Bug 1835986 (CVE-2020-10756) - CVE-2020-10756 QEMU: slirp: networking out-of-bounds read information disclosure vulnerability
Summary: CVE-2020-10756 QEMU: slirp: networking out-of-bounds read information disclos...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10756
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: Red Hat1836436 Red Hat1836437 Engineering1837584 Engineering1837585 Engineering1837586 Engineering1837587 Engineering1837588 Engineering1837589 Embargoed1837778 Engineering1838092 Engineering1838172 Engineering1838177 1842565 1842566 1842567 Red Hat1862093 Red Hat1867075 Red Hat1870421 Red Hat1910691 Engineering1918054 Engineering1918061
Blocks: Embargoed1826859
TreeView+ depends on / blocked
 
Reported: 2020-05-14 20:43 UTC by Mauro Matteo Cascella
Modified: 2022-04-17 20:56 UTC (History)
41 users (show)

Fixed In Version: libslirp 4.3.1
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure.
Clone Of:
Environment:
Last Closed: 2020-09-01 13:17:28 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3586 0 None None None 2020-09-01 09:39:00 UTC
Red Hat Product Errata RHSA-2020:4059 0 None None None 2020-09-29 08:54:16 UTC
Red Hat Product Errata RHSA-2020:4694 0 None None None 2020-11-04 03:05:06 UTC

Description Mauro Matteo Cascella 2020-05-14 20:43:55 UTC 
An out-of-bounds read vulnerability in function icmp6_send_echoreply() in ip6_icmp.c of libslirp could allow a guest user/process to leak contents of the host memory, leading to possible information disclosure.
Comment 4 Mark Cooper 2020-05-20 00:28:42 UTC 
OpenShift 4 packages slirp4netns which vendors in libslirp v4.1.0. 

Additionally have checked that the code, ip6_icmp.c, does contain the vulnerable memcpy.
Comment 11 Mauro Matteo Cascella 2020-05-20 16:05:47 UTC 
While processing an incoming ICMPv6 echo request, function icmp6_send_echoreply() does not validate the IPv6 payload length (ip->ip_pl) which is then used as the size of memcpy() to create the destination packet. A malicious user could be able to trick memcpy() into copying more data than allowed, thus potentially leaking the contents of the host memory.
Comment 12 Mark Cooper 2020-05-22 01:45:46 UTC 
Lowering impact for OpenShift to Low. 

The library slirp4netns is a dependency of podman, however podman doesn't set the --enable-ipv6 flag, leaving the affected state tho as we still ship the code and don't know if it will be enabled in future.
Comment 20 Mauro Matteo Cascella 2020-05-27 16:17:43 UTC 
Acknowledgments:

Name: Ziming Zhang (Qi An Xin Group), VictorV (360 Vulcan Team)
Comment 22 Mauro Matteo Cascella 2020-06-01 14:37:58 UTC 
Created libslirp tracking bugs for this issue:

Affects: epel-8 [bug 1842567]
Affects: fedora-all [bug 1842566]


Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1842565]
Comment 27 Mauro Matteo Cascella 2020-07-08 08:03:57 UTC 
Upstream fix:
https://gitlab.freedesktop.org/slirp/libslirp/-/commit/c7ede54cbd2e2b25385325600958ba0124e31cc0
Comment 40 Quan Wenli 2020-08-20 04:20:25 UTC 
hello, Mauro Matteo Cascella

Do we have this CVE's reproducer?  Thanks,
Comment 42 Mauro Matteo Cascella 2020-08-27 12:53:16 UTC 
In reply to comment #40:
> hello, Mauro Matteo Cascella
> 
> Do we have this CVE's reproducer?  Thanks,

Yes, we do have a private reproducer for this issue. Please contact me directly via IRC or email.
Comment 44 Mauro Matteo Cascella 2020-08-27 13:22:52 UTC 
External References:

https://www.zerodayinitiative.com/advisories/ZDI-20-1005/
Comment 45 errata-xmlrpc 2020-09-01 09:38:54 UTC 
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2020:3586 https://access.redhat.com/errata/RHSA-2020:3586
Comment 46 Product Security DevOps Team 2020-09-01 13:17:28 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10756
Comment 52 errata-xmlrpc 2020-09-29 08:54:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4059 https://access.redhat.com/errata/RHSA-2020:4059
Comment 53 errata-xmlrpc 2020-11-04 03:05:02 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4694 https://access.redhat.com/errata/RHSA-2020:4694
Comment 55 Nick Tait 2021-03-02 19:49:00 UTC 
Statement:

This flaw did not affect the versions of SLiRP embedded in `qemu-kvm` as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include support for ICMPv6, which was introduced in a later version of the package.

OpenShift 4.x packages slirp4netns  as a dependency of podman however podman doesn't set the --enable-ipv6 flag. Hence the impact has been reduced to low, as the code is still being packaged and podman might decide to enable IPv6 in future.

In Red Hat OpenStack Platform, because the flaw has a lower impact and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP qemu-kvm-rhev package.
Note You need to log in before you can comment on or make changes to this bug.