CVE-2020-13800 - OpenCVE

ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Complete

AV:L/AC:L/Au:N/C:N/I:N/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Opensuse	Leap
Qemu	Qemu

Configuration 1 [-]

cpe:2.3:a:qemu:qemu:4.2.0:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts:::

Configuration 3 [-]

cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00086.html
https://cve.openeuler.org/cve#/CVEInfo/CVE-2020-13800
https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00825.html
https://nvd.nist.gov/vuln/detail/CVE-2020-13800
https://security.gentoo.org/glsa/202011-09
https://security.netapp.com/advisory/ntap-20200717-0001/
https://usn.ubuntu.com/4467-1/
https://www.cve.org/CVERecord?id=CVE-2020-13800
https://www.openwall.com/lists/oss-security/2020/06/04/2

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-06-04T15:23:08

Updated: 2024-08-04T12:25:16.567Z

Reserved: 2020-06-03T00:00:00

Link: CVE-2020-13800

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2020-06-04T16:15:12.873

Modified: 2022-04-28T19:30:48.957

Link: CVE-2020-13800

Redhat

Severity : Low

Publid Date: 2020-06-03T00:00:00Z

Links: CVE-2020-13800 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-11-11T05:06:15", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00825.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.openwall.com/lists/oss-security/2020/06/04/2"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200717-0001/"}, {"name": "openSUSE-SU-2020:1108", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00086.html"}, {"name": "USN-4467-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4467-1/"}, {"tags": ["x_refsource_MISC"], "url": "https://cve.openeuler.org/cve#/CVEInfo/CVE-2020-13800"}, {"name": "GLSA-202011-09", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202011-09"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-13800", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00825.html", "refsource": "MISC", "url": "https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00825.html"}, {"name": "https://www.openwall.com/lists/oss-security/2020/06/04/2", "refsource": "CONFIRM", "url": "https://www.openwall.com/lists/oss-security/2020/06/04/2"}, {"name": "https://security.netapp.com/advisory/ntap-20200717-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200717-0001/"}, {"name": "openSUSE-SU-2020:1108", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00086.html"}, {"name": "USN-4467-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4467-1/"}, {"name": "https://cve.openeuler.org/cve#/CVEInfo/CVE-2020-13800", "refsource": "MISC", "url": "https://cve.openeuler.org/cve#/CVEInfo/CVE-2020-13800"}, {"name": "GLSA-202011-09", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202011-09"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:25:16.567Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00825.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.openwall.com/lists/oss-security/2020/06/04/2"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200717-0001/"}, {"name": "openSUSE-SU-2020:1108", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00086.html"}, {"name": "USN-4467-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4467-1/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cve.openeuler.org/cve#/CVEInfo/CVE-2020-13800"}, {"name": "GLSA-202011-09", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202011-09"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-13800", "datePublished": "2020-06-04T15:23:08", "dateReserved": "2020-06-03T00:00:00", "dateUpdated": "2024-08-04T12:25:16.567Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:qemu:qemu:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "B224F3C1-3F8B-4178-82B1-4264C1811A0C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call."}, {"lang": "es", "value": "ati-vga en el archivo hw/display/ati.c en QEMU versi\u00f3n 4.2.0, permite a usuarios invitados del Sistema Operativo desencadenar una recursividad infinita por medio de un valor mm_index dise\u00f1ado durante una llamada de ati_mm_read o ati_mm_write"}], "id": "CVE-2020-13800", "lastModified": "2022-04-28T19:30:48.957", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 4.9, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-06-04T16:15:12.873", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00086.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "https://cve.openeuler.org/cve#/CVEInfo/CVE-2020-13800"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.gnu.org/archive/html/qemu-devel/2020-06/msg00825.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202011-09"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200717-0001/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4467-1/"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://www.openwall.com/lists/oss-security/2020/06/04/2"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-674"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Hanqing Zhao (SSLab Georgia Tech), Ren Ding (SSLab Georgia Tech), and Yi Ren for reporting this issue.", "bugzilla": {"description": "QEMU: ati-vga: infinite recursion in ati_mm_read/write calls may lead to DoS", "id": "1843771", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1843771"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-835", "details": ["ati-vga in hw/display/ati.c in QEMU 4.2.0 allows guest OS users to trigger infinite recursion via a crafted mm_index value during an ati_mm_read or ati_mm_write call.", "An infinite recursion flaw was found in the ati-vga emulator of the QEMU. The issue occurs in ati_mm_read/write routines while accessing VGA registers, for certain values of the 'mm_index' variable. This flaw allows a guest user or process to crash the QEMU process, resulting in a denial of service."], "name": "CVE-2020-13800", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "kvm", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-ma", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "virt:rhel/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:advanced_virtualization:8::el8", "fix_state": "Not affected", "package_name": "virt:8.2/qemu-kvm", "product_name": "Red Hat Enterprise Linux 8 Advanced Virtualization"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "qemu-kvm", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "qemu-kvm-rhev", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}], "public_date": "2020-06-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-13800\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-13800\nhttps://www.openwall.com/lists/oss-security/2020/06/04/2"], "threat_severity": "Low", "upstream_fix": "QEMU 5.0.1"}