Bug 1835986 (CVE-2020-10756) - CVE-2020-10756 QEMU: slirp: networking out-of-bounds read information disclosure vulnerability
Summary: CVE-2020-10756 QEMU: slirp: networking out-of-bounds read information disclos...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10756
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1836437 1838172 1838177 1842565 1836436 1837584 1837585 1837586 1837587 1837588 1837589 1837778 1838092 1842566 1842567 1862093 1867075 1870421
Blocks: 1826859
TreeView+ depends on / blocked
 
Reported: 2020-05-14 20:43 UTC by Mauro Matteo Cascella
Modified: 2020-11-04 03:05 UTC (History)
41 users (show)

Fixed In Version: libslirp 4.3.1
Doc Type: If docs needed, set a value
Doc Text:
An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure.
Clone Of:
Environment:
Last Closed: 2020-09-01 13:17:28 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3586 None None None 2020-09-01 09:39:00 UTC
Red Hat Product Errata RHSA-2020:4059 None None None 2020-09-29 08:54:16 UTC
Red Hat Product Errata RHSA-2020:4694 None None None 2020-11-04 03:05:06 UTC

Description Mauro Matteo Cascella 2020-05-14 20:43:55 UTC
An out-of-bounds read vulnerability in function icmp6_send_echoreply() in ip6_icmp.c of libslirp could allow a guest user/process to leak contents of the host memory, leading to possible information disclosure.

Comment 4 Mark Cooper 2020-05-20 00:28:42 UTC
OpenShift 4 packages slirp4netns which vendors in libslirp v4.1.0. 

Additionally have checked that the code, ip6_icmp.c, does contain the vulnerable memcpy.

Comment 11 Mauro Matteo Cascella 2020-05-20 16:05:47 UTC
While processing an incoming ICMPv6 echo request, function icmp6_send_echoreply() does not validate the IPv6 payload length (ip->ip_pl) which is then used as the size of memcpy() to create the destination packet. A malicious user could be able to trick memcpy() into copying more data than allowed, thus potentially leaking the contents of the host memory.

Comment 12 Mark Cooper 2020-05-22 01:45:46 UTC
Lowering impact for OpenShift to Low. 

The library slirp4netns is a dependency of podman, however podman doesn't set the --enable-ipv6 flag, leaving the affected state tho as we still ship the code and don't know if it will be enabled in future.

Comment 13 Mark Cooper 2020-05-25 06:09:45 UTC
Statement:

This flaw did not affect the versions of SLiRP embedded in `qemu-kvm` as shipped with Red Hat Enterprise Linux 6 and 7, as they did not include support for ICMPv6, which was introduced in a later version of the package.

OpenShift 4.x packages slirp4netns  as a dependency of podman however podman doesn't set the --enable-ipv6 flag. Hence the impact has been reduced to low, as the code is still being packaged and podman might decide to enable IPv6 in future.

Comment 20 Mauro Matteo Cascella 2020-05-27 16:17:43 UTC
Acknowledgments:

Name: Ziming Zhang (Qi An Xin Group), VictorV (360 Vulcan Team)

Comment 22 Mauro Matteo Cascella 2020-06-01 14:37:58 UTC
Created libslirp tracking bugs for this issue:

Affects: epel-8 [bug 1842567]
Affects: fedora-all [bug 1842566]


Created qemu tracking bugs for this issue:

Affects: fedora-all [bug 1842565]

Comment 40 Quan Wenli 2020-08-20 04:20:25 UTC
hello, Mauro Matteo Cascella

Do we have this CVE's reproducer?  Thanks,

Comment 42 Mauro Matteo Cascella 2020-08-27 12:53:16 UTC
In reply to comment #40:
> hello, Mauro Matteo Cascella
> 
> Do we have this CVE's reproducer?  Thanks,

Yes, we do have a private reproducer for this issue. Please contact me directly via IRC or email.

Comment 44 Mauro Matteo Cascella 2020-08-27 13:22:52 UTC
External References:

https://www.zerodayinitiative.com/advisories/ZDI-20-1005/

Comment 45 errata-xmlrpc 2020-09-01 09:38:54 UTC
This issue has been addressed in the following products:

  Advanced Virtualization for RHEL 8.2.1

Via RHSA-2020:3586 https://access.redhat.com/errata/RHSA-2020:3586

Comment 46 Product Security DevOps Team 2020-09-01 13:17:28 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10756

Comment 52 errata-xmlrpc 2020-09-29 08:54:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4059 https://access.redhat.com/errata/RHSA-2020:4059

Comment 53 errata-xmlrpc 2020-11-04 03:05:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4694 https://access.redhat.com/errata/RHSA-2020:4694


Note You need to log in before you can comment on or make changes to this bug.