Vulnerabilities > CVE-2014-0223 - Numeric Errors vulnerability in multiple products

CVSS: not scored on this page. The placeholder shows 0.0 with attack vector, attack complexity, privileges required and the confidentiality, integrity and availability impacts all recorded as UNKNOWN; the Nessus plugins listed below carry their own vectors.

Summary

Integer overflow in the qcow_open function in block/qcow.c in QEMU before 1.7.2 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read. In practice the "local user" is whoever can supply or alter a QCOW version 1 image that QEMU opens (for example a disk image attached to a guest): the oversized value in the image header drives an allocation-size calculation inside the host QEMU process, which is why the distribution advisories below rate the outcome as memory corruption, and potentially code execution, with the privileges of that process.
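The summary names the flaw but not the arithmetic behind it. The following C program is an added example, not QEMU's code and not the upstream fix: it models the L1-table sizing step that qcow_open() performs on a QCOW version 1 header, shows how a hostile image size collapses the unchecked entry count, and places the checked computation a reviewer would want beside it. The 48-byte header layout is the real QCOW1 on-disk format (big-endian fields); the limits on cluster_bits and l2_bits (9..16), the 32 MiB cap on the L1 table, the constructed sample headers and every function name are assumptions made for this example.

```c
/* Added example, not QEMU's code and not the upstream patch. It models the
 * L1-table sizing step of qcow_open() in block/qcow.c for a QCOW version 1
 * header and shows the checks that close the CVE-2014-0223 integer overflow.
 * The header layout is the QCOW1 on-disk format (big-endian fields); the
 * field limits, the allocation cap and all function names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QCOW_MAGIC       0x514649fbU           /* "QFI\xfb" */
#define QCOW1_HEADER_LEN 48
#define MAX_L1_BYTES     (32u * 1024u * 1024u) /* assumed cap on the L1 table */

struct qcow1_header {
    uint32_t magic, version;
    uint64_t backing_file_offset;
    uint32_t backing_file_size, mtime;
    uint64_t size;                  /* virtual disk size in bytes: attacker-controlled */
    uint8_t  cluster_bits, l2_bits; /* log2 of cluster size / of entries per L2 table */
    uint16_t padding;
    uint32_t crypt_method;
    uint64_t l1_table_offset;
};

static uint32_t be32(const uint8_t *p) { return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]; }
static uint64_t be64(const uint8_t *p) { return (uint64_t)be32(p) << 32 | be32(p + 4); }
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (24 - 8 * i)); }
static void put64(uint8_t *p, uint64_t v) { put32(p, (uint32_t)(v >> 32)); put32(p + 4, (uint32_t)v); }

/* Parse a raw header; true only for a version-1 image carrying the QCOW magic. */
bool qcow1_parse_header(const uint8_t *buf, size_t len, struct qcow1_header *h)
{
    if (len < QCOW1_HEADER_LEN) return false;
    h->magic = be32(buf);                  h->version = be32(buf + 4);
    h->backing_file_offset = be64(buf + 8);
    h->backing_file_size = be32(buf + 16); h->mtime = be32(buf + 20);
    h->size = be64(buf + 24);
    h->cluster_bits = buf[32];             h->l2_bits = buf[33];
    h->padding = (uint16_t)(buf[34] << 8 | buf[35]);
    h->crypt_method = be32(buf + 36);      h->l1_table_offset = be64(buf + 40);
    return h->magic == QCOW_MAGIC && h->version == 1;
}

/* Vulnerable pattern: the L1 entry count is derived from the untrusted 64-bit
 * size with no range check and stored in an int. A huge size wraps the rounding
 * addition (or truncates on conversion), so the count that sizes the following
 * allocation and read is tiny while later code assumes the real geometry and
 * runs past the buffer. Only meaningful for cluster_bits + l2_bits < 64. */
int l1_size_unchecked(const struct qcow1_header *h)
{
    int shift = h->cluster_bits + h->l2_bits;
    return (int)((h->size + (1LL << shift) - 1) >> shift);
}

/* Hardened version: bound each field the computation depends on, keep the
 * arithmetic in 64 bits with an explicit wrap check, and cap the allocation.
 * Returns the entry count, or -1 when the header must be rejected. */
int64_t l1_size_checked(const struct qcow1_header *h)
{
    if (h->cluster_bits < 9 || h->cluster_bits > 16) return -1; /* 512 B..64 KiB clusters (assumed) */
    if (h->l2_bits < 9 || h->l2_bits > 16) return -1;           /* 2^9..2^16 L2 entries (assumed) */
    unsigned shift = (unsigned)h->cluster_bits + h->l2_bits;    /* 18..32, so the shift is defined */
    uint64_t round = (UINT64_C(1) << shift) - 1;
    if (h->size > UINT64_MAX - round) return -1;                /* size + round would wrap */
    uint64_t entries = (h->size + round) >> shift;
    if (entries > MAX_L1_BYTES / sizeof(uint64_t)) return -1;  /* would allocate too much */
    return (int64_t)entries;
}

/* Constructed 48-byte header (sample input for this example, not a real image). */
void qcow1_build_header(uint8_t out[QCOW1_HEADER_LEN], uint64_t size, uint8_t cluster_bits, uint8_t l2_bits)
{
    memset(out, 0, QCOW1_HEADER_LEN);
    put32(out, QCOW_MAGIC);  put32(out + 4, 1);
    put64(out + 24, size);
    out[32] = cluster_bits;  out[33] = l2_bits;
    put64(out + 40, QCOW1_HEADER_LEN); /* L1 table right after the header */
}

/* Build, parse and size one header on the vulnerable path and on the checked path. */
int unchecked_for(uint64_t size, uint8_t cluster_bits, uint8_t l2_bits)
{
    uint8_t b[QCOW1_HEADER_LEN]; struct qcow1_header h;
    qcow1_build_header(b, size, cluster_bits, l2_bits);
    return qcow1_parse_header(b, sizeof b, &h) ? l1_size_unchecked(&h) : -1;
}
int64_t checked_for(uint64_t size, uint8_t cluster_bits, uint8_t l2_bits)
{
    uint8_t b[QCOW1_HEADER_LEN]; struct qcow1_header h;
    qcow1_build_header(b, size, cluster_bits, l2_bits);
    return qcow1_parse_header(b, sizeof b, &h) ? l1_size_checked(&h) : -1;
}

int main(void)
{
    /* 1 GiB image, 4 KiB clusters, 512-entry L2 tables: both paths give 512 entries. */
    printf("sane:    unchecked=%d checked=%lld\n",
           unchecked_for(UINT64_C(1) << 30, 12, 9), (long long)checked_for(UINT64_C(1) << 30, 12, 9));
    /* Size 2^64-1: the rounding addition wraps and the unchecked path sizes the table at 0. */
    printf("hostile: unchecked=%d checked=%lld\n",
           unchecked_for(UINT64_MAX, 12, 9), (long long)checked_for(UINT64_MAX, 12, 9));
    return 0;
}
```

The point of the checked path is that every quantity feeding the allocation is validated before it is used: the shift width is bounded so that 1 << shift is defined, the rounding addition is tested for wrap before it happens, and the final entry count is compared against an explicit budget rather than silently narrowed into an int. Any one of those checks would have turned the hostile header into a clean open failure instead of a mis-sized buffer.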

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2014-0927.NASL
    description: Updated qemu-kvm packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way virtio, virtio-net, virtio-scsi, usb, and hpet drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) These issues were discovered by Michael S. Tsirkin, Anthony Liguori and Michael Roth of Red Hat: CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461. This update also fixes the following bugs : * Previously, QEMU did not free pre-allocated zero clusters correctly and the clusters under some circumstances leaked. With this update, pre-allocated zero clusters are freed appropriately and the cluster leaks no longer occur. (BZ#1110188) * Prior to this update, the QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault and QEMU to fail. This update fixes the related code and QEMU no longer crashes in the described situation. (BZ#1110191) * Previously, when a guest device was hot unplugged, QEMU correctly removed the corresponding file descriptor watch but did not re-create it after the device was re-connected. As a consequence, the guest became unable to receive any data from the host over this device. With this update, the file descriptor
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 76839
    published: 2014-07-26
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/76839
    title: CentOS 7 : qemu-kvm (CESA-2014:0927)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2014:0927 and 
    # CentOS Errata and Security Advisory 2014:0927 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(76839);
      script_version("1.10");
      script_cvs_date("Date: 2020/02/13");
    
      script_cve_id("CVE-2013-4148", "CVE-2013-4149", "CVE-2013-4150", "CVE-2013-4151", "CVE-2013-4527", "CVE-2013-4529", "CVE-2013-4535", "CVE-2013-4536", "CVE-2013-4541", "CVE-2013-4542", "CVE-2013-6399", "CVE-2014-0182", "CVE-2014-0222", "CVE-2014-0223", "CVE-2014-3461");
      script_xref(name:"RHSA", value:"2014:0927");
    
      script_name(english:"CentOS 7 : qemu-kvm (CESA-2014:0927)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated qemu-kvm packages that fix multiple security issues and
    various bugs are now available for Red Hat Enterprise Linux 7.
    
    The Red Hat Security Response Team has rated this update as having
    Moderate security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    KVM (Kernel-based Virtual Machine) is a full virtualization solution
    for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides
    the user-space component for running virtual machines using KVM.
    
    Two integer overflow flaws were found in the QEMU block driver for
    QCOW version 1 disk images. A user able to alter the QEMU disk image
    files loaded by a guest could use either of these flaws to corrupt
    QEMU process memory on the host, which could potentially result in
    arbitrary code execution on the host with the privileges of the QEMU
    process. (CVE-2014-0222, CVE-2014-0223)
    
    Multiple buffer overflow, input validation, and out-of-bounds write
    flaws were found in the way virtio, virtio-net, virtio-scsi, usb, and
    hpet drivers of QEMU handled state loading after migration. A user
    able to alter the savevm data (either on the disk or over the wire
    during migration) could use either of these flaws to corrupt QEMU
    process memory on the (destination) host, which could potentially
    result in arbitrary code execution on the host with the privileges of
    the QEMU process. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150,
    CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535,
    CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399,
    CVE-2014-0182, CVE-2014-3461)
    
    These issues were discovered by Michael S. Tsirkin, Anthony Liguori
    and Michael Roth of Red Hat: CVE-2013-4148, CVE-2013-4149,
    CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529,
    CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542,
    CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461.
    
    This update also fixes the following bugs :
    
    * Previously, QEMU did not free pre-allocated zero clusters correctly
    and the clusters under some circumstances leaked. With this update,
    pre-allocated zero clusters are freed appropriately and the cluster
    leaks no longer occur. (BZ#1110188)
    
    * Prior to this update, the QEMU command interface did not properly
    handle resizing of cache memory during guest migration, causing QEMU
    to terminate unexpectedly with a segmentation fault and QEMU to fail.
    This update fixes the related code and QEMU no longer crashes in the
    described situation. (BZ#1110191)
    
    * Previously, when a guest device was hot unplugged, QEMU correctly
    removed the corresponding file descriptor watch but did not re-create
    it after the device was re-connected. As a consequence, the guest
    became unable to receive any data from the host over this device. With
    this update, the file descriptor's watch is re-created and the guest
    in the above scenario can communicate with the host as expected.
    (BZ#1110219)
    
    * Previously, the QEMU migration code did not account for the gaps
    caused by hot unplugged devices and thus expected more memory to be
    transferred during migrations. As a consequence, guest migration
    failed to complete after multiple devices were hot unplugged. In
    addition, the migration info text displayed erroneous values for the
    'remaining ram' item. With this update, QEMU calculates memory after a
    device has been unplugged correctly, and any subsequent guest
    migrations proceed as expected. (BZ#1110189)
    
    All qemu-kvm users are advised to upgrade to these updated packages,
    which contain backported patches to correct these issues. After
    installing this update, shut down all running virtual machines. Once
    all virtual machines have shut down, start them again for this update
    to take effect."
      );
      # https://lists.centos.org/pipermail/centos-announce/2014-July/020447.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b27fa7f4"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected qemu-kvm packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-4148");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libcacard");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libcacard-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:libcacard-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-img");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-kvm-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-kvm-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/11/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2014/07/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libcacard-1.5.3-60.el7_0.5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libcacard-devel-1.5.3-60.el7_0.5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"libcacard-tools-1.5.3-60.el7_0.5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"qemu-guest-agent-1.5.3-60.el7_0.5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"qemu-img-1.5.3-60.el7_0.5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"qemu-kvm-1.5.3-60.el7_0.5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"qemu-kvm-common-1.5.3-60.el7_0.5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"qemu-kvm-tools-1.5.3-60.el7_0.5")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libcacard / libcacard-devel / libcacard-tools / qemu-guest-agent / etc");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3044.NASL
    description: Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware : - Various security issues have been found in the block qemu drivers. Malformed disk images might result in the execution of arbitrary code. - A NULL pointer dereference in SLIRP may result in denial of service - An information leak was discovered in the VGA emulation
    last seen: 2020-03-17
    modified: 2014-10-06
    plugin id: 78045
    published: 2014-10-06
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78045
    title: Debian DSA-3044-1 : qemu-kvm - security update
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20140819_QEMU_KVM_ON_SL6_X.NASL
    description: Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) This update also fixes the following bugs : - In certain scenarios, when performing live incremental migration, the disk size could be expanded considerably due to the transfer of unallocated sectors past the end of the base image. With this update, the bdrv_is_allocated() function has been fixed to no longer return
    last seen: 2020-03-18
    modified: 2014-08-20
    plugin id: 77272
    published: 2014-08-20
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77272
    title: Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64 (20140819)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2014-1168.NASL
    description: An updated rhev-hypervisor6 package that fixes three security issues and one bug is now available. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: a subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent. Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions. A NULL pointer dereference flaw was found in the way the Linux kernel
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79048
    published: 2014-11-08
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79048
    title: RHEL 6 : rhev-hypervisor6 (RHSA-2014:1168)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2014-1075.NASL
    description: From Red Hat Security Advisory 2014:1075 : Updated qemu-kvm packages that fix two security issues and three bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Red Hat would like to thank NSA for reporting these issues. This update also fixes the following bugs : * In certain scenarios, when performing live incremental migration, the disk size could be expanded considerably due to the transfer of unallocated sectors past the end of the base image. With this update, the bdrv_is_allocated() function has been fixed to no longer return
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77270
    published: 2014-08-20
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77270
    title: Oracle Linux 6 : qemu-kvm (ELSA-2014-1075)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2342-1.NASL
    description: Michael S. Tsirkin, Anthony Liguori, and Michael Roth discovered multiple issues with QEMU state loading after migration. An attacker able to modify the state data could use these issues to cause a denial of service, or possibly execute arbitrary code. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4526, CVE-2013-4527, CVE-2013-4529, CVE-2013-4530, CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534, CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538, CVE-2013-4539, CVE-2013-4540, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) Kevin Wolf, Stefan Hajnoczi, Fam Zheng, Jeff Cody, Stefan Hajnoczi, and others discovered multiple issues in the QEMU block drivers. An attacker able to modify disk images could use these issues to cause a denial of service, or possibly execute arbitrary code. (CVE-2014-0142, CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0222, CVE-2014-0223) It was discovered that QEMU incorrectly handled certain PCIe bus hotplug operations. A malicious guest could use this issue to crash the QEMU host, resulting in a denial of service. (CVE-2014-3471). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77570
    published: 2014-09-09
    reporter: Ubuntu Security Notice (C) 2014-2020 Canonical, Inc. / NASL script (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77570
    title: Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : qemu, qemu-kvm vulnerabilities (USN-2342-1)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2014-0927.NASL
    description: From Red Hat Security Advisory 2014:0927 : Updated qemu-kvm packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way virtio, virtio-net, virtio-scsi, usb, and hpet drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) These issues were discovered by Michael S. Tsirkin, Anthony Liguori and Michael Roth of Red Hat: CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461. This update also fixes the following bugs : * Previously, QEMU did not free pre-allocated zero clusters correctly and the clusters under some circumstances leaked. With this update, pre-allocated zero clusters are freed appropriately and the cluster leaks no longer occur. (BZ#1110188) * Prior to this update, the QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault and QEMU to fail. This update fixes the related code and QEMU no longer crashes in the described situation. (BZ#1110191) * Previously, when a guest device was hot unplugged, QEMU correctly removed the corresponding file descriptor watch but did not re-create it after the device was re-connected. As a consequence, the guest became unable to receive any data from the host over this device. With this update, the file descriptor
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 76748
    published: 2014-07-24
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/76748
    title: Oracle Linux 7 : qemu-kvm (ELSA-2014-0927)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2014-220.NASL
    description: Updated qemu packages fix security vulnerabilities : Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host (CVE-2013-4544). Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147). A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0150). A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0142). A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0146). It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0148). An out-of-bounds memory access flaw was found in the way QEMU
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79407
    published: 2014-11-23
    reporter: This script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/79407
    title: Mandriva Linux Security Advisory : qemu (MDVSA-2014:220)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2014-1076.NASL
    description: Updated qemu-kvm-rhev packages that fix two security issues and one bug are now available for Red Hat Enterprise Virtualization. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Red Hat would like to thank NSA for reporting these issues. This update also fixes the following bug : * In certain scenarios, when performing live incremental migration, the disk size could be expanded considerably due to the transfer of unallocated sectors past the end of the base image. With this update, the bdrv_is_allocated() function has been fixed to no longer return
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79041
    published: 2014-11-08
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79041
    title: RHEL 6 : qemu-kvm-rhev (RHSA-2014:1076)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2014-1075.NASL
    description: Updated qemu-kvm packages that fix two security issues and three bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Red Hat would like to thank NSA for reporting these issues. This update also fixes the following bugs : * In certain scenarios, when performing live incremental migration, the disk size could be expanded considerably due to the transfer of unallocated sectors past the end of the base image. With this update, the bdrv_is_allocated() function has been fixed to no longer return
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77286
    published: 2014-08-21
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77286
    title: CentOS 6 : qemu-kvm (CESA-2014:1075)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3045.NASL
    description: Several vulnerabilities were discovered in qemu, a fast processor emulator : - Various security issues have been found in the block qemu drivers. Malformed disk images might result in the execution of arbitrary code. - A NULL pointer dereference in SLIRP may result in denial of service - An information leak was discovered in the VGA emulation
    last seen: 2020-03-17
    modified: 2014-10-06
    plugin id: 78046
    published: 2014-10-06
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/78046
    title: Debian DSA-3045-1 : qemu - security update
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2014-0927.NASL
    description: Updated qemu-kvm packages that fix multiple security issues and various bugs are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way virtio, virtio-net, virtio-scsi, usb, and hpet drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) These issues were discovered by Michael S. Tsirkin, Anthony Liguori and Michael Roth of Red Hat: CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4527, CVE-2013-4529, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461. This update also fixes the following bugs : * Previously, QEMU did not free pre-allocated zero clusters correctly and the clusters under some circumstances leaked. With this update, pre-allocated zero clusters are freed appropriately and the cluster leaks no longer occur. (BZ#1110188) * Prior to this update, the QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault and QEMU to fail. This update fixes the related code and QEMU no longer crashes in the described situation. (BZ#1110191) * Previously, when a guest device was hot unplugged, QEMU correctly removed the corresponding file descriptor watch but did not re-create it after the device was re-connected. As a consequence, the guest became unable to receive any data from the host over this device. With this update, the file descriptor
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 76907
    published: 2014-07-30
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/76907
    title: RHEL 7 : qemu-kvm (RHSA-2014:0927)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2015-0929-1.NASL
    description: KVM was updated to fix the following security issues : CVE-2015-3456: Buffer overflow in the floppy drive emulation, which could be used to carry out denial of service attacks or potential code execution against the host. This vulnerability is also known as VENOM. CVE-2014-0222: Integer overflow in the qcow_open function in block/qcow.c in QEMU allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image. CVE-2014-0223: Integer overflow in the qcow_open function in block/qcow.c in QEMU allowed local users to cause a denial of service (crash) and possibly execute arbitrary code via a large image size, which triggers a buffer overflow or out-of-bounds read. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 83854
    published: 2015-05-27
    reporter: This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/83854
    title: SUSE SLES11 Security Update : KVM (SUSE-SU-2015:0929-1) (Venom)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2014-1075.NASL
    description: Updated qemu-kvm packages that fix two security issues and three bugs are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222, CVE-2014-0223) Red Hat would like to thank NSA for reporting these issues. This update also fixes the following bugs : * In certain scenarios, when performing live incremental migration, the disk size could be expanded considerably due to the transfer of unallocated sectors past the end of the base image. With this update, the bdrv_is_allocated() function has been fixed to no longer return
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77271
    published: 2014-08-20
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77271
    title: RHEL 6 : qemu-kvm (RHSA-2014:1075)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_KVM-140919.NASL
    description: kvm has been updated to fix issues in the embedded qemu : - An integer overflow flaw was found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could have used this flaw to corrupt QEMU process memory on the host, which could potentially have resulted in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0223) - A user able to alter the savevm data (either on the disk or over the wire during migration) could have used this flaw to corrupt QEMU process memory on the (destination) host, which could have potentially resulted in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-3461) - An integer overflow flaw was found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could have used this flaw to corrupt QEMU process memory on the host, which could have potentially resulted in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0222) Non-security bugs fixed : - Fix exceeding IRQ routes that could have caused freezes of guests. (bnc#876842) - Fix CPUID emulation bugs that may have broken Windows guests with newer -cpu types (bnc#886535)
    last seen: 2020-06-05
    modified: 2014-10-09
    plugin id: 78105
    published: 2014-10-09
    reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/78105
    title: SuSE 11.3 Security Update : kvm (SAT Patch Number 9739)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201408-17.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201408-17 (QEMU: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77461
    published: 2014-08-30
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/77461
    title: GLSA-201408-17 : QEMU: Multiple vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2014-6970.NASL
    description: - QCOW1 validation CVEs: CVE-2014-0222, CVE-2014-0223 (bz #1097232, bz #1097238, bz #1097222, bz #1097216) - CVE-2014-3461: Issues in USB post load checks (bz #1097260, bz #1096821) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2014-06-10
    plugin id: 74414
    published: 2014-06-10
    reporter: This script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/74414
    title: Fedora 20 : qemu-1.6.2-6.fc20 (2014-6970)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2015-061.NASL
    description: Updated qemu packages fix multiple security vulnerabilities : Sibiao Luo discovered that QEMU incorrectly handled device hot-unplugging. A local user could possibly use this flaw to cause a denial of service (CVE-2013-4377). Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host (CVE-2013-4544). Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147). A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0150). A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0142). A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0146). It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0148).
    An out-of-bounds memory access flaw was found in the way QEMU
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 81944
    published: 2015-03-19
    reporter: This script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/81944
    title: Mandriva Linux Security Advisory : qemu (MDVSA-2015:061)
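The advisories above name the two QCOW version 1 flaws (a large image size for CVE-2014-0223, a large L2 table for CVE-2014-0222) without showing the arithmetic that goes wrong. The following C is an added illustration written for this page; it is not QEMU's code and not part of any advisory. It models the on-disk QCOW1 header fields and the L1-table sizing an open routine derives from them: the unchecked variant rounds the 64-bit `size` field up to a count of L1 entries and stores that count in an `int`, so a huge size wraps to a small count and any table allocated from it is far too small for the offsets later computed from the same `size` (on gcc and clang the out-of-range conversion reduces modulo 2^32, which is what the example relies on). The hardened variant bounds `cluster_bits` and `l2_bits` first, then does the rounding and the allocation-size check in 64-bit arithmetic before narrowing. The header byte layout follows the QCOW1 format; the accepted bit ranges, the `-EINVAL`/`-EFBIG` return codes, the function names and the constructed header values are this example's own assumptions, not QEMU's actual fix.

```c
/* Added example (not QEMU code): QCOW1 header sizing, unchecked vs. hardened.
 * Assumptions: 48-byte big-endian QCOW1 header; limits below are this
 * example's own choices. */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QCOW1_HEADER_LEN 48
#define QCOW1_MAGIC 0x514649fbu   /* "QFI\xfb" */

/* Geometry a hardened open would derive from a QCOW1 header. */
struct qcow1_geometry {
    uint64_t size;               /* guest-visible image size in bytes */
    unsigned cluster_bits, l2_bits;
    int l1_size;                 /* number of 8-byte L1 table entries */
};

static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static uint64_t be64(const uint8_t *p) { return (uint64_t)be32(p) << 32 | be32(p + 4); }
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}
static void put64(uint8_t *p, uint64_t v) { put32(p, (uint32_t)(v >> 32)); put32(p + 4, (uint32_t)v); }

/* Build a constructed (not captured) QCOW1 header. Offsets: magic 0, version 4,
 * backing_file_offset 8, backing_file_size 16, mtime 20, size 24,
 * cluster_bits 32, l2_bits 33, padding 34, crypt_method 36, l1_table_offset 40. */
void qcow1_make_header(uint8_t *buf, uint64_t size, unsigned cluster_bits, unsigned l2_bits)
{
    memset(buf, 0, QCOW1_HEADER_LEN);
    put32(buf + 0, QCOW1_MAGIC);
    put32(buf + 4, 1);                  /* version 1 */
    put64(buf + 24, size);
    buf[32] = (uint8_t)cluster_bits;
    buf[33] = (uint8_t)l2_bits;
    put64(buf + 40, QCOW1_HEADER_LEN);  /* L1 table directly after the header */
}

/* Pre-fix style arithmetic: the L1 entry count is rounded up in 64 bits and
 * then narrowed to int, so a large 'size' silently wraps to a small count
 * (the "large image size" path the advisories describe). */
int qcow1_l1_size_unchecked(uint64_t size, unsigned cluster_bits, unsigned l2_bits)
{
    unsigned shift = cluster_bits + l2_bits;
    int l1_size = (size + (1LL << shift) - 1) >> shift;  /* narrowing wrap */
    return l1_size;
}

/* Hardened open: 0 on success, negative errno on rejection. */
int qcow1_parse_header(const uint8_t *buf, size_t len, struct qcow1_geometry *g)
{
    if (len < QCOW1_HEADER_LEN) return -EINVAL;
    if (be32(buf) != QCOW1_MAGIC || be32(buf + 4) != 1) return -EINVAL;

    unsigned cluster_bits = buf[32], l2_bits = buf[33];
    /* Assumed limits: clusters 512 B..64 KiB; an L2 table is one cluster of
     * 8-byte entries, so l2_bits is bounded with it ("large L2 table" path). */
    if (cluster_bits < 9 || cluster_bits > 16) return -EINVAL;
    if (l2_bits < 9 - 3 || l2_bits > 16 - 3) return -EINVAL;

    uint64_t size = be64(buf + 24);
    unsigned shift = cluster_bits + l2_bits;              /* at most 29 here */
    uint64_t round = (UINT64_C(1) << shift) - 1;
    if (size > UINT64_MAX - round) return -EFBIG;         /* size + round would wrap */
    uint64_t l1_entries = (size + round) >> shift;
    /* The allocation l1_size * sizeof(uint64_t) must itself fit in an int. */
    if (l1_entries > (uint64_t)(INT_MAX / sizeof(uint64_t))) return -EFBIG;

    g->size = size; g->cluster_bits = cluster_bits; g->l2_bits = l2_bits;
    g->l1_size = (int)l1_entries;                         /* now provably in range */
    return 0;
}

/* Build a header for (size, bits) and parse it: returns l1_size on success,
 * or the parser's negative errno. */
int qcow1_check(uint64_t size, unsigned cluster_bits, unsigned l2_bits)
{
    uint8_t hdr[QCOW1_HEADER_LEN];
    struct qcow1_geometry g;
    qcow1_make_header(hdr, size, cluster_bits, l2_bits);
    int rc = qcow1_parse_header(hdr, sizeof hdr, &g);
    return rc < 0 ? rc : g.l1_size;
}

int main(void)
{
    /* 2^50 + 5 * 2^18 bytes with 512-byte clusters and 512-entry L2 tables:
     * 2^32 + 5 L1 entries, which an int holds as 5. */
    uint64_t huge = (UINT64_C(1) << 50) + 5 * (UINT64_C(1) << 18);
    printf("unchecked l1_size for huge image: %d entries\n", qcow1_l1_size_unchecked(huge, 9, 9));
    printf("hardened parse of huge image: %d\n", qcow1_check(huge, 9, 9));
    printf("hardened parse of 1 GiB image: l1_size=%d\n", qcow1_check(UINT64_C(1) << 30, 12, 9));
    printf("hardened parse with l2_bits=30: %d\n", qcow1_check(UINT64_C(1) << 30, 12, 30));
    return 0;
}
```

The order of the checks matters: bounding `cluster_bits` and `l2_bits` first keeps `shift` small enough that the later rounding term is meaningful, and checking `size + round` against `UINT64_MAX` before doing the addition is what stops the wrap that the unchecked variant exhibits. A real open routine would also validate `l1_table_offset` against the file size before reading the table.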

Redhat

advisories
bugzilla
id: 1123271
title: Enable ioenventfd for virtio-scsi-pci
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 6 is installed
      oval: oval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • comment: qemu-guest-agent is earlier than 2:0.12.1.2-2.415.el6_5.14
          oval: oval:com.redhat.rhsa:tst:20141075001
        • comment: qemu-guest-agent is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20121234002
      • AND
        • comment: qemu-img is earlier than 2:0.12.1.2-2.415.el6_5.14
          oval: oval:com.redhat.rhsa:tst:20141075003
        • comment: qemu-img is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20110345006
      • AND
        • comment: qemu-kvm is earlier than 2:0.12.1.2-2.415.el6_5.14
          oval: oval:com.redhat.rhsa:tst:20141075005
        • comment: qemu-kvm is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20110345004
      • AND
        • comment: qemu-kvm-tools is earlier than 2:0.12.1.2-2.415.el6_5.14
          oval: oval:com.redhat.rhsa:tst:20141075007
        • comment: qemu-kvm-tools is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20110345002
rhsa
id: RHSA-2014:1075
released: 2014-08-19
severity: Moderate
title: RHSA-2014:1075: qemu-kvm security and bug fix update (Moderate)
rpms
  • libcacard-10:1.5.3-60.el7_0.5
  • libcacard-devel-10:1.5.3-60.el7_0.5
  • libcacard-tools-10:1.5.3-60.el7_0.5
  • qemu-guest-agent-10:1.5.3-60.el7_0.5
  • qemu-img-10:1.5.3-60.el7_0.5
  • qemu-kvm-10:1.5.3-60.el7_0.5
  • qemu-kvm-common-10:1.5.3-60.el7_0.5
  • qemu-kvm-debuginfo-10:1.5.3-60.el7_0.5
  • qemu-kvm-tools-10:1.5.3-60.el7_0.5
  • qemu-guest-agent-2:0.12.1.2-2.415.el6_5.14
  • qemu-img-2:0.12.1.2-2.415.el6_5.14
  • qemu-kvm-2:0.12.1.2-2.415.el6_5.14
  • qemu-kvm-debuginfo-2:0.12.1.2-2.415.el6_5.14
  • qemu-kvm-tools-2:0.12.1.2-2.415.el6_5.14
  • qemu-img-rhev-2:0.12.1.2-2.415.el6_5.14
  • qemu-kvm-rhev-2:0.12.1.2-2.415.el6_5.14
  • qemu-kvm-rhev-debuginfo-2:0.12.1.2-2.415.el6_5.14
  • qemu-kvm-rhev-tools-2:0.12.1.2-2.415.el6_5.14
  • rhev-hypervisor6-0:6.5-20140821.1.el6ev
  • qemu-img-rhev-2:0.12.1.2-2.415.el6_5.14
  • qemu-kvm-rhev-2:0.12.1.2-2.415.el6_5.14
  • qemu-kvm-rhev-debuginfo-2:0.12.1.2-2.415.el6_5.14
  • qemu-kvm-rhev-tools-2:0.12.1.2-2.415.el6_5.14
  • libcacard-devel-rhev-10:1.5.3-60.el7_0.7
  • libcacard-rhev-10:1.5.3-60.el7_0.7
  • libcacard-tools-rhev-10:1.5.3-60.el7_0.7
  • qemu-img-rhev-10:1.5.3-60.el7_0.7
  • qemu-kvm-common-rhev-10:1.5.3-60.el7_0.7
  • qemu-kvm-rhev-10:1.5.3-60.el7_0.7
  • qemu-kvm-rhev-debuginfo-10:1.5.3-60.el7_0.7
  • qemu-kvm-tools-rhev-10:1.5.3-60.el7_0.7