Vulnerabilities > CVE-2012-3515 - Improper Input Validation vulnerability in multiple products

Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a "device model's address space."

Vulnerable Configurations

Part	Description	Count
OS	Xen XEN XEN 4.0.0 XEN XEN 4.1.0	2
OS	Suse Suse Linux Enterprise Server 11 Suse Linux Enterprise Server 10 Suse Linux Enterprise Desktop 11 Suse Linux Enterprise Desktop 10 Suse Linux Enterprise Software Development KIT 11 Suse Linux Enterprise Software Development KIT 10	10
OS	Opensuse Opensuse Opensuse 11.4 Opensuse Opensuse 12.2 Opensuse Opensuse 12.1	3
OS	Redhat Redhat Enterprise Linux 6.0 Redhat Enterprise Linux Server 5.0 Redhat Enterprise Linux Server 6.0 Redhat Enterprise Linux Workstation 5.0 Redhat Enterprise Linux Workstation 6.0 Redhat Enterprise Linux Desktop 6.0 Redhat Enterprise Linux Desktop 5.0 Redhat Enterprise Linux EUS 6.3	8
OS	Debian Debian Debian Linux 7.0 Debian Debian Linux 6.0	2
OS	Canonical Canonical Ubuntu Linux 11.04 Canonical Ubuntu Linux 11.10 Canonical Ubuntu Linux 12.04 Canonical Ubuntu Linux 10.04	4
Application	Qemu Qemu Qemu - Qemu Qemu 0.1 Qemu Qemu 0.1.0 Qemu Qemu 0.1.1 Qemu Qemu 0.1.2 Qemu Qemu 0.1.3 Qemu Qemu 0.1.4 Qemu Qemu 0.1.5 Qemu Qemu 0.1.6 Qemu Qemu 0.2 Qemu Qemu 0.2.0 Qemu Qemu 0.3 Qemu Qemu 0.3.0 Qemu Qemu 0.4 Qemu Qemu 0.4.0 Qemu Qemu 0.4.1 Qemu Qemu 0.4.2 Qemu Qemu 0.4.3 Qemu Qemu 0.4.4 Qemu Qemu 0.5.0 Qemu Qemu 0.5.1 Qemu Qemu 0.5.2 Qemu Qemu 0.5.3 Qemu Qemu 0.5.4 Qemu Qemu 0.5.5 Qemu Qemu 0.6.0 Qemu Qemu 0.6.1 Qemu Qemu 0.7.0 Qemu Qemu 0.7.1 Qemu Qemu 0.7.2 Qemu Qemu 0.8.0 Qemu Qemu 0.8.1 Qemu Qemu 0.8.2 Qemu Qemu 0.9.0 Qemu Qemu 0.9.1 Qemu Qemu 0.9.1-5 Qemu Qemu 0.10.0 Qemu Qemu 0.10.1 Qemu Qemu 0.10.2 Qemu Qemu 0.10.3 Qemu Qemu 0.10.4 Qemu Qemu 0.10.5 Qemu Qemu 0.10.6 Qemu Qemu 0.11.0 Qemu Qemu 0.11.0-Rc0 Qemu Qemu 0.11.0-Rc1 Qemu Qemu 0.11.0-Rc2 Qemu Qemu 0.11.1 Qemu Qemu 0.12.0 Qemu Qemu 0.12.1 Qemu Qemu 0.12.2 Qemu Qemu 0.12.3 Qemu Qemu 0.12.4 Qemu Qemu 0.12.5 Qemu Qemu 0.13.0 Qemu Qemu 0.14.0 Qemu Qemu 0.14.1 Qemu Qemu 0.15.0 Qemu Qemu 0.15.1 Qemu Qemu 0.15.2 Qemu Qemu 1.0 Qemu Qemu 1.0.1 Qemu Qemu 1.1 Qemu Qemu 1.1.0 Qemu Qemu 1.1.1 Qemu Qemu 1.1.2 Qemu Qemu 1.1.2\+Dfsg	104
Application	Redhat Redhat Virtualization 3.0 Redhat Virtualization 6.0 Redhat Virtualization 5.0	3

Common Weakness Enumeration (CWE)

CWE-20 - Improper Input Validation

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Server Side Include (SSI) Injection
An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
Cross Zone Scripting
An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
Cross Site Scripting through Log Files
An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
Command Line Execution through SQL Injection
An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2012-1236.NASL
description	Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of the Xen hypervisor implementation in Red Hat Enterprise Linux 5. This problem only affected fully-virtualized guests that have a serial or parallel device that uses a virtual console (vc) back-end. By default, the virtual console back-end is not used for such devices; only guests explicitly configured to use them in this way were affected. Red Hat would like to thank the Xen project for reporting this issue. All users of xen are advised to upgrade to these updated packages, which correct this issue. After installing the updated packages, all fully-virtualized guests must be restarted for this update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	61793
published	2012-09-06
reporter	This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/61793
title	RHEL 5 : xen (RHSA-2012:1236)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2012:1236. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(61793); script_version ("1.17"); script_cvs_date("Date: 2019/10/24 15:35:36"); script_cve_id("CVE-2012-3515"); script_bugtraq_id(55413); script_xref(name:"RHSA", value:"2012:1236"); script_name(english:"RHEL 5 : xen (RHSA-2012:1236)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of the Xen hypervisor implementation in Red Hat Enterprise Linux 5. This problem only affected fully-virtualized guests that have a serial or parallel device that uses a virtual console (vc) back-end. By default, the virtual console back-end is not used for such devices; only guests explicitly configured to use them in this way were affected. Red Hat would like to thank the Xen project for reporting this issue. All users of xen are advised to upgrade to these updated packages, which correct this issue. After installing the updated packages, all fully-virtualized guests must be restarted for this update to take effect." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2012:1236" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2012-3515" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xen-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:xen-libs"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"patch_publication_date", value:"2012/09/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = eregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! ereg(pattern:"^5([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2012:1236"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"xen-3.0.3-135.el5_8.5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"xen-3.0.3-135.el5_8.5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"xen-debuginfo-3.0.3-135.el5_8.5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"xen-debuginfo-3.0.3-135.el5_8.5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"xen-devel-3.0.3-135.el5_8.5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"xen-devel-3.0.3-135.el5_8.5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"xen-libs-3.0.3-135.el5_8.5")) flag++; if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"xen-libs-3.0.3-135.el5_8.5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-debuginfo / xen-devel / xen-libs"); } }

NASL family	SuSE Local Security Checks
NASL id	SUSE_11_KVM-120831.NASL
description	The kvm qemu vt100 emulation was affected by a problem where specific vt100 sequences could have been used by guest users to affect the host. (CVE-2012-3515 aka XSA-17). Also the following non security bugs have been fixed : - permit qemu-kvm -device
last seen	2020-06-05
modified	2013-01-25
plugin id	64181
published	2013-01-25
reporter	This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/64181
title	SuSE 11.2 Security Update : kvm (SAT Patch Number 6755)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SuSE 11 update information. The text itself is # copyright (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(64181); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2012-3515"); script_name(english:"SuSE 11.2 Security Update : kvm (SAT Patch Number 6755)"); script_summary(english:"Checks rpm output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 11 host is missing a security update." ); script_set_attribute( attribute:"description", value: "The kvm qemu vt100 emulation was affected by a problem where specific vt100 sequences could have been used by guest users to affect the host. (CVE-2012-3515 aka XSA-17). Also the following non security bugs have been fixed : - permit qemu-kvm -device '?' even when no /dev/kvm. (bnc#772586) - SLES11SP2 KVM Virtio: on kvm guest, scsi inquiry was still ok on the disabled subpaths. (bnc#770153)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=770153" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=772586" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=777084" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2012-3515.html" ); script_set_attribute(attribute:"solution", value:"Apply SAT patch number 6755."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:kvm"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11"); script_set_attribute(attribute:"patch_publication_date", value:"2012/08/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/01/25"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) \|\| release !~ "^(SLED\|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11"); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu); pl = get_kb_item("Host/SuSE/patchlevel"); if (isnull(pl) \|\| int(pl) != 2) audit(AUDIT_OS_NOT, "SuSE 11.2"); flag = 0; if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"kvm-0.15.1-0.23.1")) flag++; if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"kvm-0.15.1-0.23.1")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"i586", reference:"kvm-0.15.1-0.23.1")) flag++; if (rpm_check(release:"SLES11", sp:2, cpu:"x86_64", reference:"kvm-0.15.1-0.23.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2012-1235.NASL
description	Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of KVM. Affected configurations were : * When guests were started from the command line (
last seen	2020-06-01
modified	2020-06-02
plugin id	61790
published	2012-09-06
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/61790
title	CentOS 5 : kvm (CESA-2012:1235)
code	# # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2012:1235 and # CentOS Errata and Security Advisory 2012:1235 respectively. # include("compat.inc"); if (description) { script_id(61790); script_version("1.10"); script_cvs_date("Date: 2020/01/07"); script_cve_id("CVE-2012-3515"); script_bugtraq_id(55413); script_xref(name:"RHSA", value:"2012:1235"); script_name(english:"CentOS 5 : kvm (CESA-2012:1235)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of KVM. Affected configurations were : * When guests were started from the command line ('/usr/libexec/qemu-kvm'), and without specifying a serial or parallel device that specifically does not use a virtual console (vc) back-end. (Note that Red Hat does not support invoking 'qemu-kvm' from the command line on Red Hat Enterprise Linux 5.) * Guests that were managed via libvirt, such as when using Virtual Machine Manager (virt-manager), but that have a serial or parallel device that uses a virtual console back-end. By default, guests managed via libvirt will not use a virtual console back-end for such devices. Red Hat would like to thank the Xen project for reporting this issue. All KVM users should upgrade to these updated packages, which correct this issue. Note: The procedure in the Solution section must be performed before this update will take effect." ); # https://lists.centos.org/pipermail/centos-announce/2012-September/018847.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7801d73f" ); script_set_attribute(attribute:"solution", value:"Update the affected kvm packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-3515"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kmod-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kmod-kvm-debug"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kvm-qemu-img"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:kvm-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/23"); script_set_attribute(attribute:"patch_publication_date", value:"2012/09/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) \|\| "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^5([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 5.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-5", cpu:"x86_64", reference:"kmod-kvm-83-249.el5.centos.5")) flag++; if (rpm_check(release:"CentOS-5", cpu:"x86_64", reference:"kmod-kvm-debug-83-249.el5.centos.5")) flag++; if (rpm_check(release:"CentOS-5", cpu:"x86_64", reference:"kvm-83-249.el5.centos.5")) flag++; if (rpm_check(release:"CentOS-5", cpu:"x86_64", reference:"kvm-qemu-img-83-249.el5.centos.5")) flag++; if (rpm_check(release:"CentOS-5", cpu:"x86_64", reference:"kvm-tools-83-249.el5.centos.5")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kmod-kvm / kmod-kvm-debug / kvm / kvm-qemu-img / kvm-tools"); }

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2012-0039.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : - console: bounds check whenever changing the cursor due to an escape code The device model used by fully virtualised (HVM) domains, qemu, does not properly handle escape VT100 sequences when emulating certain devices with a virtual console backend. (CVE-2012-3515) - x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI PHYSDEVOP_map_pirq with MAP_PIRQ_TYPE_GSI does not range check map->index. This is being used as a array index, and hence must be validated before use. A malicious HVM guest kernel can crash the host. It might also be able to read hypervisor or guest memory. (CVE-2012-3496) - xen: Don
last seen	2020-06-01
modified	2020-06-02
plugin id	79482
published	2014-11-26
reporter	This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/79482
title	OracleVM 3.1 : xen (OVMSA-2012-0039)
code	# # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2012-0039. # include("compat.inc"); if (description) { script_id(79482); script_version("1.6"); script_cvs_date("Date: 2019/09/27 13:00:34"); script_cve_id("CVE-2012-3494", "CVE-2012-3495", "CVE-2012-3496", "CVE-2012-3515"); script_bugtraq_id(55400, 55406, 55412, 55413); script_name(english:"OracleVM 3.1 : xen (OVMSA-2012-0039)"); script_summary(english:"Checks the RPM output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : - console: bounds check whenever changing the cursor due to an escape code The device model used by fully virtualised (HVM) domains, qemu, does not properly handle escape VT100 sequences when emulating certain devices with a virtual console backend. (CVE-2012-3515) - x86/pvhvm: properly range-check PHYSDEVOP_map_pirq/MAP_PIRQ_TYPE_GSI PHYSDEVOP_map_pirq with MAP_PIRQ_TYPE_GSI does not range check map->index. This is being used as a array index, and hence must be validated before use. A malicious HVM guest kernel can crash the host. It might also be able to read hypervisor or guest memory. (CVE-2012-3496) - xen: Don't BUG_ON PoD operations on a non-translated guest. XENMEM_populate_physmap can be called with invalid flags. By calling it with MEMF_populate_on_demand flag set, a BUG can be triggered if a translating paging mode is not being used. (CVE-2012-3496) - xen: handle out-of-pirq condition correctly in PHYSDEVOP_get_free_pirq PHYSDEVOP_get_free_pirq does not check that its call to get_free_pirq succeeded, and if it fails will use the error code as an array index. (CVE-2012-3495) - xen: prevent a 64 bit guest setting reserved bits in DR7 The upper 32 bits of this register are reserved and should be written as zero. (CVE-2012-3494)" ); # https://oss.oracle.com/pipermail/oraclevm-errata/2012-September/000099.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?f046f12a" ); script_set_attribute( attribute:"solution", value:"Update the affected xen / xen-devel / xen-tools packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/23"); script_set_attribute(attribute:"patch_publication_date", value:"2012/09/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) \|\| "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "3\.1" + "(\.[0-9]\|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.1", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"OVS3.1", reference:"xen-4.1.2-18.el5.14")) flag++; if (rpm_check(release:"OVS3.1", reference:"xen-devel-4.1.2-18.el5.14")) flag++; if (rpm_check(release:"OVS3.1", reference:"xen-tools-4.1.2-18.el5.14")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-devel / xen-tools"); }

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2012-0048.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : - XSA-12: prevent a 64 bit guest setting reserved bits in DR7 [orabug 14554090] (CVE-2012-3494) - XSA-14: Don
last seen	2020-06-01
modified	2020-06-02
plugin id	79486
published	2014-11-26
reporter	This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/79486
title	OracleVM 2.2 : xen (OVMSA-2012-0048)
code	# # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2012-0048. # include("compat.inc"); if (description) { script_id(79486); script_version("1.6"); script_cvs_date("Date: 2019/09/27 13:00:34"); script_cve_id("CVE-2012-3494", "CVE-2012-3496", "CVE-2012-3515"); script_bugtraq_id(55400, 55412, 55413); script_name(english:"OracleVM 2.2 : xen (OVMSA-2012-0048)"); script_summary(english:"Checks the RPM output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : - XSA-12: prevent a 64 bit guest setting reserved bits in DR7 [orabug 14554090] (CVE-2012-3494) - XSA-14: Don't BUG_ON PoD operations on a non-translated guest [orabug 14554272] (CVE-2012-3496) - XSA-17: console: bounds check whenever changing the cursor due to an escape code [orabug 14554401] (CVE-2012-3515)" ); # https://oss.oracle.com/pipermail/oraclevm-errata/2012-November/000108.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e181bb31" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-64"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-debugger"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-pvhvm-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:2.2"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/11/23"); script_set_attribute(attribute:"patch_publication_date", value:"2012/11/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) \|\| "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "2\.2" + "(\.[0-9]\|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 2.2", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); flag = 0; if (rpm_check(release:"OVS2.2", reference:"xen-3.4.0-0.1.41.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"xen-64-3.4.0-0.1.41.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"xen-debugger-3.4.0-0.1.41.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"xen-devel-3.4.0-0.1.41.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"xen-pvhvm-devel-3.4.0-0.1.41.el5")) flag++; if (rpm_check(release:"OVS2.2", reference:"xen-tools-3.4.0-0.1.41.el5")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-64 / xen-debugger / xen-devel / xen-pvhvm-devel / etc"); }

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20120905_QEMU_KVM_ON_SL6_X.NASL
description	KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of KVM. Affected configurations were : - When guests were started from the command line (
last seen	2020-03-18
modified	2012-09-06
plugin id	61795
published	2012-09-06
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/61795
title	Scientific Linux Security Update : qemu-kvm on SL6.x x86_64 (20120905)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2012-1234.NASL
description	From Red Hat Security Advisory 2012:1234 : Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of KVM. Affected configurations were : * When guests were started from the command line (
last seen	2020-06-01
modified	2020-06-02
plugin id	68612
published	2013-07-12
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/68612
title	Oracle Linux 6 : qemu-kvm (ELSA-2012-1234)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-2545.NASL
description	Multiple vulnerabilities have been discovered in QEMU, a fast processor emulator. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2012-2652 : The snapshot mode of QEMU (-snapshot) incorrectly handles temporary files used to store the current state, making it vulnerable to symlink attacks (including arbitrary file overwriting and guest information disclosure) due to a race condition. - CVE-2012-3515 : QEMU does not properly handle VT100 escape sequences when emulating certain devices with a virtual console backend. An attacker within a guest with access to the vulnerable virtual console could overwrite memory of QEMU and escalate privileges to that of the qemu process.
last seen	2020-03-17
modified	2012-09-10
plugin id	62016
published	2012-09-10
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/62016
title	Debian DSA-2545-1 : qemu - multiple vulnerabilities

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2012-599.NASL
description	qemu was fixed to add bounds checking for VT100 escape code parsing and cursor placement. Also qemu was updated on 12.2 and 11.4 to the latest stable release (v1.1.1 and v0.14.1 respectively).
last seen	2020-06-05
modified	2014-06-13
plugin id	74752
published	2014-06-13
reporter	This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/74752
title	openSUSE Security Update : qemu (openSUSE-SU-2012:1170-1)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2012-1234.NASL
description	Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of KVM. Affected configurations were : * When guests were started from the command line (
last seen	2020-06-01
modified	2020-06-02
plugin id	61999
published	2012-09-07
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/61999
title	CentOS 6 : qemu-kvm (CESA-2012:1234)

NASL family	SuSE Local Security Checks
NASL id	SUSE_XEN-201209-8268.NASL
description	XEN was updated to fix multiple bugs and security issues. The following security issues have been fixed : - xen: hypercall set_debugreg vulnerability (XSA-12). (CVE-2012-3494) - xen: Qemu VT100 emulation vulnerability (XSA-17). (CVE-2012-3515) - xen: pv bootloader doesn
last seen	2020-06-05
modified	2012-09-10
plugin id	62025
published	2012-09-10
reporter	This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/62025
title	SuSE 10 Security Update : Xen (ZYPP Patch Number 8268)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2012-15740.NASL
description	- Remove comma from 1.0.1 version number - CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252) - Fix slirp crash (bz #845795) - Fix KVM module permissions after install (bz #863374) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-17
modified	2012-10-15
plugin id	62535
published	2012-10-15
reporter	This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/62535
title	Fedora 17 : qemu-1.0.1-2.fc17 (2012-15740)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2012-1325.NASL
description	An updated rhev-hypervisor6 package that fixes multiple security issues and one bug is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of Red Hat Enterprise Virtualization Hypervisor: it is not possible to add a device that uses a virtual console back-end via Red Hat Enterprise Virtualization Manager. To specify a virtual console back-end for a device and therefore be vulnerable to this issue, the device would have to be created another way, for example, by using a VDSM hook. Note that at this time hooks can only be used on Red Hat Enterprise Linux hosts, not Red Hat Enterprise Virtualization Hypervisor. Multiple integer overflow flaws, leading to stack-based buffer overflows, were found in glibc
last seen	2020-06-01
modified	2020-06-02
plugin id	78935
published	2014-11-08
reporter	This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/78935
title	RHEL 6 : rhev-hypervisor6 (RHSA-2012:1325)

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2015-0068.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details.
last seen	2020-06-01
modified	2020-06-02
plugin id	84140
published	2015-06-12
reporter	This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/84140
title	OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201309-24.NASL
description	The remote host is affected by the vulnerability described in GLSA-201309-24 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : Guest domains could possibly gain privileges, execute arbitrary code, or cause a Denial of Service on the host domain (Dom0). Additionally, guest domains could gain information about other virtual machines running on the same host or read arbitrary files on the host. Workaround : The CVEs listed below do not currently have fixes, but only apply to Xen setups which have “tmem” specified on the hypervisor command line. TMEM is not currently supported for use in production systems, and administrators using tmem should disable it. Relevant CVEs: * CVE-2012-2497 * CVE-2012-6030 * CVE-2012-6031 * CVE-2012-6032 * CVE-2012-6033 * CVE-2012-6034 * CVE-2012-6035 * CVE-2012-6036
last seen	2020-06-01
modified	2020-06-02
plugin id	70184
published	2013-09-28
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/70184
title	GLSA-201309-24 : Xen: Multiple vulnerabilities

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2012-1233.NASL
description	Updated qemu-kvm-rhev packages that fix one security issue and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev packages form the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) When using qemu-kvm-rhev on a Red Hat Enterprise Linux 6 host not managed by Red Hat Enterprise Virtualization : * This flaw did not affect the default use of KVM. Affected configurations were : * When guests were started from the command line (
last seen	2020-06-01
modified	2020-06-02
plugin id	78932
published	2014-11-08
reporter	This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/78932
title	RHEL 6 : qemu-kvm-rhev (RHSA-2012:1233)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2012-1236.NASL
description	Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of the Xen hypervisor implementation in Red Hat Enterprise Linux 5. This problem only affected fully-virtualized guests that have a serial or parallel device that uses a virtual console (vc) back-end. By default, the virtual console back-end is not used for such devices; only guests explicitly configured to use them in this way were affected. Red Hat would like to thank the Xen project for reporting this issue. All users of xen are advised to upgrade to these updated packages, which correct this issue. After installing the updated packages, all fully-virtualized guests must be restarted for this update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	61791
published	2012-09-06
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/61791
title	CentOS 5 : xen (CESA-2012:1236)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2012-596.NASL
description	Security Update for Xen Following fixes were done : - bnc#776995 - attaching scsi control luns with pvscsi - xend/pvscsi: fix passing of SCSI control LUNs xen-bug776995-pvscsi-no-devname.patch - xend/pvscsi: fix usage of persistant device names for SCSI devices xen-bug776995-pvscsi-persistent-names.patch - xend/pvscsi: update sysfs parser for Linux 3.0 xen-bug776995-pvscsi-sysfs-parser.patch - bnc#777090 - VUL-0: CVE-2012-3494: xen: hypercall set_debugreg vulnerability (XSA-12) CVE-2012-3494-xsa12.patch - bnc#777091 - VUL-0: CVE-2012-3496: xen: XENMEM_populate_physmap DoS vulnerability (XSA-14) CVE-2012-3496-xsa14.patch - bnc#777084 - VUL-0: CVE-2012-3515: xen: Qemu VT100 emulation vulnerability (XSA-17) CVE-2012-3515-xsa17.patch - bnc#744771 - VM with passed through PCI card fails to reboot under dom0 load 24888-pci-release-devices.patch - Upstream patches from Jan 25431-x86-EDD-MBR-sig-check.patch 25459-page-list-splice.patch 25478-x86-unknown-NMI-deadlock.patch 25480-x86_64-sysret-canonical.patch 25481-x86_64-AMD-erratum-121.patch 25485-x86_64-canonical-checks.patch 25587-param-parse-limit.patch 25617-vtd-qinval-addr.patch 25688-x86-nr_irqs_gsi.patch - bnc#773393 - VUL-0: CVE-2012-3433: xen: HVM guest destroy p2m teardown host DoS vulnerability CVE-2012-3433-xsa11.patch - bnc#773401 - VUL-1: CVE-2012-3432: xen: HVM guest user mode MMIO emulation DoS 25682-x86-inconsistent-io-state.patch - bnc#762484 - VUL-1: CVE-2012-2625: xen: pv bootloader doesn
last seen	2020-06-05
modified	2014-06-13
plugin id	74749
published	2014-06-13
reporter	This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/74749
title	openSUSE Security Update : Xen (openSUSE-SU-2012:1174-1)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2012-597.NASL
description	Security Update for Xen Following bug and security fixes were applied : - bnc#776995 - attaching scsi control luns with pvscsi - xend/pvscsi: fix passing of SCSI control LUNs xen-bug776995-pvscsi-no-devname.patch - xend/pvscsi: fix usage of persistant device names for SCSI devices xen-bug776995-pvscsi-persistent-names.patch - xend/pvscsi: update sysfs parser for Linux 3.0 xen-bug776995-pvscsi-sysfs-parser.patch - bnc#777090 - CVE-2012-3494: xen: hypercall set_debugreg vulnerability (XSA-12) CVE-2012-3494-xsa12.patch - bnc#777088 - CVE-2012-3495: xen: hypercall physdev_get_free_pirq vulnerability (XSA-13) CVE-2012-3495-xsa13.patch - bnc#777091 - CVE-2012-3496: xen: XENMEM_populate_physmap DoS vulnerability (XSA-14) CVE-2012-3496-xsa14.patch - bnc#777086 - CVE-2012-3498: xen: PHYSDEVOP_map_pirq index vulnerability (XSA-16) CVE-2012-3498-xsa16.patch - bnc#777084 - CVE-2012-3515: xen: Qemu VT100 emulation vulnerability (XSA-17) CVE-2012-3515-xsa17.patch - Upstream patches from Jan 25734-x86-MCG_CTL-default.patch 25735-x86-cpuid-masking-XeonE5.patch 25744-hypercall-return-long.patch - Update to Xen 4.1.3 c/s 23336 - Upstream or pending upstream patches from Jan 25587-fix-off-by-one-parsing-error.patch 25616-x86-MCi_CTL-default.patch 25617-vtd-qinval-addr.patch 25688-x86-nr_irqs_gsi.patch - bnc#773393 - VUL-0: CVE-2012-3433: xen: HVM guest destroy p2m teardown host DoS vulnerability CVE-2012-3433-xsa11.patch - bnc#773401 - VUL-1: CVE-2012-3432: xen: HVM guest user mode MMIO emulation DoS 25682-x86-inconsistent-io-state.patch - bnc#762484 - VUL-1: CVE-2012-2625: xen: pv bootloader doesn
last seen	2020-06-05
modified	2014-06-13
plugin id	74750
published	2014-06-13
reporter	This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/74750
title	openSUSE Security Update : Xen (openSUSE-SU-2012:1172-1)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2012-812.NASL
description	This security update of XEN fixes various bugs and security issues. - Upstream patch 26088-xend-xml-filesize-check.patch - bnc#787163 - CVE-2012-4544: xen: Domain builder Out-of- memory due to malicious kernel/ramdisk (XSA 25) CVE-2012-4544-xsa25.patch - bnc#779212 - CVE-2012-4411: XEN / qemu: guest administrator can access qemu monitor console (XSA-19) CVE-2012-4411-xsa19.patch - bnc#786516 - CVE-2012-4535: xen: Timer overflow DoS vulnerability CVE-2012-4535-xsa20.patch - bnc#786518 - CVE-2012-4536: xen: pirq range check DoS vulnerability CVE-2012-4536-xsa21.patch - bnc#786517 - CVE-2012-4537: xen: Memory mapping failure DoS vulnerability CVE-2012-4537-xsa22.patch - bnc#786519 - CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability CVE-2012-4538-xsa23.patch - bnc#786520 - CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability CVE-2012-4539-xsa24.patch - bnc#784087 - L3: Xen BUG at io_apic.c:129 26102-x86-IOAPIC-legacy-not-first.patch - Upstream patches from Jan 26054-x86-AMD-perf-ctr-init.patch 26055-x86-oprof-hvm-mode.patch 26056-page-alloc-flush-filter.patch 26061-x86-oprof-counter-range.patch 26062-ACPI-ERST-move-data.patch 26063-x86-HPET-affinity-lock.patch 26093-HVM-PoD-grant-mem-type.patch - Upstream patches from Jan 25931-x86-domctl-iomem-mapping-checks.patch 25952-x86-MMIO-remap-permissions.patch ------------------------------------------------------------------- Mon Sep 24 16:41:58 CEST 2012 - [email protected] - use BuildRequires: gcc46 only in sles11sp2 or 12.1 to fix build in 11.4 ------------------------------------------------------------------- Thu Sep 20 10:03:40 MDT 2012 - [email protected] - Upstream patches from Jan 25808-domain_create-return-value.patch 25814-x86_64-set-debugreg-guest.patch 25815-x86-PoD-no-bug-in-non-translated.patch 25816-x86-hvm-map-pirq-range-check.patch 25833-32on64-bogus-pt_base-adjust.patch 25834-x86-S3-MSI-resume.patch 25835-adjust-rcu-lock-domain.patch 25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch 25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch 25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch 25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch 25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch 25859-tmem-missing-break.patch 25860-tmem-cleanup.patch 25883-pt-MSI-cleanup.patch 25927-x86-domctl-ioport-mapping-range.patch 25929-tmem-restore-pool-version.patch - bnc#778105 - first XEN-PV VM fails to spawn xend: Increase wait time for disk to appear in host bootloader Modified existing xen-domUloader.diff - Upstream patches from Jan 25752-ACPI-pm-op-valid-cpu.patch 25754-x86-PoD-early-access.patch 25755-x86-PoD-types.patch 25756-x86-MMIO-max-mapped-pfn.patch 25757-x86-EPT-PoD-1Gb-assert.patch 25764-x86-unknown-cpu-no-sysenter.patch 25765-x86_64-allow-unsafe-adjust.patch 25771-grant-copy-status-paged-out.patch 25773-x86-honor-no-real-mode.patch 25786-x86-prefer-multiboot-meminfo-over-e801.patch - bnc#777890 - CVE-2012-3497: xen: multiple TMEM hypercall vulnerabilities (XSA-15) CVE-2012-3497-tmem-xsa-15-1.patch CVE-2012-3497-tmem-xsa-15-2.patch CVE-2012-3497-tmem-xsa-15-3.patch CVE-2012-3497-tmem-xsa-15-4.patch CVE-2012-3497-tmem-xsa-15-5.patch CVE-2012-3497-tmem-xsa-15-6.patch CVE-2012-3497-tmem-xsa-15-7.patch CVE-2012-3497-tmem-xsa-15-8.patch CVE-2012-3497-tmem-xsa-15-9.patch tmem-missing-break.patch
last seen	2020-06-05
modified	2014-06-13
plugin id	74821
published	2014-06-13
reporter	This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/74821
title	openSUSE Security Update : XEN (openSUSE-SU-2012:1573-1)

NASL family	F5 Networks Local Security Checks
NASL id	F5_BIGIP_SOL13405416.NASL
description	Qemu, as used in Xen 4.0, 4.1 and possibly other products, when emulating certain devices with a virtual console backend, allows local OS guest users to gain privileges via a crafted escape VT100 sequence that triggers the overwrite of a
last seen	2020-06-01
modified	2020-06-02
plugin id	87743
published	2016-01-06
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/87743
title	F5 Networks BIG-IP : QEMU vulnerability (SOL13405416)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2012-1235.NASL
description	Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of KVM. Affected configurations were : * When guests were started from the command line (
last seen	2020-06-01
modified	2020-06-02
plugin id	64055
published	2013-01-24
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/64055
title	RHEL 5 : kvm (RHSA-2012:1235)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201604-03.NASL
description	The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	90380
published	2016-04-07
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90380
title	GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2012-1234.NASL
description	Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of KVM. Affected configurations were : * When guests were started from the command line (
last seen	2020-06-01
modified	2020-06-02
plugin id	64054
published	2013-01-24
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/64054
title	RHEL 6 : qemu-kvm (RHSA-2012:1234)

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2012-0046.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : - Xen Security Advisory CVE-2012-4411 / XSA-19 version 2 guest administrator can access qemu monitor console Disable qemu monitor by default. The qemu monitor is an overly powerful feature which must be protected from untrusted (guest) administrators. (CVE-2012-4411) - fix xm create vcpu_avail exceeds XMLRPC int limits If maxvcpus = vcpus = 40, (1<<40 -1) will exceed XMLRPC int limit. Change it to str will work. Then in the xend side, it will converted back to int. (CVE-2012-3515)
last seen	2020-06-01
modified	2020-06-02
plugin id	79485
published	2014-11-26
reporter	This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/79485
title	OracleVM 3.1 : xen (OVMSA-2012-0046)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2012-598.NASL
description	Security Update for Xen
last seen	2020-06-05
modified	2014-06-13
plugin id	74751
published	2014-06-13
reporter	This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/74751
title	openSUSE Security Update : Xen (openSUSE-SU-2012:1176-1)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2012-591.NASL
description	- Fix VT100 emulation vulnerability (bnc#777084) (CVE-2012-3515)
last seen	2020-06-05
modified	2014-06-13
plugin id	74747
published	2014-06-13
reporter	This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/74747
title	openSUSE Security Update : kvm (openSUSE-SU-2012:1153-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_11_XEN-201209-120829.NASL
description	XEN was updated 4.1.3 to fix multiple bugs and security issues. The following security issues have been fixed : - xen: hypercall set_debugreg vulnerability (XSA-12). (CVE-2012-3494) - xen: hypercall physdev_get_free_pirq vulnerability (XSA-13). (CVE-2012-3495) - xen: XENMEM_populate_physmap DoS vulnerability (XSA-14). (CVE-2012-3496) - xen: PHYSDEVOP_map_pirq index vulnerability (XSA-16). (CVE-2012-3498) - xen: Qemu VT100 emulation vulnerability (XSA-17) Also the following bugs have been fixed:. (CVE-2012-3515) - pvscsi support of attaching Luns - (bnc#776995) The following related bugs in vm-install 0.5.12 have been fixed : - vm-install does not pass --extra-args in --upgrade. (bnc#776300) - Add for support Open Enterprise Server 11 - Add support for Windows 8 and Windows Server 2012 - Add support for Ubuntu 12 (Precise Pangolin)
last seen	2020-06-05
modified	2013-01-25
plugin id	64236
published	2013-01-25
reporter	This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/64236
title	SuSE 11.2 Security Update : Xen (SAT Patch Number 6748)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2012-1235.NASL
description	From Red Hat Security Advisory 2012:1235 : Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of KVM. Affected configurations were : * When guests were started from the command line (
last seen	2020-06-01
modified	2020-06-02
plugin id	68613
published	2013-07-12
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/68613
title	Oracle Linux 5 : kvm (ELSA-2012-1235)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2012-1236.NASL
description	From Red Hat Security Advisory 2012:1236 : Updated xen packages that fix one security issue are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of the Xen hypervisor implementation in Red Hat Enterprise Linux 5. This problem only affected fully-virtualized guests that have a serial or parallel device that uses a virtual console (vc) back-end. By default, the virtual console back-end is not used for such devices; only guests explicitly configured to use them in this way were affected. Red Hat would like to thank the Xen project for reporting this issue. All users of xen are advised to upgrade to these updated packages, which correct this issue. After installing the updated packages, all fully-virtualized guests must be restarted for this update to take effect.
last seen	2020-06-01
modified	2020-06-02
plugin id	68614
published	2013-07-12
reporter	This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/68614
title	Oracle Linux 5 : xen (ELSA-2012-1236)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20120905_KVM_ON_SL5_X.NASL
description	KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for the standard Red Hat Enterprise Linux kernel. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of KVM. Affected configurations were : - When guests were started from the command line (
last seen	2020-03-18
modified	2012-09-06
plugin id	61794
published	2012-09-06
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/61794
title	Scientific Linux Security Update : kvm on SL5.x x86_64 (20120905)

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2012-0040.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : - console: bounds check whenever changing the cursor due to an escape code The device model used by fully virtualised (HVM) domains, qemu, does not properly handle escape VT100 sequences when emulating certain devices with a virtual console backend. (CVE-2012-3515) - xen: Don
last seen	2020-06-01
modified	2020-06-02
plugin id	79483
published	2014-11-26
reporter	This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/79483
title	OracleVM 3.0 : xen (OVMSA-2012-0040)

NASL family	SuSE Local Security Checks
NASL id	SUSE_11_XEN-201209-120831.NASL
description	XEN was updated 4.1.3 to fix multiple bugs and security issues. The following security issues have been fixed : - xen: hypercall set_debugreg vulnerability (XSA-12). (CVE-2012-3494) - xen: hypercall physdev_get_free_pirq vulnerability (XSA-13). (CVE-2012-3495) - xen: XENMEM_populate_physmap DoS vulnerability (XSA-14). (CVE-2012-3496) - xen: PHYSDEVOP_map_pirq index vulnerability (XSA-16). (CVE-2012-3498) - xen: Qemu VT100 emulation vulnerability (XSA-17) Also the following bugs have been fixed:. (CVE-2012-3515) - pvscsi support of attaching Luns - (bnc#776995) The following related bugs in vm-install 0.5.12 have been fixed : - vm-install does not pass --extra-args in --upgrade. (bnc#776300) - Add for support Open Enterprise Server 11 - Add support for Windows 8 and Windows Server 2012 - Add support for Ubuntu 12 (Precise Pangolin)
last seen	2020-06-05
modified	2013-01-25
plugin id	64237
published	2013-01-25
reporter	This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/64237
title	SuSE 11.2 Security Update : Xen (SAT Patch Number 6748)

NASL family	Mandriva Local Security Checks
NASL id	MANDRIVA_MDVSA-2013-121.NASL
description	Updated qemu packages fix security vulnerability : A flaw was found in how qemu, in snapshot mode (-snapshot command line argument), handled the creation and opening of the temporary file used to store the difference of the virtualized guest
last seen	2020-06-01
modified	2020-06-02
plugin id	66133
published	2013-04-20
reporter	This script is Copyright (C) 2013-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/66133
title	Mandriva Linux Security Advisory : qemu (MDVSA-2013:121)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-2543.NASL
description	Multiple vulnerabilities have been discovered in xen-qemu-dm-4.0, the Xen QEMU Device Model virtual machine hardware emulator. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2012-3515 : The device model for HVM domains does not properly handle VT100 escape sequences when emulating certain devices with a virtual console backend. An attacker within a guest with access to the vulnerable virtual console could overwrite memory of the device model and escalate privileges to that of the device model process. - CVE-2012-4411 : The QEMU monitor was enabled by default, allowing administrators of a guest to access resources of the host, possibly escalate privileges or access resources belonging to another guest.
last seen	2020-03-17
modified	2012-09-10
plugin id	62014
published	2012-09-10
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/62014
title	Debian DSA-2543-1 : xen-qemu-dm-4.0 - multiple vulnerabilities

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-2542.NASL
description	Multiple vulnerabilities have been discovered in KVM, a full virtualization solution on x86 hardware. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2012-2652 : The snapshot mode of QEMU (-snapshot) incorrectly handles temporary files used to store the current state, making it vulnerable to symlink attacks (including arbitrary file overwriting and guest information disclosure) due to a race condition. - CVE-2012-3515 : QEMU does not properly handle VT100 escape sequences when emulating certain devices with a virtual console backend. An attacker within a guest with access to the vulnerable virtual console could overwrite memory of QEMU and escalate privileges to that of the qemu process.
last seen	2020-03-17
modified	2012-09-10
plugin id	62013
published	2012-09-10
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/62013
title	Debian DSA-2542-1 : qemu-kvm - multiple vulnerabilities

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2012-15606.NASL
description	- CVE-2012-3515 VT100 emulation vulnerability (bz #854600, bz #851252) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-17
modified	2012-10-17
plugin id	62568
published	2012-10-17
reporter	This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/62568
title	Fedora 16 : qemu-0.15.1-8.fc16 (2012-15606)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2012-13443.NASL
description	a malicious 64-bit PV guest can crash the dom0 [XSA-12, CVE-2012-3494] (#854585) a malicious crash might be able to crash the dom0 or escalate privileges [XSA-13, CVE-2012-3495] (#854589) a malicious PV guest can crash the dom0 [XSA-14, CVE-2012-3496] (#854590) a malicious HVM guest can crash the dom0 and might be able to read hypervisor or guest memory [XSA-16, CVE-2012-3498] (#854593) an HVM guest could use VT100 escape sequences to escalate privileges to that of the qemu process [XSA-17, CVE-2012-3515] (#854599) disable qemu monitor by default [XSA-19, CVE-2012-4411] (#855141) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-17
modified	2012-09-18
plugin id	62155
published	2012-09-18
reporter	This script is Copyright (C) 2012-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/62155
title	Fedora 16 : xen-4.1.3-2.fc16 (2012-13443)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2012-1262.NASL
description	An updated rhev-hypervisor5 package that fixes multiple security issues and various bugs is now available. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor5 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu-kvm process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) Multiple integer overflow flaws, leading to stack-based buffer overflows, were found in glibc
last seen	2020-06-01
modified	2020-06-02
plugin id	78933
published	2014-11-08
reporter	This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/78933
title	RHEL 5 : rhev-hypervisor5 (RHSA-2012:1262)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2012-811.NASL
description	This security update of XEN fixes various bugs and security issues. - Upstream patch 26088-xend-xml-filesize-check.patch - bnc#787163 - CVE-2012-4544: xen: Domain builder Out-of- memory due to malicious kernel/ramdisk (XSA 25) CVE-2012-4544-xsa25.patch - bnc#779212 - CVE-2012-4411: XEN / qemu: guest administrator can access qemu monitor console (XSA-19) CVE-2012-4411-xsa19.patch - bnc#786516 - CVE-2012-4535: xen: Timer overflow DoS vulnerability CVE-2012-4535-xsa20.patch - bnc#786518 - CVE-2012-4536: xen: pirq range check DoS vulnerability CVE-2012-4536-xsa21.patch - bnc#786517 - CVE-2012-4537: xen: Memory mapping failure DoS vulnerability CVE-2012-4537-xsa22.patch - bnc#786519 - CVE-2012-4538: xen: Unhooking empty PAE entries DoS vulnerability CVE-2012-4538-xsa23.patch - bnc#786520 - CVE-2012-4539: xen: Grant table hypercall infinite loop DoS vulnerability CVE-2012-4539-xsa24.patch - bnc#784087 - L3: Xen BUG at io_apic.c:129 26102-x86-IOAPIC-legacy-not-first.patch - Upstream patches from Jan 26054-x86-AMD-perf-ctr-init.patch 26055-x86-oprof-hvm-mode.patch 26056-page-alloc-flush-filter.patch 26061-x86-oprof-counter-range.patch 26062-ACPI-ERST-move-data.patch 26063-x86-HPET-affinity-lock.patch 26093-HVM-PoD-grant-mem-type.patch - Upstream patches from Jan 25931-x86-domctl-iomem-mapping-checks.patch 25952-x86-MMIO-remap-permissions.patch - Upstream patches from Jan 25808-domain_create-return-value.patch 25814-x86_64-set-debugreg-guest.patch 25815-x86-PoD-no-bug-in-non-translated.patch 25816-x86-hvm-map-pirq-range-check.patch 25833-32on64-bogus-pt_base-adjust.patch 25834-x86-S3-MSI-resume.patch 25835-adjust-rcu-lock-domain.patch 25836-VT-d-S3-MSI-resume.patch 25850-tmem-xsa-15-1.patch 25851-tmem-xsa-15-2.patch 25852-tmem-xsa-15-3.patch 25853-tmem-xsa-15-4.patch 25854-tmem-xsa-15-5.patch 25855-tmem-xsa-15-6.patch 25856-tmem-xsa-15-7.patch 25857-tmem-xsa-15-8.patch 25858-tmem-xsa-15-9.patch 25859-tmem-missing-break.patch 25860-tmem-cleanup.patch 25883-pt-MSI-cleanup.patch 25927-x86-domctl-ioport-mapping-range.patch 25929-tmem-restore-pool-version.patch - bnc#778105 - first XEN-PV VM fails to spawn xend: Increase wait time for disk to appear in host bootloader Modified existing xen-domUloader.diff - Upstream patches from Jan 25752-ACPI-pm-op-valid-cpu.patch 25754-x86-PoD-early-access.patch 25755-x86-PoD-types.patch 25756-x86-MMIO-max-mapped-pfn.patch 25757-x86-EPT-PoD-1Gb-assert.patch 25764-x86-unknown-cpu-no-sysenter.patch 25765-x86_64-allow-unsafe-adjust.patch 25771-grant-copy-status-paged-out.patch 25773-x86-honor-no-real-mode.patch 25786-x86-prefer-multiboot-meminfo-over-e801.patch - bnc#777890 - CVE-2012-3497: xen: multiple TMEM hypercall vulnerabilities (XSA-15) CVE-2012-3497-tmem-xsa-15-1.patch CVE-2012-3497-tmem-xsa-15-2.patch CVE-2012-3497-tmem-xsa-15-3.patch CVE-2012-3497-tmem-xsa-15-4.patch CVE-2012-3497-tmem-xsa-15-5.patch CVE-2012-3497-tmem-xsa-15-6.patch CVE-2012-3497-tmem-xsa-15-7.patch CVE-2012-3497-tmem-xsa-15-8.patch CVE-2012-3497-tmem-xsa-15-9.patch tmem-missing-break.patch
last seen	2020-06-05
modified	2014-06-13
plugin id	74820
published	2014-06-13
reporter	This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/74820
title	openSUSE Security Update : XEN (openSUSE-SU-2012:1572-1)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-1590-1.NASL
description	It was discovered that QEMU incorrectly handled certain VT100 escape sequences. A guest user with access to an emulated character device could use this flaw to cause QEMU to crash, or possibly execute arbitrary code on the host. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	62408
published	2012-10-03
reporter	Ubuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/62408
title	Ubuntu 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : qemu-kvm vulnerability (USN-1590-1)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20120905_XEN_ON_SL5_X.NASL
description	The xen packages contain administration tools and the xend service for managing the kernel-xen kernel for virtualization on Red Hat Enterprise Linux. A flaw was found in the way QEMU handled VT100 terminal escape sequences when emulating certain character devices. A guest user with privileges to write to a character device that is emulated on the host using a virtual console back-end could use this flaw to crash the qemu process on the host or, possibly, escalate their privileges on the host. (CVE-2012-3515) This flaw did not affect the default use of the Xen hypervisor implementation in Red Hat Enterprise Linux 5. This problem only affected fully-virtualized guests that have a serial or parallel device that uses a virtual console (vc) back-end. By default, the virtual console back-end is not used for such devices; only guests explicitly configured to use them in this way were affected. All users of xen are advised to upgrade to these updated packages, which correct this issue. After installing the updated packages, all fully-virtualized guests must be restarted for this update to take effect.
last seen	2020-03-18
modified	2012-09-06
plugin id	61796
published	2012-09-06
reporter	This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/61796
title	Scientific Linux Security Update : xen on SL5.x i386/x86_64 (20120905)

Redhat

advisories

bugzilla

id	851252
title	CVE-2012-3515 qemu: VT100 emulation vulnerability

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 6 is installed
oval oval:com.redhat.rhba:tst:20111656003

AND

comment qemu-guest-agent is earlier than 2:0.12.1.2-2.295.el6_3.2
oval oval:com.redhat.rhsa:tst:20121234001
comment qemu-guest-agent is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20121234002

AND
comment qemu-kvm is earlier than 2:0.12.1.2-2.295.el6_3.2
oval oval:com.redhat.rhsa:tst:20121234003
comment qemu-kvm is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110345004
AND
comment qemu-img is earlier than 2:0.12.1.2-2.295.el6_3.2
oval oval:com.redhat.rhsa:tst:20121234005
comment qemu-img is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110345006

AND

comment qemu-kvm-tools is earlier than 2:0.12.1.2-2.295.el6_3.2
oval oval:com.redhat.rhsa:tst:20121234007
comment qemu-kvm-tools is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110345002

rhsa

id	RHSA-2012:1234
released	2012-09-05
severity	Important
title	RHSA-2012:1234: qemu-kvm security update (Important)

bugzilla

id	851252
title	CVE-2012-3515 qemu: VT100 emulation vulnerability

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND
comment kvm-tools is earlier than 0:83-249.el5_8.5
oval oval:com.redhat.rhsa:tst:20121235001
comment kvm-tools is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20091465002
AND
comment kvm-qemu-img is earlier than 0:83-249.el5_8.5
oval oval:com.redhat.rhsa:tst:20121235003
comment kvm-qemu-img is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20091465008
AND
comment kmod-kvm-debug is earlier than 0:83-249.el5_8.5
oval oval:com.redhat.rhsa:tst:20121235005
comment kmod-kvm-debug is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20110028004
AND
comment kmod-kvm is earlier than 0:83-249.el5_8.5
oval oval:com.redhat.rhsa:tst:20121235007
comment kmod-kvm is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20091465004
AND
comment kvm is earlier than 0:83-249.el5_8.5
oval oval:com.redhat.rhsa:tst:20121235009
comment kvm is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20091465006

rhsa

id	RHSA-2012:1235
released	2012-09-05
severity	Important
title	RHSA-2012:1235: kvm security update (Important)

bugzilla

id	851252
title	CVE-2012-3515 qemu: VT100 emulation vulnerability

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 5 is installed
oval oval:com.redhat.rhba:tst:20070331005

AND
comment xen is earlier than 0:3.0.3-135.el5_8.5
oval oval:com.redhat.rhsa:tst:20121236001
comment xen is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070114004
AND
comment xen-devel is earlier than 0:3.0.3-135.el5_8.5
oval oval:com.redhat.rhsa:tst:20121236003
comment xen-devel is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070114006
AND
comment xen-libs is earlier than 0:3.0.3-135.el5_8.5
oval oval:com.redhat.rhsa:tst:20121236005
comment xen-libs is signed with Red Hat redhatrelease key
oval oval:com.redhat.rhsa:tst:20070114002

rhsa

id	RHSA-2012:1236
released	2012-09-05
severity	Important
title	RHSA-2012:1236: xen security update (Important)

rhsa
id RHSA-2012:1233
rhsa
id RHSA-2012:1262
rhsa
id RHSA-2012:1325

rpms

qemu-img-rhev-2:0.12.1.2-2.295.el6_3.2
qemu-kvm-rhev-2:0.12.1.2-2.295.el6_3.2
qemu-kvm-rhev-debuginfo-2:0.12.1.2-2.295.el6_3.2
qemu-kvm-rhev-tools-2:0.12.1.2-2.295.el6_3.2
qemu-guest-agent-2:0.12.1.2-2.295.el6_3.2
qemu-img-2:0.12.1.2-2.295.el6_3.2
qemu-kvm-2:0.12.1.2-2.295.el6_3.2
qemu-kvm-debuginfo-2:0.12.1.2-2.295.el6_3.2
qemu-kvm-tools-2:0.12.1.2-2.295.el6_3.2
kmod-kvm-0:83-249.el5_8.5
kmod-kvm-debug-0:83-249.el5_8.5
kvm-0:83-249.el5_8.5
kvm-debuginfo-0:83-249.el5_8.5
kvm-qemu-img-0:83-249.el5_8.5
kvm-tools-0:83-249.el5_8.5
xen-0:3.0.3-135.el5_8.5
xen-debuginfo-0:3.0.3-135.el5_8.5
xen-devel-0:3.0.3-135.el5_8.5
xen-libs-0:3.0.3-135.el5_8.5
rhev-hypervisor6-0:6.3-20120926.0.el6_3

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

References