Bug 1835986 (CVE-2020-10756)
| Summary: | CVE-2020-10756 QEMU: slirp: networking out-of-bounds read information disclosure vulnerability | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | ajia, amit, bbennett, berrange, bmontgom, cfergeau, dbecker, ddepaula, dwmw2, eparis, gscrivan, itamar, jburrell, jen, jferlan, jjoyce, jmaloy, jnovy, jokerman, jschluet, knoel, lhh, lpeer, lsm5, marcandre.lureau, mburns, mkenneth, mpatel, mrezanin, mst, nstielau, pbonzini, ribarry, rjones, sclewis, security-response-team, slinaber, sponnaga, virt-maint, wquan |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | libslirp 4.3.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-09-01 13:17:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1836436, 1836437, 1837584, 1837585, 1837586, 1837587, 1837588, 1837589, 1837778, 1838092, 1838172, 1838177, 1842565, 1842566, 1842567, 1862093, 1867075, 1870421, 1910691, 1918054, 1918061 | | |
| Bug Blocks: | 1826859 | | |
Description
Mauro Matteo Cascella
2020-05-14 20:43:55 UTC
OpenShift 4 packages slirp4netns, which vendors in libslirp v4.1.0. Additionally, I have checked that the code, ip6_icmp.c, does contain the vulnerable memcpy.

While processing an incoming ICMPv6 echo request, function icmp6_send_echoreply() does not validate the IPv6 payload length (ip->ip_pl), which is then used as the size of memcpy() to create the destination packet. A malicious user could trick memcpy() into copying more data than allowed, thus potentially leaking the contents of the host memory.

Lowering impact for OpenShift to Low. The library slirp4netns is a dependency of podman; however, podman doesn't set the --enable-ipv6 flag, leaving the affected state though, as we still ship the code and don't know if it will be enabled in future.

Acknowledgments:

Name: Ziming Zhang (Qi An Xin Group), VictorV (360 Vulcan Team)

Created libslirp tracking bugs for this issue:

Affects: epel-8 [bug 1842567]
Affects: fedora-all [bug 1842566]

Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1842565]

Upstream fix: https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0

hello, Mauro Matteo Cascella

Do we have this CVE's reproducer? Thanks,

In reply to comment #40:
> hello, Mauro Matteo Cascella
>
> Do we have this CVE's reproducer? Thanks,

Yes, we do have a private reproducer for this issue. Please contact me directly via IRC or email.

External References:

https://www.zerodayinitiative.com/advisories/ZDI-20-1005/

This issue has been addressed in the following products:

Advanced Virtualization for RHEL 8.2.1

Via RHSA-2020:3586 https://access.redhat.com/errata/RHSA-2020:3586

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10756

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4059 https://access.redhat.com/errata/RHSA-2020:4059

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4694 https://access.redhat.com/errata/RHSA-2020:4694

Statement:

This flaw did not affect the versions of SLiRP embedded in `qemu-kvm` as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include support for ICMPv6, which was introduced in a later version of the package.

OpenShift 4.x packages slirp4netns as a dependency of podman; however, podman doesn't set the --enable-ipv6 flag. Hence the impact has been reduced to Low, as the code is still being packaged and podman might decide to enable IPv6 in future.

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP qemu-kvm-rhev package.
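The unchecked length-to-memcpy pattern the report describes, beside the bounds check that closes it, as an added C illustration written for this page (not libslirp's own code or its fix; the flat packet buffer, the reply buffer size and the function names are simplified assumptions, and the sample packet is constructed):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IP6_HDR_LEN 40      /* fixed IPv6 header; payload length at bytes 4..5 */
#define REPLY_BUF_LEN 1500  /* assumed reply buffer size, not libslirp's mbuf */

/* Payload length declared in the IPv6 header: the guest-controlled ip->ip_pl. */
static uint16_t declared_payload_len(const uint8_t *hdr)
{
    return (uint16_t)((hdr[4] << 8) | hdr[5]);
}

/* Vulnerable pattern: the copy size comes only from the header field, so a
 * guest can claim more payload than it sent. Returned, not used, so no OOB. */
size_t unchecked_copy_len(const uint8_t *hdr)
{
    return IP6_HDR_LEN + declared_payload_len(hdr);
}

/* Hardened: copy only what the received byte count (m_len) backs and the
 * destination holds. Returns bytes copied, or -1 when the packet is dropped. */
long safe_echoreply_copy(const uint8_t *pkt, size_t m_len,
                         uint8_t *reply, size_t reply_len)
{
    size_t want;
    if (m_len < IP6_HDR_LEN)
        return -1;                      /* no complete IPv6 header */
    want = IP6_HDR_LEN + declared_payload_len(pkt);
    if (want > m_len)
        return -1;                      /* header claims more than received */
    if (want > reply_len)
        return -1;                      /* would overrun the destination */
    memcpy(reply, pkt, want);
    return (long)want;
}

/* Constructed sample: 'received' bytes on the wire, header claiming 'claimed'
 * payload bytes. Returns what safe_echoreply_copy decides for it. */
long check_sample(uint16_t claimed, size_t received)
{
    uint8_t pkt[REPLY_BUF_LEN] = { 0 }, reply[REPLY_BUF_LEN];
    if (received > sizeof pkt)
        return -1;
    pkt[0] = 0x60;                      /* IPv6 version nibble */
    pkt[4] = (uint8_t)(claimed >> 8);   /* payload length, big-endian */
    pkt[5] = (uint8_t)(claimed & 0xff);
    pkt[6] = 58;                        /* next header: ICMPv6 */
    return safe_echoreply_copy(pkt, received, reply, sizeof reply);
}
```

A detection-minded reviewer can grep for the same shape elsewhere: any memcpy whose length is taken from a header field without being compared against the bytes actually received.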