CVE-2020-1711: 
NixOS vulnerability analysis and mitigation

CVE-2020-1711 is an out-of-bounds heap buffer access vulnerability discovered in QEMU's iSCSI Block driver. The vulnerability affects QEMU versions 2.12.0 before 4.2.1, disclosed in January 2020. The flaw occurs when handling responses from an iSCSI server while checking the status of a Logical Address Block (LBA) in the iscsi_co_block_status() routine (NVD, QEMU Patch).

The vulnerability stems from QEMU only validating that the response descriptor zero's LBA matches the requested one, without properly validating the block count from GET LBA STATUS. Since the SCSI specification allows servers to respond with the status of blocks beyond the end of the LUN, QEMU's heap could be corrupted by clearing/setting too many bits at the end of its allocmap for the LUN. The issue has a CVSS v3.1 base score of 6.0 (Medium) according to NVD, though Red Hat assessed it at 7.7 (High) (NVD, Red Hat).

A remote attacker in control of the iSCSI server could exploit this vulnerability to crash the QEMU process, resulting in a denial of service. More critically, it could potentially lead to the execution of arbitrary code with the privileges of the QEMU process on the host system. The vulnerability could allow an attacker to carefully program QEMU's heap by selectively setting the bitmap and then corrupting it (Ubuntu Notice, OpenWall).

The vulnerability was patched in QEMU version 4.2.1 by implementing a fix that caps the number of bits that iscsi_co_block_status() will try to update in the allocmap to prevent bitmap overflow. Users are advised to upgrade to QEMU version 4.2.1 or later. Various Linux distributions have also released security updates to address this vulnerability, including Red Hat, Ubuntu, Debian, and OpenSUSE (Red Hat, Ubuntu Notice).