Prasad Pandit

**Nome do software vulnerável e versões afetadas** Versões 2.10.0 a 5.2.0 do QEMU **Descrição** Foi encontrada uma falha de uso após liberação (use-after-free) no emulador MegaRAID do QEMU. Esse problema ocorre durante o processamento de solicitações de E/S SCSI, no caso de um erro na função `mptsas free request()` que não retira o objeto de solicitação `req` da fila de solicitações pendentes. Essa falha permite que um usuário convidado com privilégios cause a falha do processo QEMU no host, resultando em uma negação de serviço. **Recomendações** Para as versões 2.10.0 a 5.2.0, considere desativar a função `mptsas free request()` como uma solução temporária até que um patch esteja disponível. Restrinja o acesso ao emulador MegaRAID para minimizar o risco de exploração. Evite usar o objeto `req` nas solicitações de E/S SCSI afetadas até que o problema seja resolvido. No momento, não há informações sobre uma versão mais recente que contenha uma correção para essa vulnerabilidade.

Name of the Vulnerable Software and Affected Versions: virt-manager version 2.2.0 Description: The virt-install utility has introduced an option '--unattended' to create virtual machines without user interaction. This option accepts the guest VM password as command line arguments, potentially leaking them to other users on the system via process listing. Recommendations: For virt-manager version 2.2.0, consider avoiding the use of the '--unattended' option until a secure alternative is available, or restrict access to process listings to minimize the risk of password exposure.

**Name of the Vulnerable Software and Affected Versions** Qemu (affected versions not specified) **Description** The issue is related to an improper access control problem in Qemu when built with VirtFS and 9pfs support. This could allow a privileged user inside a guest to access the host file system beyond the shared folder, potentially escalating their privileges on the host. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue is related to a memory leak in the `sdhci sdma transfer multi blocks` function in `hw/sd/sdhci.c` of the QEMU emulator. This can be exploited by a local attacker to cause a denial of service or execute arbitrary code on the QEMU host. The exploitation involves vectors related to the data transfer length, potentially leading to out-of-bounds heap access and crash. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU versions prior to 2.9 **Description** A heap buffer overflow issue was found in QEMU's Cirrus CLGD 54xx VGA emulator's VNC display driver support. The issue could occur when a VNC client attempted to update its display after a VGA operation is performed by a guest. This could allow a privileged user/process inside a guest to crash the QEMU process or potentially execute arbitrary code on the host with privileges of the QEMU process. **Recommendations** For QEMU versions prior to 2.9, update to version 2.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the VNC display driver support until a patch is available. Avoid using the VNC client to update its display after a VGA operation is performed by a guest until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** A heap-based buffer overflow issue exists in the iscsi aio ioctl function in block/iscsi.c, allowing local guest OS users to cause a denial of service, potentially leading to a QEMU process crash, or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** QEMU (affected versions not specified) **Description** The issue allows local guest OS users to cause a denial of service, resulting in a process crash. This occurs when an entropy request is made, triggering arbitrary stack-based allocation and memory corruption. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.2.4 **Description** The issue allows local users to bypass an intended container protection mechanism by renaming a directory, related to a "double-chroot attack." This occurs because the prepend path function in fs/dcache.c does not properly handle rename actions inside a bind mount. **Recommendations** For Linux kernel versions prior to 4.2.4, update to version 4.2.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the rename functionality inside bind mounts to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.19.3 **Description** The issue is related to the ` driver rfc4106 decrypt` function in the Linux kernel, which does not properly determine the memory locations used for encrypted data. This allows attackers to cause a denial of service, such as a buffer overflow and system crash, or possibly execute arbitrary code by triggering a crypto API call. **Recommendations** For Linux kernel versions prior to 3.19.3, update to version 3.19.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the crypto API to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 4.5.3 **Description** The issue is related to the `usbip recv xbuff` function in the Linux kernel, which can be exploited by remote attackers to cause a denial of service (out-of-bounds write) or possibly have other unspecified impacts. This is achieved by sending a crafted length value in a USB/IP packet. **Recommendations** For Linux kernel versions prior to 4.5.3, update to version 4.5.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the `usbip recv xbuff` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.5.1 **Description** The issue is related to the `futex wait requeue pi` function in the Linux kernel, which does not properly validate futex addresses. This can be exploited by local users to cause a denial of service, resulting in a NULL pointer dereference and system crash, or potentially have other unspecified impacts through a crafted FUTEX WAIT REQUEUE PI command. **Recommendations** For Linux kernel versions prior to 3.5.1, update to version 3.5.1 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.11.5 **Description** The issue is related to the fib6 add function in the Linux kernel, which does not properly implement error-code encoding. This allows local users with the CAP NET ADMIN capability to cause a denial of service, resulting in a NULL pointer dereference and system crash, by making an IPv6 SIOCADDRT ioctl call. **Recommendations** For Linux kernel versions prior to 3.11.5, update to version 3.11.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.11.8 **Description** The issue allows local users to bypass intended access restrictions via a crafted ioctl call due to the lack of privilege level checking in the `aac compat ioctl` function. This could potentially lead to privilege escalation. **Recommendations** For Linux kernel versions prior to 3.11.8, update to version 3.11.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the `aac compat ioctl` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 3.11.1 **Description** The issue is related to a use-after-free vulnerability in the Linux kernel, specifically in the drivers/net/tun.c file. This vulnerability can be exploited by local users to gain privileges, provided they have the CAP NET ADMIN capability. The exploitation involves providing an invalid tuntap interface name in a TUNSETIFF ioctl call. **Recommendations** For Linux kernel versions through 3.11.1, update to a version later than 3.11.1 to resolve the issue. At the moment, there is no information about additional mitigation measures for this specific vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.9.5 **Description** The issue allows local users to cause a denial of service, resulting in a system crash. This occurs via vectors involving an attempted register access that triggers an unexpected value in the Exception Syndrome Register (ESR), specifically through the bad mode function in arch/arm64/kernel/traps.c on the ARM64 platform. **Recommendations** For versions prior to 3.9.5, update to version 3.9.5 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.9 **Description** The issue concerns the key notify policy flush function in the Linux kernel, which fails to initialize a certain structure member. This allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify policy interface of an IPSec key socket. **Recommendations** For Linux kernel versions prior to 3.9, update to version 3.9 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.10 **Description** The issue affects the Linux kernel, where the `key notify sa flush` and `key notify policy flush` functions in `net/key/af key.c` do not properly initialize certain structure members. This allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key socket. **Recommendations** For Linux kernel versions prior to 3.10, update to version 3.10 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Red Hat Enterprise Linux (RHEL) 6 with Linux kernel 2.6.32 **Description** The issue allows local users to cause a denial of service, resulting in an invalid free operation and system crash, or possibly gain privileges. This is achieved via a sendmsg system call with the `IP RETOPTS` option. **Recommendations** For Red Hat Enterprise Linux (RHEL) 6 with Linux kernel 2.6.32, consider applying the correct patch to resolve the issue, as the existing patch is incorrect and introduces this problem.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 3.11 **Description** The issue allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive. This is due to a problem in the mmc ioctl cdrom read data function in drivers/cdrom/cdrom.c. **Recommendations** For Linux kernel versions prior to 3.11, update to version 3.11 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions through 3.9.4 **Description** The issue concerns the `fill event metadata` function in `fs/notify/fanotify/fanotify user.c`, which fails to initialize a certain structure member. This allows local users to obtain sensitive information from kernel memory via a read operation on the `fanotify` descriptor. **Recommendations** For Linux kernel versions through 3.9.4, update to a version that contains a fix for this issue.