Facts
- On November 8, 2024, multiple security vulnerabilities in QEMU were addressed, affecting various Ubuntu LTS versions (14.04 to 24.10).
- Critical vulnerabilities include improper memory handling, memory copy issues, and networking problems, with potential impacts like denial of service and arbitrary code execution.
- Ubuntu Pro offers ten years of security coverage for over 25,000 packages, free for up to five machines.
- Users are advised to update their systems and restart all QEMU virtual machines to mitigate these vulnerabilities.
- Specific CVEs related to the vulnerabilities have been documented for further reference, including CVE-2023-3019 and CVE-2024-4693.
Security Vulnerabilities in QEMU Addressed
On November 8, 2024, a series of security vulnerabilities affecting QEMU, a widely used open-source machine emulator and virtualizer, were addressed. These vulnerabilities impact various versions of Ubuntu, specifically versions 14.04 LTS, 16.04 LTS, 18.04 LTS, 20.04 LTS, 22.04 LTS, 24.04 LTS, and 24.10.
Ubuntu Pro Security Coverage
Ubuntu Pro offers ten years of security coverage for over 25,000 packages found in the Main and Universe repositories. This coverage is available for free for up to five machines.
Identified Vulnerabilities
Several critical vulnerabilities have been identified, primarily affecting Ubuntu 14.04 LTS:
- CVE-2019-20382: Involved improper memory handling during certain VNC operations, potentially allowing a remote attacker to cause a denial of service.
- CVE-2020-13765: Related to memory copy operations when loading ROM contents, which could lead to arbitrary code execution if an untrusted kernel image was executed.
- CVE-2020-1983: Problems in QEMU’s handling of SLiRP networking could result in crashes or arbitrary code execution.
- CVE-2020-7039: Memory management issues in SLiRP networking could lead to denial of service or arbitrary code execution.
- CVE-2020-8608: Mismanagement of snprintf return values in SLiRP networking could enable denial of service or arbitrary code execution.
- CVE-2021-3592 and CVE-2021-3594: Incorrect handling of specific UDP packets could allow information leakage from the host, affecting both Ubuntu 14.04 LTS and 16.04 LTS.
Additionally, vulnerabilities affecting newer versions have been identified:
- CVE-2023-3019: A DMA reentrancy issue resulting in a use-after-free vulnerability, potentially causing denial of service. It affects Ubuntu versions 18.04 LTS, 20.04 LTS, and 22.04 LTS.
- CVE-2024-4693: A flaw in Virtio PCI Bindings that could lead to crashes through vhost_net_stop, impacting Ubuntu 24.04 LTS and 24.10.
- CVE-2024-7730: A heap-based buffer overflow in virtio-sound that could result in denial of service or arbitrary code execution, also affecting Ubuntu 24.04 LTS and 24.10.
Recommended Actions
Users are strongly advised to update their systems to the specified package versions to mitigate these vulnerabilities. After updating, all QEMU virtual machines must be restarted, because a running QEMU process keeps executing the old code until it is restarted. For further reading, the related CVEs and several Ubuntu Security Notices (USNs) covering the affected QEMU components have been referenced.
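One way to confirm that no virtual machine is still running pre-update code after the package upgrade, as an added example that is not part of the original article. It assumes a Linux host whose QEMU processes are named qemu-system-* or qemu-kvm; the function name stale_qemu_pids and its output labels are made up for this illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): after upgrading the qemu packages,
# list QEMU processes that still execute the pre-upgrade code.
# Linux marks a replaced on-disk file as "(deleted)" in /proc/<pid>/exe and
# /proc/<pid>/maps while a running process keeps the old copy mapped.

# stale_qemu_pids [PROC_ROOT]
# Prints one "<pid> <reason>" line per QEMU process that needs a restart.
# PROC_ROOT defaults to /proc; it is a parameter so the check can be
# exercised against a constructed directory tree.
stale_qemu_pids() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # Unreadable links (other users' processes without root) are skipped.
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        # Only consider QEMU system emulators (assumed names, see lead-in).
        case "${exe##*/}" in
            qemu-system-*|qemu-kvm*) ;;
            *) continue ;;
        esac
        pid="${dir##*/}"
        case "$exe" in
            *" (deleted)")
                echo "$pid binary-replaced"
                continue ;;
        esac
        # Binary unchanged, but a shared library it loaded may have been upgraded.
        if grep -Eq '\.so[.0-9]* \(deleted\)$' "$dir/maps" 2>/dev/null; then
            echo "$pid library-replaced"
        fi
    done
}

# Run against the live system when executed directly (root is needed to see all VMs).
stale_qemu_pids "${1:-/proc}"
```

An empty result means every QEMU process found was started from the files currently on disk; any listed PID belongs to a guest that still has to be shut down and started again.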