CVE-2012-0029 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in KVM Group Qemu-Kvm 0.12

CVSS 0.0 - NONE

Metric                  Value
Attack vector           UNKNOWN
Attack complexity       UNKNOWN
Privileges required     UNKNOWN
Confidentiality impact  UNKNOWN
Integrity impact        UNKNOWN
Availability impact     UNKNOWN

Summary

Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation (hw/e1000.c) in qemu-kvm 0.12, and possibly other versions, allows guest OS users to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets.

Vulnerable Configurations

Part         Description  Count
Application  Kvm_Group    1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-8604.NASL
    description: - CVE-2011-1750 virtio-blk: heap buffer overflow (bz 698906, bz 698911) - CVE-2011-2527 set groups properly for -runas (bz 720773, bz 720784) - CVE-2012-0029 e1000 buffer overflow (bz 783984, bz 772075) - virtio-blk: refuse SG_IO requests with scsi=off (bz 770135) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2012-06-08
    plugin id: 59420
    published: 2012-06-08
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/59420
    title: Fedora 15 : qemu-0.14.0-9.fc15 (2012-8604)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2012-8604.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(59420);
      script_version("1.9");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2011-1750", "CVE-2011-2527", "CVE-2012-0029");
      script_bugtraq_id(47546, 48659, 51642);
      script_xref(name:"FEDORA", value:"2012-8604");
    
      script_name(english:"Fedora 15 : qemu-0.14.0-9.fc15 (2012-8604)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - CVE-2011-1750 virtio-blk: heap buffer overflow (bz
        698906, bz 698911)
    
        - CVE-2011-2527 set groups properly for -runas (bz
          720773, bz 720784)
    
        - CVE-2012-0029 e1000 buffer overflow (bz 783984, bz
          772075)
    
        - virtio-blk: refuse SG_IO requests with scsi=off (bz
          770135)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=698906"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=720773"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=772075"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/081972.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?059a8b74"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected qemu package.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:qemu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:15");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/05/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/08");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^15([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 15.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC15", reference:"qemu-0.14.0-9.fc15")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_XEN-201202-120210.NASL
    description: This collective update 2012/02 for Xen provides fixes for the following reports : Xen : - 740165: Fix heap overflow in e1000 device emulation (applicable to Xen qemu - CVE-2012-0029) - 739585: Xen block-attach fails after repeated attach/detach - 727515: Fragmented packets hang network boot of HVM guest - 736824: Microcode patches for AMD
    last seen: 2020-06-05
    modified: 2012-03-20
    plugin id: 58396
    published: 2012-03-20
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/58396
    title: SuSE 11.1 Security Update : Xen and libvirt (SAT Patch Number 5796)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from SuSE 11 update information. The text itself is
    # copyright (C) Novell, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(58396);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2012-0029");
    
      script_name(english:"SuSE 11.1 Security Update : Xen and libvirt (SAT Patch Number 5796)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SuSE 11 host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This collective update 2012/02 for Xen provides fixes for the
    following reports :
    
    Xen :
    
      - 740165: Fix heap overflow in e1000 device emulation
        (applicable to Xen qemu - CVE-2012-0029)
    
      - 739585: Xen block-attach fails after repeated
        attach/detach
    
      - 727515: Fragmented packets hang network boot of HVM
        guest
    
      - 736824: Microcode patches for AMD's 15h processors panic
        the system
    
      - 732782: xm create hangs when maxmen value is enclosed in
        'quotes'
    
      - 734826: xm rename doesn't work anymore
    
      - 694863: kexec fails in xen
    
      - 726332: Fix considerable performance hit by previous
        changeset
    
      - 649209: Fix slow Xen live migrations libvirt
    
      - 735403: Fix connection with virt-manager as normal user
        virt-utils
    
      - Add Support for creating images that can be run on
        Microsoft Hyper-V host (Fix vpc file format. Add support
        for fixed disks)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=649209"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=694863"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=725169"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=726332"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=727515"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=732782"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=734826"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=735403"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=736824"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=739585"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=740165"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://support.novell.com/security/cve/CVE-2012-0029.html"
      );
      script_set_attribute(attribute:"solution", value:"Apply SAT patch number 5796.");
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:S/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libvirt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libvirt-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:libvirt-python");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:virt-utils");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-doc-pdf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-kmp-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-kmp-trace");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2012/02/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/03/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);
    
    pl = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(pl) || int(pl) != 1) audit(AUDIT_OS_NOT, "SuSE 11.1");
    
    
    flag = 0;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"libvirt-0.7.6-1.29.2")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"libvirt-doc-0.7.6-1.29.2")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"libvirt-python-0.7.6-1.29.2")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"virt-utils-1.1.3-1.5.1")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"xen-4.0.3_21548_02-0.5.2")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"xen-kmp-default-4.0.3_21548_02_2.6.32.54_0.3-0.5.2")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"xen-libs-4.0.3_21548_02-0.5.2")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"xen-tools-4.0.3_21548_02-0.5.2")) flag++;
    if (rpm_check(release:"SLED11", sp:1, cpu:"x86_64", reference:"xen-tools-domU-4.0.3_21548_02-0.5.2")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"libvirt-0.7.6-1.29.2")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"libvirt-doc-0.7.6-1.29.2")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"libvirt-python-0.7.6-1.29.2")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"virt-utils-1.1.3-1.5.1")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"xen-4.0.3_21548_02-0.5.2")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"xen-doc-html-4.0.3_21548_02-0.5.2")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"xen-doc-pdf-4.0.3_21548_02-0.5.2")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"xen-kmp-default-4.0.3_21548_02_2.6.32.54_0.3-0.5.2")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"xen-kmp-trace-4.0.3_21548_02_2.6.32.54_0.3-0.5.2")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"xen-libs-4.0.3_21548_02-0.5.2")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"xen-tools-4.0.3_21548_02-0.5.2")) flag++;
    if (rpm_check(release:"SLES11", sp:1, cpu:"x86_64", reference:"xen-tools-domU-4.0.3_21548_02-0.5.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2012-0370.NASL
    description: From Red Hat Security Advisory 2012:0370 : Updated xen packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A heap overflow flaw was found in the way QEMU emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash QEMU or, possibly, escalate their privileges on the host. (CVE-2012-0029) Red Hat would like to thank Nicolae Mogoreanu for reporting this issue. This update also fixes the following bugs : * Adding support for jumbo frames introduced incorrect network device expansion when a bridge is created. The expansion worked correctly with the default configuration, but could have caused network setup failures when a user-defined network script was used. This update changes the expansion so network setup will not fail, even when a user-defined network script is used. (BZ#797191) * A bug was found in xenconsoled, the Xen hypervisor console daemon. If timestamp logging for this daemon was enabled (using both the XENCONSOLED_TIMESTAMP_HYPERVISOR_LOG and XENCONSOLED_TIMESTAMP_GUEST_LOG options in
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68493
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68493
    title: Oracle Linux 5 : xen (ELSA-2012-0370)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-1339-1.NASL
    description: Nicolae Mogoreanu discovered that QEMU did not properly verify legacy mode packets in the e1000 network driver. A remote attacker could exploit this to cause a denial of service or possibly execute code with the privileges of the user invoking the program. When using QEMU with libvirt or virtualization management software based on libvirt such as Eucalyptus and OpenStack, QEMU guests are individually isolated by an AppArmor profile by default in Ubuntu. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 57663
    published: 2012-01-24
    reporter: Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/57663
    title: Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : qemu-kvm vulnerability (USN-1339-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-1375.NASL
    description: Fix buffer overflow in e1000 emulation for HVM guests [CVE-2012-0029], Start building xen
    last seen: 2020-03-17
    modified: 2012-02-20
    plugin id: 58015
    published: 2012-02-20
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/58015
    title: Fedora 16 : xen-4.1.2-6.fc16 (2012-1375)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_KVM-120116.NASL
    description: The following vulnerabilities have been fixed in KVM : - buffer overflow in e1000 device emulation. (CVE-2012-0029) - missing initgroups() for -runas (CVE-2011-2527)
    last seen: 2020-06-05
    modified: 2012-01-30
    plugin id: 57725
    published: 2012-01-30
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/57725
    title: SuSE 11.1 Security Update : KVM (SAT Patch Number 5655)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2015-0068.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 84140
    published: 2015-06-12
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/84140
    title: OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20120123_KVM_ON_SL5_X.NASL
    description: KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Scientific Linux kernel. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A malicious user in the kvm group on the host could force this situation to occur, resulting in the host crashing. (CVE-2011-4622) All KVM users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: The procedure in the Solution section must be performed before this update will take effect.
    last seen: 2020-03-18
    modified: 2012-08-01
    plugin id: 61222
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/61222
    title: Scientific Linux Security Update : kvm on SL5.x x86_64 (20120123)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2012-84.NASL
    description: - avoid buffer overflow in e1000 device emulation (bnc#740165) - Fix dictzip with long file names.
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74841
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/74841
    title: openSUSE Security Update : kvm (openSUSE-2012-84)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2012-0050.NASL
    description: Updated qemu-kvm packages that fix one security issue, one bug, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) Red Hat would like to thank Nicolae Mogoreanu for reporting this issue. This update also fixes the following bug : * qemu-kvm has a
    last seen: 2020-04-16
    modified: 2013-01-24
    plugin id: 64020
    published: 2013-01-24
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/64020
    title: RHEL 6 : qemu-kvm (RHSA-2012:0050)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2012-243.NASL
    description: This is a XEN bugfix update fixing lots of bugs and one security issue. CVE-2012-0029: Heap-based buffer overflow in the process_tx_desc function in the e1000 emulation (hw/e1000.c) in qemu-kvm 0.12, and possibly other versions, allows guest OS users to cause a denial of service (QEMU crash) and possibly execute arbitrary code via crafted legacy mode packets.
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74606
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74606
    title: openSUSE Security Update : Xen (openSUSE-SU-2012:0548-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-1539.NASL
    description: Fix buffer overflow in e1000 emulation for HVM guests [CVE-2012-0029], Start building xen
    last seen: 2020-03-17
    modified: 2012-02-20
    plugin id: 58018
    published: 2012-02-20
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/58018
    title: Fedora 15 : xen-4.1.2-6.fc15 (2012-1539)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2012-0370.NASL
    description: Updated xen packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A heap overflow flaw was found in the way QEMU emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash QEMU or, possibly, escalate their privileges on the host. (CVE-2012-0029) Red Hat would like to thank Nicolae Mogoreanu for reporting this issue. This update also fixes the following bugs : * Adding support for jumbo frames introduced incorrect network device expansion when a bridge is created. The expansion worked correctly with the default configuration, but could have caused network setup failures when a user-defined network script was used. This update changes the expansion so network setup will not fail, even when a user-defined network script is used. (BZ#797191) * A bug was found in xenconsoled, the Xen hypervisor console daemon. If timestamp logging for this daemon was enabled (using both the XENCONSOLED_TIMESTAMP_HYPERVISOR_LOG and XENCONSOLED_TIMESTAMP_GUEST_LOG options in
    last seen: 2020-04-16
    modified: 2012-03-08
    plugin id: 58285
    published: 2012-03-08
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/58285
    title: RHEL 5 : xen (RHSA-2012:0370)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2012-0168.NASL
    description: An updated rhev-hypervisor5 package that fixes several security issues and various bugs is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor5 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) A divide-by-zero flaw was found in the Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79283
    published: 2014-11-17
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79283
    title: RHEL 5 : rhev-hypervisor5 (RHSA-2012:0168)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2012-0109.NASL
    description: An updated rhev-hypervisor6 package that fixes multiple security issues and various bugs is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. (CVE-2011-4576) A denial of service flaw was found in the RFC 3779 implementation in OpenSSL. A remote attacker could use this flaw to make an application using OpenSSL exit unexpectedly by providing a specially crafted X.509 certificate that has malformed RFC 3779 extension data. (CVE-2011-4577) It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. (CVE-2011-4619) Red Hat would like to thank Nicolae Mogoreanu for reporting CVE-2012-0029. This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers : CVE-2009-5029 and CVE-2011-4609 (glibc issues) CVE-2012-0056 (kernel issue) CVE-2011-4108 and CVE-2012-0050 (openssl issues) This update also fixes the following bugs : * Previously, it was possible to begin a Hypervisor installation without any valid disks to install to. Now, if no valid disks are found for Hypervisor installation, a message is displayed informing the user that there are no valid disks for installation. (BZ#781471) * Previously, the user interface for the Hypervisor did not indicate whether the system was registered with Red Hat Network (RHN) Classic or RHN Satellite. As a result, customers could not easily determine the registration status of their Hypervisor installations. The TUI has been updated to display the registration status of the Hypervisor. (BZ#788223) * Previously, autoinstall would fail if the firstboot or reinstall options were passed but local_boot or upgrade were not passed. Now, neither the local_boot or upgrade parameters are required for autoinstall. (BZ#788225) Users of the Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which fixes these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79282
    published: 2014-11-17
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79282
    title: RHEL 6 : rhev-hypervisor6 (RHSA-2012:0109)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_4_KVM-120124.NASL
    description: A missing initgroups() call for the -runas option has been fixed in kvm (CVE-2011-2527) as well as a buffer overflow in the e1000 device emulation (CVE-2012-0029).
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 75889
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75889
    title: openSUSE Security Update : kvm (openSUSE-SU-2012:0207-1)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2012-0051.NASL
    description: From Red Hat Security Advisory 2012:0051 : Updated kvm packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A malicious user in the kvm group on the host could force this situation to occur, resulting in the host crashing. (CVE-2011-4622) Red Hat would like to thank Nicolae Mogoreanu for reporting CVE-2012-0029. All KVM users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: The procedure in the Solution section must be performed before this update will take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68434
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68434
    title: Oracle Linux 5 : kvm (ELSA-2012-0051)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20120307_XEN_ON_SL5_X.NASL
    description: The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Scientific Linux. A heap overflow flaw was found in the way QEMU emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash QEMU or, possibly, escalate their privileges on the host. (CVE-2012-0029) This update also fixes the following bugs : - Adding support for jumbo frames introduced incorrect network device expansion when a bridge is created. The expansion worked correctly with the default configuration, but could have caused network setup failures when a user-defined network script was used. This update changes the expansion so network setup will not fail, even when a user-defined network script is used. - A bug was found in xenconsoled, the Xen hypervisor console daemon. If timestamp logging for this daemon was enabled (using both the XENCONSOLED_TIMESTAMP_HYPERVISOR_LOG and XENCONSOLED_TIMESTAMP_GUEST_LOG options in
    last seen: 2020-03-18
    modified: 2012-08-01
    plugin id: 61280
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/61280
    title: Scientific Linux Security Update : xen on SL5.x i386/x86_64 (20120307)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2012-8592.NASL
    description: - CVE-2012-0029 e1000 buffer overflow (bz 825895, bz 772075) - virtio-blk: refuse SG_IO requests with scsi=off (bz 826042) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2012-06-08
    plugin id: 59418
    published: 2012-06-08
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/59418
    title: Fedora 16 : qemu-0.15.1-5.fc16 (2012-8592)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_4_LIBVIRT-120208.NASL
    description: This collective update 2012/02 for Xen provides fixes for the following reports : Xen === - 649209: Fix Xen live migrations being slow - 683580: Fix hangs during boot up after the message
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 75931
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75931
    title: openSUSE Security Update : libvirt (openSUSE-SU-2012:0347-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2396.NASL
    description: Nicolae Mogoreanu discovered a heap overflow in the emulated e1000e network interface card of KVM, a solution for full virtualization on x86 hardware, which could result in denial of service or privilege escalation. This update also fixes a guest-triggerable memory corruption in VNC handling.
    last seen: 2020-03-17
    modified: 2012-01-31
    plugin id: 57736
    published: 2012-01-31
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/57736
    title: Debian DSA-2396-1 : qemu-kvm - buffer underflow
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201210-04.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201210-04 (qemu-kvm: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in qemu-kvm. Please review the CVE identifiers referenced below for details. Impact : These vulnerabilities allow a remote attacker to cause a Denial of Service condition on the host server or qemu process, might allow for arbitrary code execution or a symlink attack when qemu-kvm is in snapshot mode. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62634
    published: 2012-10-19
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62634
    title: GLSA-201210-04 : qemu-kvm: Multiple vulnerabilities
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2012-0050.NASL
    description: From Red Hat Security Advisory 2012:0050 : Updated qemu-kvm packages that fix one security issue, one bug, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) Red Hat would like to thank Nicolae Mogoreanu for reporting this issue. This update also fixes the following bug : * qemu-kvm has a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68433
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68433
    title: Oracle Linux 6 : qemu-kvm (ELSA-2012-0050)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2404.NASL
    description: Nicolae Mogoreanu discovered a heap overflow in the emulated e1000e network interface card of QEMU, which is used in the xen-qemu-dm-4.0 packages. This vulnerability might enable malicious guest systems to crash the host system or escalate their privileges.
    last seen: 2020-03-17
    modified: 2012-02-06
    plugin id: 57827
    published: 2012-02-06
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/57827
    title: Debian DSA-2404-1 : xen-qemu-dm-4.0 - buffer overflow
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2012-404.NASL
    description: This update of XEN fixed multiple security flaws that could be exploited by local attackers to cause a Denial of Service or potentially escalate privileges. Additionally, several other upstream changes were backported.
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74683
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74683
    title: openSUSE Security Update : xen (openSUSE-2012-404)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_XEN-201202-120209.NASL
    description: This collective update 2012/02 for Xen provides fixes for the following reports : Xen : - 740165: Fix heap overflow in e1000 device emulation (applicable to Xen qemu - CVE-2012-0029) - 739585: Xen block-attach fails after repeated attach/detach - 727515: Fragmented packets hang network boot of HVM guest - 736824: Microcode patches for AMD
    last seen: 2020-06-05
    modified: 2012-03-20
    plugin id: 58395
    published: 2012-03-20
    reporter: This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/58395
    title: SuSE 11.1 Security Update : Xen and libvirt (SAT Patch Number 5796)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2012-0050.NASL
    description: Updated qemu-kvm packages that fix one security issue, one bug, and add one enhancement are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) Red Hat would like to thank Nicolae Mogoreanu for reporting this issue. This update also fixes the following bug : * qemu-kvm has a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 57667
    published: 2012-01-25
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/57667
    title: CentOS 6 : qemu-kvm (CESA-2012:0050)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_4_QEMU-120207.NASL
    description: A heap-based buffer overflow in the legacy mode of the e1000 driver device emulation was fixed (CVE-2012-0029).
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 76005
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/76005
    title: openSUSE Security Update : qemu (openSUSE-SU-2012:0267-1)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2012-0051.NASL
    description: Updated kvm packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A malicious user in the kvm group on the host could force this situation to occur, resulting in the host crashing. (CVE-2011-4622) Red Hat would like to thank Nicolae Mogoreanu for reporting CVE-2012-0029. All KVM users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: The procedure in the Solution section must be performed before this update will take effect.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 57668
    published: 2012-01-25
    reporter: This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/57668
    title: CentOS 5 : kvm (CESA-2012:0051)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2012-0051.NASL
    description: Updated kvm packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029) A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT (Programmable Interval Timer) IRQs (interrupt requests) when there was no virtual interrupt controller set up. A malicious user in the kvm group on the host could force this situation to occur, resulting in the host crashing. (CVE-2011-4622) Red Hat would like to thank Nicolae Mogoreanu for reporting CVE-2012-0029. All KVM users should upgrade to these updated packages, which contain backported patches to correct these issues. Note: The procedure in the Solution section must be performed before this update will take effect.
    last seen: 2020-04-16
    modified: 2013-01-24
    plugin id: 64021
    published: 2013-01-24
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/64021
    title: RHEL 5 : kvm (RHSA-2012:0051)

Redhat

advisories
  • bugzilla
    id: 772075
    title: CVE-2012-0029 qemu: e1000: process_tx_desc legacy mode packets heap overflow
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 6 is installed
        oval: oval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • comment: qemu-kvm is earlier than 2:0.12.1.2-2.209.el6_2.4
            oval: oval:com.redhat.rhsa:tst:20120050001
          • comment: qemu-kvm is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20110345004
        • AND
          • comment: qemu-img is earlier than 2:0.12.1.2-2.209.el6_2.4
            oval: oval:com.redhat.rhsa:tst:20120050003
          • comment: qemu-img is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20110345006
        • AND
          • comment: qemu-kvm-tools is earlier than 2:0.12.1.2-2.209.el6_2.4
            oval: oval:com.redhat.rhsa:tst:20120050005
          • comment: qemu-kvm-tools is signed with Red Hat redhatrelease2 key
            oval: oval:com.redhat.rhsa:tst:20110345002
    rhsa
    id: RHSA-2012:0050
    released: 2012-01-23
    severity: Important
    title: RHSA-2012:0050: qemu-kvm security, bug fix, and enhancement update (Important)
  • bugzilla
    id: 772075
    title: CVE-2012-0029 qemu: e1000: process_tx_desc legacy mode packets heap overflow
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 5 is installed
        oval: oval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • comment: kvm-qemu-img is earlier than 0:83-239.el5_7.1
            oval: oval:com.redhat.rhsa:tst:20120051001
          • comment: kvm-qemu-img is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20091465008
        • AND
          • comment: kmod-kvm-debug is earlier than 0:83-239.el5_7.1
            oval: oval:com.redhat.rhsa:tst:20120051003
          • comment: kmod-kvm-debug is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20110028004
        • AND
          • comment: kmod-kvm is earlier than 0:83-239.el5_7.1
            oval: oval:com.redhat.rhsa:tst:20120051005
          • comment: kmod-kvm is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20091465004
        • AND
          • comment: kvm is earlier than 0:83-239.el5_7.1
            oval: oval:com.redhat.rhsa:tst:20120051007
          • comment: kvm is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20091465006
        • AND
          • comment: kvm-tools is earlier than 0:83-239.el5_7.1
            oval: oval:com.redhat.rhsa:tst:20120051009
          • comment: kvm-tools is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20091465002
    rhsa
    id: RHSA-2012:0051
    released: 2012-01-23
    severity: Important
    title: RHSA-2012:0051: kvm security update (Important)
  • bugzilla
    id: 797191
    title: xen-network-common.sh scripting typo
    oval
    OR
    • comment: Red Hat Enterprise Linux must be installed
      oval: oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment: Red Hat Enterprise Linux 5 is installed
        oval: oval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • comment: xen is earlier than 0:3.0.3-135.el5_8.2
            oval: oval:com.redhat.rhsa:tst:20120370001
          • comment: xen is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070114004
        • AND
          • comment: xen-devel is earlier than 0:3.0.3-135.el5_8.2
            oval: oval:com.redhat.rhsa:tst:20120370003
          • comment: xen-devel is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070114006
        • AND
          • comment: xen-libs is earlier than 0:3.0.3-135.el5_8.2
            oval: oval:com.redhat.rhsa:tst:20120370005
          • comment: xen-libs is signed with Red Hat redhatrelease key
            oval: oval:com.redhat.rhsa:tst:20070114002
    rhsa
    id: RHSA-2012:0370
    released: 2012-03-07
    severity: Important
    title: RHSA-2012:0370: xen security and bug fix update (Important)
rpms
  • qemu-img-2:0.12.1.2-2.209.el6_2.4
  • qemu-kvm-2:0.12.1.2-2.209.el6_2.4
  • qemu-kvm-debuginfo-2:0.12.1.2-2.209.el6_2.4
  • qemu-kvm-tools-2:0.12.1.2-2.209.el6_2.4
  • kmod-kvm-0:83-239.el5_7.1
  • kmod-kvm-debug-0:83-239.el5_7.1
  • kvm-0:83-239.el5_7.1
  • kvm-debuginfo-0:83-239.el5_7.1
  • kvm-qemu-img-0:83-239.el5_7.1
  • kvm-tools-0:83-239.el5_7.1
  • rhev-hypervisor6-0:6.2-20120209.0.el6_2
  • rhev-hypervisor6-tools-0:6.2-20120209.0.el6_2
  • xen-0:3.0.3-135.el5_8.2
  • xen-debuginfo-0:3.0.3-135.el5_8.2
  • xen-devel-0:3.0.3-135.el5_8.2
  • xen-libs-0:3.0.3-135.el5_8.2