Shulou (Shulou.com), 06/01 report. Updated 2025-01-19.
CVE-2020-14364: notice on the QEMU USB module out-of-bounds read/write vulnerability
This notice covers the vulnerability, its risk rating, the patch, the affected versions and the remediation advice.
0x01 Vulnerability overview
On August 25th, 2020, 360CERT monitoring found that QEMU had issued a risk notice for an out-of-bounds memory access vulnerability in QEMU. The vulnerability number is CVE-2020-14364, the vulnerability level is high risk, and the vulnerability score is 8.2.
QEMU has released security patches.
By constructing special in-memory data, an attacker can escape from the virtual machine and execute arbitrary code.
The vulnerability was disclosed by the 360VulcanTeam at ISC2020, the eighth Internet Security Conference, on August 13, 2020.
360CERT recommends that users apply the latest QEMU fix promptly, and that they review their assets and put preventive measures in place to avoid attacks.
0x02 Risk rating
360CERT's assessment of the vulnerability is as follows:
Assessment method: level
Threat level: high risk
Impact surface: extensive
360CERT score: 8.2
0x03 Vulnerability details
CVE-2020-14364: out-of-bounds memory access vulnerability
The vulnerability lies in the QEMU USB module and can cause out-of-bounds reads and writes, which can lead to virtual machine escape.
@ @-129 ep 6 + 129 ep 7 @ @ void usb_wakeup (USBEndpoint * ep, unsigned int stream)
Static void do_token_setup (USBDevice * s, USBPacket * p)
{
Int request, value, index
+ unsigned int setup_len
If (p-> iov.size! = 8) {
P-> status = USB_RET_STALL
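Review bot: the new unsigned int setup_len local at the top of do_token_setup is declared without a comment saying why the length is staged in a local, and it sits next to the signed request, value and index. A one-line comment stating that it holds the unvalidated length from the setup packet until the bounds check passes would keep a later cleanup from folding it back into s->setup_len.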
@ @-138 USBPacket 14 + 139 USBPacket 15 @ @ static void do_token_setup (USBDevice * s, USBPacket * p)
Usb_packet_copy (p, s-> setup_buf, p-> iov.size)
S-> setup_index = 0
P-> actual_length = 0
-s-> setup_len = (s-> setup_buf [7] setup_buf [6])
-if (s-> setup_len > sizeof (s-> data_buf)) {
+ setup_len = (s-> setup_buf [7] setup_buf [6])
+ if (setup_len > sizeof (s-> data_buf)) {
Fprintf (stderr
"usb_generic_handle_packet: ctrl buffer too small (% d >% zu)\ n"
-s-> setup_len, sizeof (s-> data_buf))
+ setup_len, sizeof (s-> data_buf))
P-> status = USB_RET_STALL
Return
}
+ s-> setup_len = setup_len
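Review bot: the fprintf in the rejection branch still formats the length with %d although setup_len is now unsigned int; change the specifier to %u so the logged value matches the type. The ordering is right, since s->setup_len is assigned only after the sizeof(s->data_buf) check, but the copy into s->setup_buf and the reset of s->setup_index still happen before that check, so on the stall path the device holds the new setup bytes together with the previous length. Please say in the commit message whether that is intended.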
Root cause, as analysed from the patch:
When the value obtained for s->setup_len is greater than sizeof(s->data_buf), the function returns without clearing s->setup_len to zero. The oversized value stays in the device state, which results in out-of-bounds reads and writes when do_token_in or do_token_out later uses s->setup_len.
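The ordering problem described above, as a reduced C model showing the pre-patch and patched orderings side by side. This is an added example, not QEMU code: `struct model_dev`, the function names, the 4096-byte buffer size and the sample packet are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical, reduced stand-in for the fields the patch touches. */
#define DATA_BUF_SIZE 4096              /* size assumed for this model */
struct model_dev {
    uint8_t setup_buf[8];
    uint8_t data_buf[DATA_BUF_SIZE];
    int setup_len;
    int setup_index;
};

/* wLength: bytes 6..7 of the 8-byte SETUP packet, little-endian. */
static unsigned int wlength(const uint8_t *b) { return ((unsigned int)b[7] << 8) | b[6]; }

/* Pre-patch order: store, then validate. Returns 0 = accepted, -1 = stall. */
int setup_before_patch(struct model_dev *s, const uint8_t *pkt) {
    memcpy(s->setup_buf, pkt, 8);
    s->setup_index = 0;
    s->setup_len = (int)wlength(s->setup_buf);
    if ((size_t)s->setup_len > sizeof(s->data_buf))
        return -1;                      /* rejected, but the length stays stored */
    return 0;
}

/* Patched order: validate a local, commit only on success. */
int setup_after_patch(struct model_dev *s, const uint8_t *pkt) {
    unsigned int setup_len;
    memcpy(s->setup_buf, pkt, 8);
    s->setup_index = 0;
    setup_len = wlength(s->setup_buf);
    if (setup_len > sizeof(s->data_buf))
        return -1;                      /* rejected, s->setup_len untouched */
    s->setup_len = (int)setup_len;
    return 0;
}

/* Invariant the later data stages rely on when they index data_buf. */
int length_in_bounds(const struct model_dev *s) {
    return s->setup_len >= 0 && (size_t)s->setup_len <= sizeof(s->data_buf);
}

int main(void) {
    const uint8_t pkt[8] = {0x80, 0x06, 0, 1, 0, 0, 0xFF, 0xFF}; /* constructed: wLength 0xFFFF */
    struct model_dev a = {0}, b = {0};
    printf("before: rc=%d in_bounds=%d\n", setup_before_patch(&a, pkt), length_in_bounds(&a));
    printf("after:  rc=%d in_bounds=%d\n", setup_after_patch(&b, pkt), length_in_bounds(&b));
    return 0;
}
```

Both orderings reject the packet, but only the patched one leaves the stored length within the bounds of `data_buf` after the rejection.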
0x04 Affected versions
- qemu:qemu: all versions
0x05 Remediation recommendations
General remediation recommendation
Install the patch promptly. Patch addresses:
XSA-335 - Xen Security Advisories
http://xenbits.xen.org/xsa/advisory-335.html
Red Hat:
Red Hat Customer Portal
https://access.redhat.com/security/cve/CVE-2020-14364
Debian:
Debian CVE-2020-14364
https://security-tracker.debian.org/tracker/CVE-2020-14364