Vulnerability of QEMU: denial of service via the MegaRAID SAS 8708EM device driver

Synthesis of the vulnerability 

An attacker can trigger a fatal error via the MegaRAID SAS 8708EM device of QEMU, in order to cause a denial of service.
Vulnerable software: Debian, openSUSE Leap, QEMU, SLES.
Severity of this announcement: 2/4.
Creation date: 28/05/2020.
References of this computer vulnerability: CVE-2020-13362, DLA-2262-1, DLA-2288-1, DSA-4728-1, openSUSE-SU-2020:1108-1, SUSE-SU-2020:2015-1, VIGILANCE-VUL-32353.

Description of the vulnerability 

An attacker can trigger a fatal error via the MegaRAID SAS 8708EM device of QEMU, in order to cause a denial of service.

This cybersecurity alert impacts software or systems such as Debian, openSUSE Leap, QEMU, SLES.

Our Vigil@nce team determined that the severity of this weakness is medium.

The trust level is "confirmed by the editor", with an origin of "user shell".

An attacker with expert ability can exploit this security weakness.

Solutions for this threat 

QEMU: patch for megasas.
A patch is indicated in information sources.

Debian 10: new qemu packages.
New packages are available:
  Debian 10: qemu 1:3.1+dfsg-8+deb10u6

Debian 8: new qemu packages.
New packages are available:
  Debian 8: qemu 1:2.1+dfsg-12+deb8u15

Debian 9: new qemu packages.
New packages are available:
  Debian 9: qemu 1:2.8+dfsg-6+deb9u10

openSUSE Leap 15.2: new qemu packages.
New packages are available:
  openSUSE Leap 15.2: qemu 4.2.1-lp152.9.3.1

SUSE LE 15 SP2: new qemu packages.
New packages are available:
  SUSE LE 15 SP2: qemu 4.2.1-11.4.4

Wind River Linux: version 10.19.45.10.
The version 10.19.45.10 is fixed:
  https://support2.windriver.com/index.php?page=cve&on=list&show=50&product_id=1&product_version%5B0%5D=24&id_status%5B0%5D=4&cve_id_filter=&s=&submit=&order_by=cve_modified_date&order_way=desc#list