CVE-2020-27617

CVSS v2.0

6.8

Medium

Vector

AV:N/AC:L/Au:S/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions QEMU version 4.2.1

Description The issue is related to the eth get gso type function in the net/eth.c component of the QEMU hardware emulator, which is associated with incorrect accounting of external emulator resources. This can be exploited by a remote attacker to cause a denial of service. Specifically, a guest OS user can trigger an assertion failure, allowing a guest to crash the QEMU process via packet data that lacks a valid Layer 3 protocol.

Recommendations For QEMU version 4.2.1, consider disabling the eth get gso type function in the net/eth.c component as a temporary workaround until a patch is available. Restrict access to the net/eth.c component to minimize the risk of exploitation. Avoid using packet data that lacks a valid Layer 3 protocol in the affected QEMU process until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Assertion Failure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-617

Related Identifiers

ALSA-2021:3061

ALT-PU-2021-1880

ALT-PU-2021-1964

BDU:2021-05200

CESA-2021_3061

CVE-2020-27617

DLA-2469-1

DLA-3099-1

OPENSUSE-SU-2021:0600-1

OPENSUSE-SU-2021_0600-1

RHSA-2021:3061

RHSA-2021_3061

RLSA-2021:3061

SUSE-SU-2021:1240-1

SUSE-SU-2021:1241-1

SUSE-SU-2021:1242-1

SUSE-SU-2021:1243-1

SUSE-SU-2021:1244-1

SUSE-SU-2021:1245-1

SUSE-SU-2021:1305-1

USN-4650-1

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Linuxmint

Qemu

Red Hat

Rocky Linux

Suse

Ubuntu

CVE-2020-27617

Weakness Enumeration

Related Identifiers

Affected Products

References · 130