Bug 1835986 (CVE-2020-10756)

Summary: CVE-2020-10756 QEMU: slirp: networking out-of-bounds read information disclosure vulnerability
Product: [Other] Security Response
Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ajia, amit, bbennett, berrange, bmontgom, cfergeau, dbecker, ddepaula, dwmw2, eparis, gscrivan, itamar, jburrell, jen, jferlan, jjoyce, jmaloy, jnovy, jokerman, jschluet, knoel, lhh, lpeer, lsm5, marcandre.lureau, mburns, mkenneth, mpatel, mrezanin, mst, nstielau, pbonzini, ribarry, rjones, sclewis, security-response-team, slinaber, sponnaga, virt-maint, wquan
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: libslirp 4.3.1
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-09-01 13:17:28 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1836436, 1836437, 1837584, 1837585, 1837586, 1837587, 1837588, 1837589, 1837778, 1838092, 1838172, 1838177, 1842565, 1842566, 1842567, 1862093, 1867075, 1870421, 1910691, 1918054, 1918061
Bug Blocks: 1826859

Description Mauro Matteo Cascella 2020-05-14 20:43:55 UTC
An out-of-bounds read vulnerability in function icmp6_send_echoreply() in ip6_icmp.c of libslirp could allow a guest user/process to leak contents of the host memory, leading to possible information disclosure.

Comment 4 Mark Cooper 2020-05-20 00:28:42 UTC
OpenShift 4 packages slirp4netns which vendors in libslirp v4.1.0. 

Additionally, I have checked that the code (ip6_icmp.c) does contain the vulnerable memcpy.

Comment 11 Mauro Matteo Cascella 2020-05-20 16:05:47 UTC
While processing an incoming ICMPv6 echo request, function icmp6_send_echoreply() does not validate the IPv6 payload length (ip->ip_pl) which is then used as the size of memcpy() to create the destination packet. A malicious user could be able to trick memcpy() into copying more data than allowed, thus potentially leaking the contents of the host memory.

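The following is an added example written for this page; it is not libslirp's own code and not the private reproducer mentioned later in this bug. It sketches the bug class comment 11 describes: an ICMPv6 echo-reply builder that takes its copy size from the guest-controlled IPv6 payload length field, together with the one bounds check (field value against the bytes actually received) that keeps the memcpy() inside the packet buffer. The header offsets are the standard IPv6/ICMPv6 layout; the function names, return codes and the constructed sample packet are assumptions for illustration and do not mirror libslirp's mbuf or ip6 structures.

```c
/*
 * Added example (not libslirp code). Builds an ICMPv6 echo reply from a
 * received IPv6 packet, validating the payload length field before it is
 * used as a memcpy() size. Names, return codes and the sample packet are
 * assumptions for illustration.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IP6_HLEN          40   /* fixed IPv6 header length */
#define IP6_OFF_PLEN       4   /* 16-bit payload length field */
#define IP6_OFF_NXT        6   /* next-header field */
#define IP6_OFF_SRC        8   /* 16-byte source address */
#define IP6_OFF_DST       24   /* 16-byte destination address */
#define IP6_PROTO_ICMPV6  58
#define ICMP6_ECHO_REQ   128
#define ICMP6_ECHO_REP   129
#define ICMP6_ECHO_HLEN    8   /* type, code, checksum, identifier, sequence */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/*
 * Returns the number of bytes written to out, or a negative code when the
 * request is rejected. pkt_len is the number of bytes actually received,
 * which is the only trustworthy bound on how much may be read from pkt.
 */
int build_echo_reply(const uint8_t *pkt, size_t pkt_len, uint8_t *out, size_t out_cap)
{
    if (pkt_len < IP6_HLEN + ICMP6_ECHO_HLEN) return -1;   /* truncated frame */
    if ((pkt[0] >> 4) != 6) return -2;                      /* not IPv6 */
    if (pkt[IP6_OFF_NXT] != IP6_PROTO_ICMPV6) return -3;
    if (pkt[IP6_HLEN] != ICMP6_ECHO_REQ) return -4;

    /* Guest-controlled: the sender wrote this field; nothing has checked it yet. */
    size_t plen = rd16(pkt + IP6_OFF_PLEN);

    /*
     * The bug class: using plen directly as the copy size. A value larger
     * than the bytes received makes memcpy() read past the end of the packet
     * buffer into whatever host memory follows it, and those bytes then go
     * back to the guest inside the reply.
     */
    if (plen < ICMP6_ECHO_HLEN) return -5;                  /* too short for an echo */
    if (plen > pkt_len - IP6_HLEN) return -6;               /* the check that was missing */

    size_t total = IP6_HLEN + plen;                          /* now <= pkt_len */
    if (total > out_cap) return -7;

    memcpy(out, pkt, total);
    memcpy(out + IP6_OFF_SRC, pkt + IP6_OFF_DST, 16);        /* reply goes back to the sender */
    memcpy(out + IP6_OFF_DST, pkt + IP6_OFF_SRC, 16);
    out[IP6_HLEN] = ICMP6_ECHO_REP;
    wr16(out + IP6_HLEN + 2, 0);   /* checksum zeroed; recomputing it is outside this example */
    return (int)total;
}

/* Constructed sample: IPv6 header + 8-byte echo request, with a caller-chosen
 * payload length field so the field can disagree with the real size. */
static size_t make_echo_request(uint8_t *buf, size_t cap, uint16_t claimed_plen)
{
    size_t n = IP6_HLEN + ICMP6_ECHO_HLEN;
    if (cap < n) return 0;
    memset(buf, 0, n);
    buf[0] = 0x60;                              /* version 6 */
    wr16(buf + IP6_OFF_PLEN, claimed_plen);
    buf[IP6_OFF_NXT] = IP6_PROTO_ICMPV6;
    buf[7] = 64;                                /* hop limit */
    buf[IP6_OFF_SRC + 15] = 1;                  /* ::1 */
    buf[IP6_OFF_DST + 15] = 2;                  /* ::2 */
    buf[IP6_HLEN] = ICMP6_ECHO_REQ;
    return n;
}

/* Feeds a request whose payload length field claims claimed_plen bytes
 * (while only 8 are really present) and returns build_echo_reply's result. */
int reply_result_for(uint16_t claimed_plen)
{
    uint8_t pkt[64], out[128];
    size_t n = make_echo_request(pkt, sizeof pkt, claimed_plen);
    return build_echo_reply(pkt, n, out, sizeof out);
}

int main(void)
{
    printf("honest plen 8  -> %d\n", reply_result_for(8));      /* 48: reply built */
    printf("claimed 0xffff -> %d\n", reply_result_for(0xffff)); /* -6: rejected */
    return 0;
}
```

Without the `plen > pkt_len - IP6_HLEN` line, the 0xffff case would copy 65575 bytes out of a 48-byte buffer; the point of the example is that the received length, not the header field, is the bound the copy must respect.
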
Comment 12 Mark Cooper 2020-05-22 01:45:46 UTC
Lowering impact for OpenShift to Low. 

The library slirp4netns is a dependency of podman; however, podman doesn't set the --enable-ipv6 flag. Leaving the affected state, though, as we still ship the code and don't know if it will be enabled in future.

Comment 20 Mauro Matteo Cascella 2020-05-27 16:17:43 UTC
Acknowledgments:

Name: Ziming Zhang (Qi An Xin Group), VictorV (360 Vulcan Team)

Comment 22 Mauro Matteo Cascella 2020-06-01 14:37:58 UTC
Created libslirp tracking bugs for this issue:

Affects: epel-8 [bug 1842567]
Affects: fedora-all [bug 1842566]


Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1842565]

Comment 40 Quan Wenli 2020-08-20 04:20:25 UTC
hello, Mauro Matteo Cascella

Do we have this CVE's reproducer?  Thanks,

Comment 42 Mauro Matteo Cascella 2020-08-27 12:53:16 UTC
In reply to comment #40:
> hello, Mauro Matteo Cascella
> 
> Do we have this CVE's reproducer?  Thanks,

Yes, we do have a private reproducer for this issue. Please contact me directly via IRC or email.

Comment 44 Mauro Matteo Cascella 2020-08-27 13:22:52 UTC
External References:

https://www.zerodayinitiative.com/advisories/ZDI-20-1005/

Comment 45 errata-xmlrpc 2020-09-01 09:38:54 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2020:3586 https://access.redhat.com/errata/RHSA-2020:3586

Comment 46 Product Security DevOps Team 2020-09-01 13:17:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10756

Comment 52 errata-xmlrpc 2020-09-29 08:54:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4059 https://access.redhat.com/errata/RHSA-2020:4059

Comment 53 errata-xmlrpc 2020-11-04 03:05:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4694 https://access.redhat.com/errata/RHSA-2020:4694

Comment 55 Nick Tait 2021-03-02 19:49:00 UTC
Statement:

This flaw did not affect the versions of SLiRP embedded in `qemu-kvm` as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include support for ICMPv6, which was introduced in a later version of the package.

OpenShift 4.x packages slirp4netns as a dependency of podman; however, podman doesn't set the --enable-ipv6 flag. Hence the impact has been reduced to low, as the code is still being packaged and podman might decide to enable IPv6 in future.

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP qemu-kvm-rhev package.