Vulnerabilities > CVE-2015-4106 - Incorrect Authorization vulnerability in multiple products

047910
CVSS 4.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL

Summary

QEMU does not properly restrict write access to the PCI config space for certain PCI pass-through devices, which might allow local x86 HVM guests to gain privileges, cause a denial of service (host crash), obtain sensitive information, or possibly have other unspecified impact via unknown vectors.

Vulnerable Configurations

Part Description Count
Application
Qemu
138
Application
Citrix
5
OS
Debian
2
OS
Fedoraproject
3
OS
Suse
8
OS
Canonical
4

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0063.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - xen/pt: unknown PCI config space fields should be read-only ... by default. Add a per-device
    last seen2020-06-01
    modified2020-06-02
    plugin id83966
    published2015-06-03
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83966
    titleOracleVM 3.2 : xen (OVMSA-2015-0063)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2630-1.NASL
    descriptionMatt Tait discovered that QEMU incorrectly handled the virtual PCNET driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3209) Kurt Seifried discovered that QEMU incorrectly handled certain temporary files. A local attacker could use this issue to cause a denial of service. (CVE-2015-4037) Jan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the host MSI message data field. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4103) Jan Beulich discovered that the QEMU Xen code incorrectly restricted access to the PCI MSI mask bits. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4104) Jan Beulich discovered that the QEMU Xen code incorrectly handled MSI-X error messages. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4105) Jan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the PCI config space. A malicious guest could use this issue to cause a denial of service, obtain sensitive information, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4106). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id84118
    published2015-06-11
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84118
    titleUbuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : qemu, qemu-kvm vulnerabilities (USN-2630-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-9456.NASL
    descriptionreplace deprecated gnutls use in qemu-xen-traditional based on qemu-xen patches, work around a gcc 5 bug, Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103], PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104], Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105], Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-06-15
    plugin id84177
    published2015-06-15
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84177
    titleFedora 22 : xen-4.5.0-10.fc22 (2015-9456)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1045-1.NASL
    descriptionXen was updated to fix seven security vulnerabilities : CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bnc#931625) CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bnc#931626) CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bnc#931627) CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bnc#931628) CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior. (XSA-134, bnc#932790) CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bnc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bnc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id84190
    published2015-06-15
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84190
    titleSUSE SLED11 / SLES11 Security Update : Xen (SUSE-SU-2015:1045-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1156-1.NASL
    descriptionXen was updated to fix six security issues : CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bsc#931625) CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bsc#931626) CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bsc#931627) CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bsc#931628) CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id84468
    published2015-06-30
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84468
    titleSUSE SLES11 Security Update : Xen (SUSE-SU-2015:1156-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0064.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0064 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id83967
    published2015-06-03
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83967
    titleOracleVM 3.3 : xen (OVMSA-2015-0064)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_3D65734027EA11E5A4A5002590263BF5.NASL
    descriptionThe Xen Project reports : Qemu allows guests to not only read, but also write all parts of the PCI config space (but not extended config space) of passed through PCI devices not explicitly dealt with for (partial) emulation purposes. Since the effect depends on the specific purpose of the the config space field, it
    last seen2020-06-01
    modified2020-06-02
    plugin id84699
    published2015-07-14
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84699
    titleFreeBSD : xen-tools -- Unmediated PCI register access in qemu (3d657340-27ea-11e5-a4a5-002590263bf5)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-2324-1.NASL
    descriptionThis update fixes the following security issues : - bsc#956832 - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list - Revert x86/IO-APIC: don
    last seen2020-06-01
    modified2020-06-02
    plugin id87588
    published2015-12-22
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87588
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:2324-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-892.NASL
    descriptionThis update fixes the following security issues : - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142) - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in microcode via #DB exception - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156) - bsc#950704 - CVE-2015-7970 xen: x86: Long latency populate-on-demand operation is not preemptible (XSA-150) 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
    last seen2020-06-05
    modified2015-12-16
    plugin id87393
    published2015-12-16
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87393
    titleopenSUSE Security Update : xen (openSUSE-2015-892)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-434.NASL
    descriptionXen was updated to 4.4.2 to fix multiple vulnerabilities and non-security bugs. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. () - CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. () - CVE-2015-2752: Long latency MMIO mapping operations are not preemptible (XSA-125 boo#922705) - CVE-2015-2756: Unmediated PCI command register access in qemu (XSA-126 boo#922706) - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-2151: Hypervisor memory corruption due to x86 emulator flaw (boo#919464 XSA-123) - CVE-2015-2045: Information leak through version information hypercall (boo#918998 XSA-122) - CVE-2015-2044: Information leak via internal x86 system device emulation (boo#918995 (XSA-121) - CVE-2015-2152: HVM qemu unexpectedly enabling emulated VGA graphics backends (boo#919663 XSA-119) - CVE-2014-3615: information leakage when guest sets high resolution (boo#895528) The following non-security bugs were fixed : - xentop: Fix memory leak on read failure - boo#923758: xen dmesg contains bogus output in early boot - boo#921842: Xentop doesn
    last seen2020-06-05
    modified2015-06-23
    plugin id84333
    published2015-06-23
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84333
    titleopenSUSE Security Update : xen (openSUSE-2015-434) (Venom)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1042-1.NASL
    descriptionXen was updated to fix seven security issues and one non-security bug. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (bnc#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (bnc#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (bnc#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (bnc#931628) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (bnc#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (bnc#932770) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (bnc#932996) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id84146
    published2015-06-12
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84146
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:1042-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2016-0012.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - XSA-125: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) (Jan Beulich) [20732412] (CVE-2015-2752) - XSA-126: xen: limit guest control of PCI command register (Jan Beulich) [20739399] (CVE-2015-2756) - XSA-128: xen: properly gate host writes of modified PCI CFG contents (Jan Beulich) [21157440] (CVE-2015-4103) - XSA-129: xen: don
    last seen2020-06-01
    modified2020-06-02
    plugin id88737
    published2016-02-15
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/88737
    titleOracleVM 2.2 : xen (OVMSA-2016-0012)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-9965.NASL
    descriptionHeap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209] (#1230537) GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163] vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164] Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103], PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104], Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105], Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-06-25
    plugin id84378
    published2015-06-25
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84378
    titleFedora 20 : xen-4.3.4-6.fc20 (2015-9965)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201604-03.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id90380
    published2016-04-07
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90380
    titleGLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3284.NASL
    descriptionSeveral vulnerabilities were discovered in qemu, a fast processor emulator. - CVE-2015-3209 Matt Tait of Google
    last seen2020-06-01
    modified2020-06-02
    plugin id84167
    published2015-06-15
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84167
    titleDebian DSA-3284-1 : qemu - security update
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3286.NASL
    descriptionMultiple security issues have been found in the Xen virtualisation solution : - CVE-2015-3209 Matt Tait discovered a flaw in the way QEMU
    last seen2020-06-01
    modified2020-06-02
    plugin id84169
    published2015-06-15
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84169
    titleDebian DSA-3286-1 : xen - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-9466.NASL
    descriptionPotential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103], PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104], Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105], Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-06-15
    plugin id84178
    published2015-06-15
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84178
    titleFedora 21 : xen-4.4.2-5.fc21 (2015-9466)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1157-1.NASL
    descriptionXen was updated to fix six security issues : CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bsc#931625) CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bsc#931626) CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bsc#931627) CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bsc#931628) CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id84469
    published2015-06-30
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84469
    titleSUSE SLES11 Security Update : Xen (SUSE-SU-2015:1157-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-435.NASL
    descriptionXen was updated to fix eight vulnerabilities. The following vulnerabilities were fixed : - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996)
    last seen2020-06-05
    modified2015-06-23
    plugin id84334
    published2015-06-23
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84334
    titleopenSUSE Security Update : xen (openSUSE-2015-435)