Vulnerabilities > CVE-2014-2894 - Numeric Errors vulnerability in Qemu
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU before 2.0 allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20140610_QEMU_KVM_ON_SL6_X.NASL description Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-03-18 modified 2014-06-12 plugin id 74490 published 2014-06-12 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74490 title Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64 (20140610) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(74490); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25"); script_cve_id("CVE-2013-4148", "CVE-2013-4151", "CVE-2013-4535", "CVE-2013-4536", "CVE-2013-4541", "CVE-2013-4542", "CVE-2013-6399", "CVE-2014-0182", "CVE-2014-2894", "CVE-2014-3461"); script_name(english:"Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64 (20140610)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-2894) This update also fixes the following bugs : - Previously, under certain circumstances, libvirt failed to start guests which used a non-zero PCI domain and SR-IOV Virtual Functions (VFs), and returned the following error message : Can't assign device inside non-zero PCI segment as this KVM module doesn't support it. This update fixes this issue and guests using the aforementioned configuration no longer fail to start. - Due to an incorrect initialization of the cpus_sts bitmap, which holds the enablement status of a vCPU, libvirt could fail to start a guest with an unusual vCPU topology (for example, a guest with three cores and two sockets). With this update, the initialization of cpus_sts has been corrected, and libvirt no longer fails to start the aforementioned guests. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1406&L=scientific-linux-errata&T=0&P=1593 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?dcaeef5a" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:qemu-guest-agent"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:qemu-img"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:qemu-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:qemu-kvm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:qemu-kvm-tools"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/23"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL6", reference:"qemu-guest-agent-0.12.1.2-2.415.el6_5.10")) flag++; if (rpm_check(release:"SL6", cpu:"x86_64", reference:"qemu-img-0.12.1.2-2.415.el6_5.10")) flag++; if (rpm_check(release:"SL6", cpu:"x86_64", reference:"qemu-kvm-0.12.1.2-2.415.el6_5.10")) flag++; if (rpm_check(release:"SL6", reference:"qemu-kvm-debuginfo-0.12.1.2-2.415.el6_5.10")) flag++; if (rpm_check(release:"SL6", cpu:"x86_64", reference:"qemu-kvm-tools-0.12.1.2-2.415.el6_5.10")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-guest-agent / qemu-img / qemu-kvm / qemu-kvm-debuginfo / etc"); }NASL family Fedora Local Security Checks NASL id FEDORA_2014-5825.NASL description - Fix arm sd warnings with latest kernel (bz #1091548) - Fix regression in CVE backport that affects openstack (thanks lbezdick) - Fix guest startup crashes from autotest (bz #1081610) - Block/image format validation CVE-2014-0142 - 2014-0148 (bz #1078201, bz #1086710, bz #1079140, bz #1086724, bz #1079240, bz #1086735, bz #1078885, bz #1086720, bz #1078232, bz #1086713, bz #1078848, bz #1086717, bz #1078212, bz #1086712) - CVE-2014-0150: virtio-net: buffer overflow in virtio_net_handle_mac() function (bz #1086775, bz #1078846) - CVE-2013-4544: vmxnet3: bounds checking buffer overrun (bz #1087513, bz #1087522) - CVE-2014-2894: out of bounds buffer accesses, guest triggerable via IDE SMART (bz #1087981, bz #1087971) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-05-02 plugin id 73818 published 2014-05-02 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/73818 title Fedora 20 : qemu-1.6.2-4.fc20 (2014-5825) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2014-5825. # include("compat.inc"); if (description) { script_id(73818); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2013-4544", "CVE-2014-0142", "CVE-2014-0143", "CVE-2014-0144", "CVE-2014-0145", "CVE-2014-0146", "CVE-2014-0147", "CVE-2014-0148", "CVE-2014-0150", "CVE-2014-2894"); script_bugtraq_id(66464, 66472, 66480, 66481, 66483, 66484, 66486, 66821, 66932, 66955); script_xref(name:"FEDORA", value:"2014-5825"); script_name(english:"Fedora 20 : qemu-1.6.2-4.fc20 (2014-5825)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Fix arm sd warnings with latest kernel (bz #1091548) - Fix regression in CVE backport that affects openstack (thanks lbezdick) - Fix guest startup crashes from autotest (bz #1081610) - Block/image format validation CVE-2014-0142 - 2014-0148 (bz #1078201, bz #1086710, bz #1079140, bz #1086724, bz #1079240, bz #1086735, bz #1078885, bz #1086720, bz #1078232, bz #1086713, bz #1078848, bz #1086717, bz #1078212, bz #1086712) - CVE-2014-0150: virtio-net: buffer overflow in virtio_net_handle_mac() function (bz #1086775, bz #1078846) - CVE-2013-4544: vmxnet3: bounds checking buffer overrun (bz #1087513, bz #1087522) - CVE-2014-2894: out of bounds buffer accesses, guest triggerable via IDE SMART (bz #1087981, bz #1087971) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1078201" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1078212" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1078232" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1078846" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1078848" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1078885" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1079140" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1079240" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1087513" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1087971" ); # https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132409.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?a47d1447" ); script_set_attribute(attribute:"solution", value:"Update the affected qemu package."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:qemu"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20"); script_set_attribute(attribute:"patch_publication_date", value:"2014/05/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/05/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC20", reference:"qemu-1.6.2-4.fc20")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu"); }NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2014-0743.NASL description Updated qemu-kvm packages that fix multiple security issues and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 74474 published 2014-06-12 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74474 title CentOS 6 : qemu-kvm (CESA-2014:0743) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2014:0743 and # CentOS Errata and Security Advisory 2014:0743 respectively. # include("compat.inc"); if (description) { script_id(74474); script_version("1.7"); script_cvs_date("Date: 2020/02/13"); script_cve_id("CVE-2013-4148", "CVE-2013-4151", "CVE-2013-4535", "CVE-2013-4536", "CVE-2013-4541", "CVE-2013-4542", "CVE-2013-6399", "CVE-2014-0182", "CVE-2014-2894", "CVE-2014-3461"); script_bugtraq_id(66932, 66976, 67392, 67394, 67483); script_xref(name:"RHSA", value:"2014:0743"); script_name(english:"CentOS 6 : qemu-kvm (CESA-2014:0743)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated qemu-kvm packages that fix multiple security issues and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-2894) The CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, and CVE-2014-3461 issues were discovered by Michael S. Tsirkin of Red Hat, Anthony Liguori, and Michael Roth. This update also fixes the following bugs : * Previously, under certain circumstances, libvirt failed to start guests which used a non-zero PCI domain and SR-IOV Virtual Functions (VFs), and returned the following error message : Can't assign device inside non-zero PCI segment as this KVM module doesn't support it. This update fixes this issue and guests using the aforementioned configuration no longer fail to start. (BZ#1099941) * Due to an incorrect initialization of the cpus_sts bitmap, which holds the enablement status of a vCPU, libvirt could fail to start a guest with an unusual vCPU topology (for example, a guest with three cores and two sockets). With this update, the initialization of cpus_sts has been corrected, and libvirt no longer fails to start the aforementioned guests. (BZ#1100575) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect." ); # https://lists.centos.org/pipermail/centos-announce/2014-June/020364.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?50da6b5d" ); script_set_attribute( attribute:"solution", value:"Update the affected qemu-kvm packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:X/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-4148"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-guest-agent"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-img"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-kvm-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/04/23"); script_set_attribute(attribute:"patch_publication_date", value:"2014/06/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-6", reference:"qemu-guest-agent-0.12.1.2-2.415.el6_5.10")) flag++; if (rpm_check(release:"CentOS-6", cpu:"x86_64", reference:"qemu-img-0.12.1.2-2.415.el6_5.10")) flag++; if (rpm_check(release:"CentOS-6", cpu:"x86_64", reference:"qemu-kvm-0.12.1.2-2.415.el6_5.10")) flag++; if (rpm_check(release:"CentOS-6", cpu:"x86_64", reference:"qemu-kvm-tools-0.12.1.2-2.415.el6_5.10")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-guest-agent / qemu-img / qemu-kvm / qemu-kvm-tools"); }NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-220.NASL description Updated qemu packages fix security vulnerabilities : Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host (CVE-2013-4544). Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147). A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0150). A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0142). A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0146). It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0148). An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 79407 published 2014-11-23 reporter This script is Copyright (C) 2014-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79407 title Mandriva Linux Security Advisory : qemu (MDVSA-2014:220) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Mandriva Linux Security Advisory MDVSA-2014:220. # The text itself is copyright (C) Mandriva S.A. # if (NASL_LEVEL < 3000) exit(0); include("compat.inc"); if (description) { script_id(79407); script_version("1.3"); script_cvs_date("Date: 2019/08/02 13:32:56"); script_cve_id("CVE-2013-4148", "CVE-2013-4149", "CVE-2013-4150", "CVE-2013-4151", "CVE-2013-4526", "CVE-2013-4527", "CVE-2013-4529", "CVE-2013-4530", "CVE-2013-4531", "CVE-2013-4533", "CVE-2013-4534", "CVE-2013-4535", "CVE-2013-4536", "CVE-2013-4537", "CVE-2013-4538", "CVE-2013-4539", "CVE-2013-4540", "CVE-2013-4541", "CVE-2013-4542", "CVE-2013-6399", "CVE-2014-0142", "CVE-2014-0143", "CVE-2014-0144", "CVE-2014-0145", "CVE-2014-0146", "CVE-2014-0147", "CVE-2014-0148", "CVE-2014-0150", "CVE-2014-0182", "CVE-2014-0222", "CVE-2014-0223", "CVE-2014-3461", "CVE-2014-3615", "CVE-2014-3640", "CVE-2014-3689", "CVE-2014-5263", "CVE-2014-7815"); script_bugtraq_id(66464, 66472, 66480, 66481, 66483, 66484, 66486, 66821, 66976, 67357, 67391, 67392, 67394, 67483, 69247, 69654, 70237, 70997, 70998); script_xref(name:"MDVSA", value:"2014:220"); script_name(english:"Mandriva Linux Security Advisory : qemu (MDVSA-2014:220)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Mandriva Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated qemu packages fix security vulnerabilities : Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host (CVE-2013-4544). Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147). A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0150). A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0142). A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0146). It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0148). An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-2894). Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0222, CVE-2014-0223). Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461). An information leak flaw was found in the way QEMU's VGA emulator accessed frame buffer memory for high resolution displays. A privileged guest user could use this flaw to leak memory contents of the host to the guest by setting the display to use a high resolution in the guest (CVE-2014-3615). When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access Only guests using qemu user networking are affected (CVE-2014-3640). The Advanced Threat Research team at Intel Security reported that guest provided parameter were insufficiently validated in rectangle functions in the vmware-vga driver. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-3689). It was discovered that QEMU incorrectly handled USB xHCI controller live migration. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code (CVE-2014-5263). James Spadaro of Cisco reported insufficiently sanitized bits_per_pixel from the client in the QEMU VNC display driver. An attacker having access to the guest's VNC console could use this flaw to crash the guest (CVE-2014-7815). Additionally qemu-1.6+ requires usbredir-0.6+ for USB redirection support which is also being provided with this advisory." ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0426.html" ); script_set_attribute( attribute:"see_also", value:"http://advisories.mageia.org/MGASA-2014-0467.html" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64usbredirhost-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64usbredirhost1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64usbredirparser-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64usbredirparser1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:qemu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:qemu-img"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:usbredir"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:usbredir-devel"); script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1"); script_set_attribute(attribute:"patch_publication_date", value:"2014/11/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/23"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2019 Tenable Network Security, Inc."); script_family(english:"Mandriva Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux"); if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu); flag = 0; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64usbredirhost-devel-0.7-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64usbredirhost1-0.7-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64usbredirparser-devel-0.7-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"lib64usbredirparser1-0.7-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"qemu-1.6.2-1.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"qemu-img-1.6.2-1.1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"usbredir-0.7-1.mbs1")) flag++; if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:"usbredir-devel-0.7-1.mbs1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0674.NASL description Updated rhev-hypervisor6 packages that fix multiple security issues, several bugs, and add various enhancements are now available. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147) Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 79029 published 2014-11-08 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79029 title RHEL 6 : rhev-hypervisor6 3.4.0 (RHSA-2014:0674) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0744.NASL description Updated qemu-kvm-rhev packages that fix several security issues are now available for Red Hat Enterprise Virtualization. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager. Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 79030 published 2014-11-08 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79030 title RHEL 6 : qemu-kvm-rhev (RHSA-2014:0744) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2182-1.NASL description Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host. This issue only applied to Ubuntu 13.10 and Ubuntu 14.04 LTS. (CVE-2013-4544) Michael S. Tsirkin discovered that QEMU incorrectly handled virtio-net MAC addresses. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host. (CVE-2014-0150) Benoit Canet discovered that QEMU incorrectly handled SMART self-tests. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host. (CVE-2014-2894). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 73752 published 2014-04-29 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/73752 title Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 / 14.04 LTS : qemu, qemu-kvm vulnerabilities (USN-2182-1) NASL family SuSE Local Security Checks NASL id SUSE_11_KVM-140528.NASL description Several security issues in KVM have been fixed. Some issues could have resulted in arbitrary code execution or crash of the kvm host. - virtio-net: buffer overflow in virtio_net_handle_mac() function. (CVE-2014-0150) - Fixed out of bounds buffer accesses, guest triggerable via IDE SMART. (CVE-2014-2894) - Fixed various virtio-net buffer overflows. (CVE-2013-4148 / CVE-2013-4149 / CVE-2013-4150 / CVE-2013-4151) - Fixed ahci buffer overrun. (CVE-2013-4526) - Fixed hpet buffer overrun. (CVE-2013-4527) - Fixed a PCIE-AER buffer overrun. (CVE-2013-4529) - Fixed a buffer overrun in pl022. (CVE-2013-4530) - Fixed a vmstate buffer overflow. (CVE-2013-4531) - Fixed a pxa2xx buffer overrun. (CVE-2013-4533) - Fixed a openpic buffer overrun. (CVE-2013-4534) - Validate virtio num_sg mapping. (CVE-2013-4535 / CVE-2013-4536) - Fixed ssi-sd buffer overrun. (CVE-2013-4537) - Fixed ssd0323 buffer overrun. (CVE-2013-4538) - Fixed tsc210x buffer overrun. (CVE-2013-4539) - Fixed Zaurus buffer overrun. (CVE-2013-4540) - Some USB sanity checking added. (CVE-2013-4541) - Fixed virtio scsi buffer overrun. (CVE-2013-4542) - Fixed another virtio buffer overrun. (CVE-2013-6399) - Validate config_len on load in virtio (CVE-2014-0182) last seen 2020-06-05 modified 2014-06-19 plugin id 76138 published 2014-06-19 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/76138 title SuSE 11.3 Security Update : KVM (SAT Patch Number 9302) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0743.NASL description Updated qemu-kvm packages that fix multiple security issues and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 74461 published 2014-06-11 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74461 title RHEL 6 : qemu-kvm (RHSA-2014:0743) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201408-17.NASL description The remote host is affected by the vulnerability described in GLSA-201408-17 (QEMU: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 77461 published 2014-08-30 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/77461 title GLSA-201408-17 : QEMU: Multiple vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-0704.NASL description From Red Hat Security Advisory 2014:0704 : Updated qemu-kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide a user-space component to run virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 76737 published 2014-07-24 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76737 title Oracle Linux 7 : qemu-kvm (ELSA-2014-0704) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2933.NASL description Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware. - CVE-2013-4344 Buffer overflow in the SCSI implementation in QEMU, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command. - CVE-2014-2894 Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption. last seen 2020-03-17 modified 2014-05-20 plugin id 74096 published 2014-05-20 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74096 title Debian DSA-2933-1 : qemu-kvm - security update NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2015-061.NASL description Updated qemu packages fix multiple security vulnerabilities : Sibiao Luo discovered that QEMU incorrectly handled device hot-unplugging. A local user could possibly use this flaw to cause a denial of service (CVE-2013-4377). Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host (CVE-2013-4544). Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147). A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0150). A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0142). A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0146). It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0148). An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 81944 published 2015-03-19 reporter This script is Copyright (C) 2015-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/81944 title Mandriva Linux Security Advisory : qemu (MDVSA-2015:061) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2932.NASL description Several vulnerabilities were discovered in qemu, a fast processor emulator. - CVE-2013-4344 Buffer overflow in the SCSI implementation in QEMU, when a SCSI controller has more than 256 attached devices, allows local users to gain privileges via a small transfer buffer in a REPORT LUNS command. - CVE-2014-2894 Off-by-one error in the cmd_smart function in the smart self test in hw/ide/core.c in QEMU allows local users to have unspecified impact via a SMART EXECUTE OFFLINE command that triggers a buffer underflow and memory corruption. last seen 2020-03-17 modified 2014-05-20 plugin id 74095 published 2014-05-20 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74095 title Debian DSA-2932-1 : qemu - security update NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2014-0743.NASL description From Red Hat Security Advisory 2014:0743 : Updated qemu-kvm packages that fix multiple security issues and two bugs are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 74457 published 2014-06-11 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74457 title Oracle Linux 6 : qemu-kvm (ELSA-2014-0743) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2014-0704.NASL description Updated qemu-kvm packages that fix one security issue and several bugs are now available for Red Hat Enterprise Linux 7. The Red Hat Security Response Team has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide a user-space component to run virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU last seen 2020-06-01 modified 2020-06-02 plugin id 76899 published 2014-07-30 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76899 title RHEL 7 : qemu-kvm (RHSA-2014:0704)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02095.html
- http://www.openwall.com/lists/oss-security/2014/04/18/5
- https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02016.html
- https://lists.nongnu.org/archive/html/qemu-devel/2014-04/msg02152.html
- http://www.openwall.com/lists/oss-security/2014/04/15/4
- http://www.securityfocus.com/bid/66932
- http://secunia.com/advisories/57945
- http://www.ubuntu.com/usn/USN-2182-1
- http://secunia.com/advisories/58191
- http://rhn.redhat.com/errata/RHSA-2014-0743.html
- http://rhn.redhat.com/errata/RHSA-2014-0744.html
- http://rhn.redhat.com/errata/RHSA-2014-0704.html