CVE-2020-11102 - OpenCVE

hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:M/Au:N/C:P/I:P/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Qemu	Qemu

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:4.2.0:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2020/04/06/1
https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg08322.html
https://nvd.nist.gov/vuln/detail/CVE-2020-11102
https://security.gentoo.org/glsa/202005-02
https://www.cve.org/CVERecord?id=CVE-2020-11102

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-04-06T15:39:56

Updated: 2024-08-04T11:21:14.677Z

Reserved: 2020-03-30T00:00:00

Link: CVE-2020-11102

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-04-06T16:15:13.347

Modified: 2020-05-13T01:15:12.020

Link: CVE-2020-11102

Redhat

Severity : Important

Publid Date: 2020-02-11T00:00:00Z

Links: CVE-2020-11102 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-05-13T00:06:31", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg08322.html"}, {"name": "[oss-security] 20200406 CVE-2020-11102 QEMU: tulip: OOB access in tulip_copy_tx_buffers", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/04/06/1"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.openwall.com/lists/oss-security/2020/04/06/1"}, {"name": "GLSA-202005-02", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202005-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-11102", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg08322.html", "refsource": "MISC", "url": "https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg08322.html"}, {"name": "[oss-security] 20200406 CVE-2020-11102 QEMU: tulip: OOB access in tulip_copy_tx_buffers", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/04/06/1"}, {"name": "http://www.openwall.com/lists/oss-security/2020/04/06/1", "refsource": "CONFIRM", "url": "http://www.openwall.com/lists/oss-security/2020/04/06/1"}, {"name": "GLSA-202005-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202005-02"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:21:14.677Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg08322.html"}, {"name": "[oss-security] 20200406 CVE-2020-11102 QEMU: tulip: OOB access in tulip_copy_tx_buffers", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/04/06/1"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/04/06/1"}, {"name": "GLSA-202005-02", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202005-02"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-11102", "datePublished": "2020-04-06T15:39:56", "dateReserved": "2020-03-30T00:00:00", "dateUpdated": "2024-08-04T11:21:14.677Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "B224F3C1-3F8B-4178-82B1-4264C1811A0C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length."}, {"lang": "es", "value": "El archivo hw/net/tulip.c en QEMU versi\u00f3n 4.2.0, presenta un desbordamiento de b\u00fafer durante la copia de los b\u00faferes tx/rx porque el tama\u00f1o de trama no est\u00e1 validado con respecto a la longitud de datos r/w."}], "id": "CVE-2020-11102", "lastModified": "2020-05-13T01:15:12.020", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-06T16:15:13.347", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/04/06/1"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2020-03/msg08322.html"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202005-02"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Li Qiang (Tianchen Security Lab of Ant Financial) and Ziming Zhang for reporting this issue.", "bugzilla": {"description": "QEMU: tulip: OOB access in tulip_copy_tx_buffers", "id": "1821180", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1821180"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-125->CWE-787", "details": ["hw/net/tulip.c in QEMU 4.2.0 has a buffer overflow during the copying of tx/rx buffers because the frame size is not validated against the r/w data length.", "An out-of-bounds access flaw was found in the Tulip NIC emulator built into QEMU. This flaw occurs while copying network data to and from its tx/rx frame buffers, as it does not check frame size against the data length. This flaw allows a remote user or process to crash the QEMU process, resulting in a denial of service or the potential execution of arbitrary code with the privileges of the QEMU process on the host."], "name": "CVE-2020-11102", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kvm", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2020-02-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-11102\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11102"], "statement": "This issue does not affect the versions of the qemu-kvm package as shipped with Red Hat Enterprise Linux 6, 7 and 8.", "threat_severity": "Important", "upstream_fix": "qemu 5.0.0"}