This security advisory describes one low-risk vulnerability.
1) Improper Verification of Cryptographic Signature
Severity: Low
CVSSv3: 3.9 [CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-10702
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
Exploit availability: No
Description
The vulnerability allows a local user to bypass authentication.
The vulnerability exists due to the use of a weak signature algorithm in /arm/pauth_helper.c, part of the Pointer Authentication (PAuth) support for ARM. A local user can bypass PAuth and gain unauthorized access to resources on the system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
QEMU: 4.0.0, 4.0.1, 4.1.0, 4.2.0
External links
https://usn.ubuntu.com/4372-1/
https://security-tracker.debian.org/tracker/CVE-2020-10702
https://bugs.launchpad.net/qemu/+bug/1859713