Vulnerabilities > CVE-2015-5154 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN

Summary

Heap-based buffer overflow in the IDE subsystem in QEMU, as used in Xen 4.5.x and earlier, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands.

Vulnerable Configurations

Part Description Count
OS
Xen
216
OS
Suse
6
OS
Fedoraproject
3
Application
Suse
1
Application
Qemu
189

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1421-1.NASL
    descriptionXen was updated to fix the following security issues : - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344) - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (XSA-140, bsc#939712) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85598
    published2015-08-24
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85598
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2015:1421-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-13404.NASL
    description - Fix crash in qemu_spice_create_display (bz #1163047) * CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536) * CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728) * CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz #1247141) * CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160) * CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest (bz #1249755) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-09-02
    plugin id85727
    published2015-09-02
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85727
    titleFedora 21 : qemu-2.1.3-9.fc21 (2015-13404)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-750.NASL
    descriptionxen was updated to fix 12 security issues. These security issues were fixed : - CVE-2015-7972: Populate-on-demand balloon size inaccuracy can crash guests (bsc#951845). - CVE-2015-7969: Leak of main per-domain vcpu pointer array (DoS) (bsc#950703). - CVE-2015-7969: Leak of per-domain profiling-related vcpu pointer array (DoS) (bsc#950705). - CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (bsc#950706). - CVE-2015-4037: Insecure temporary file use in /net/slirp.c (bsc#932267). - CVE-2014-0222: Validate L2 table size to avoid integer overflows (bsc#877642). - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests (bsc#950367). - CVE-2015-7311: libxl fails to honour readonly flag on disks with qemu-xen (bsc#947165). - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (bsc#939712). - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol (bsc#939709). - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). - CVE-2015-3259: xl command line config handling stack overflow (bsc#935634). These non-security issues were fixed : - bsc#907514: Bus fatal error and sles12 sudden reboot has been observed - bsc#910258: SLES12 Xen host crashes with FATAL NMI after shutdown of guest with VT-d NIC - bsc#918984: Bus fatal error and sles11-SP4 sudden reboot has been observed - bsc#923967: Partner-L3: Bus fatal error and sles11-SP3 sudden reboot has been observed - bsc#901488: Intel ixgbe driver assigns rx/tx queues per core resulting in irq problems on servers with a large amount of CPU cores - bsc#945167: Running command xl pci-assignable-add 03:10.1 secondly show errors - bsc#949138: Setting vcpu affinity under Xen causes libvirtd abort - bsc#944463: VUL-0: CVE-2015-5239: qemu-kvm: Integer overflow in vnc_client_read() and protocol_client_msg() - bsc#944697: VUL-1: CVE-2015-6815: qemu: net: e1000: infinite loop issue - bsc#925466: Kdump does not work in a XEN environment
    last seen2020-06-05
    modified2015-11-18
    plugin id86909
    published2015-11-18
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86909
    titleopenSUSE Security Update : xen (openSUSE-2015-750)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0095.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - ide: Clear DRQ after handling all expected accesses This is additional hardening against an end_transfer_func that fails to clear the DRQ status bit. The bit must be unset as soon as the PIO transfer has completed, so it
    last seen2020-06-01
    modified2020-06-02
    plugin id85037
    published2015-07-28
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85037
    titleOracleVM 3.3 : xen (OVMSA-2015-0095)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1508.NASL
    descriptionUpdated qemu-kvm-rhev packages that fix two security issues are now available for Red Hat Enterprise Virtualization Hypervisor 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM. A heap buffer overflow flaw was found in the way QEMU
    last seen2020-06-01
    modified2020-06-02
    plugin id117306
    published2018-09-06
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117306
    titleRHEL 7 : qemu-kvm-rhev (RHSA-2015:1508)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1479-2.NASL
    descriptionxen was updated to fix the following security issues : - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (bsc#939712, XSA-140) - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol (bsc#939709, XSA-139) - CVE-2015-2751: Certain domctl operations could have be used to lock up the host (bsc#922709, XSA-127) - CVE-2015-3259: xl command line config handling stack overflow (bsc#935634, XSA-137) - CVE-2015-4164: DoS through iret hypercall handler (bsc#932996, XSA-136) - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85792
    published2015-09-04
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85792
    titleSUSE SLED11 Security Update : xen (SUSE-SU-2015:1479-2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1426-1.NASL
    descriptionkvm was updated to fix two security issues. The following vulnerabilities were fixed : - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). - CVE-2015-3209: Fix buffer overflow in pcnet emulation (bsc#932770). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85625
    published2015-08-25
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85625
    titleSUSE SLES11 Security Update : kvm (SUSE-SU-2015:1426-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1472-1.NASL
    descriptionkvm was updated to fix one security issue. This security issue was fixed : - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85761
    published2015-09-03
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85761
    titleSUSE SLED11 / SLES11 Security Update : kvm (SUSE-SU-2015:1472-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_DA451130365D11E5A4A5002590263BF5.NASL
    descriptionThe Xen Project reports : A heap overflow flaw was found in the way QEMU
    last seen2020-06-01
    modified2020-06-02
    plugin id85234
    published2015-08-05
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85234
    titleFreeBSD : qemu, xen-tools -- QEMU heap overflow flaw with certain ATAPI commands (da451130-365d-11e5-a4a5-002590263bf5)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3348.NASL
    descriptionSeveral vulnerabilities were discovered in qemu, a fast processor emulator. - CVE-2015-3214 Matt Tait of Google
    last seen2020-06-01
    modified2020-06-02
    plugin id85754
    published2015-09-03
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85754
    titleDebian DSA-3348-1 : qemu - security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-2324-1.NASL
    descriptionThis update fixes the following security issues : - bsc#956832 - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing command block list - Revert x86/IO-APIC: don
    last seen2020-06-01
    modified2020-06-02
    plugin id87588
    published2015-12-22
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87588
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:2324-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-892.NASL
    descriptionThis update fixes the following security issues : - bsc#947165 - CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with qemu-xen (xsa-142) - bsc#954405 - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in microcode via #DB exception - bsc#954018 - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156) - bsc#950704 - CVE-2015-7970 xen: x86: Long latency populate-on-demand operation is not preemptible (XSA-150) 563212c9-x86-PoD-Eager-sweep-for-zeroed-pages.patch
    last seen2020-06-05
    modified2015-12-16
    plugin id87393
    published2015-12-16
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87393
    titleopenSUSE Security Update : xen (openSUSE-2015-892)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1408-1.NASL
    descriptionThis security update of Xen fixes the following issues : - bsc#939712 (XSA-140): QEMU leak of uninitialized heap memory in rtl8139 device model (CVE-2015-5165) - bsc#938344: qemu,kvm,xen: host code execution via IDE subsystem CD-ROM (CVE-2015-5154) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85575
    published2015-08-21
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85575
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2015:1408-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1455-1.NASL
    descriptionkvm was updated to fix one security issue. This security issue was fixed : - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85722
    published2015-09-01
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85722
    titleSUSE SLED11 / SLES11 Security Update : kvm (SUSE-SU-2015:1455-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1302-1.NASL
    descriptionxen was updated to fix two security issues. These security issues were fixed : - CVE-2015-3259: xl command line config handling stack overflow (bsc#935634, XSA-137). - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85074
    published2015-07-29
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85074
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:1302-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-1507.NASL
    descriptionUpdated qemu-kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. A heap buffer overflow flaw was found in the way QEMU
    last seen2020-06-01
    modified2020-06-02
    plugin id85030
    published2015-07-28
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85030
    titleCentOS 7 : qemu-kvm (CESA-2015:1507)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1643-1.NASL
    descriptionXen was updated to fix the following security issues : CVE-2015-5154: Host code execution via IDE subsystem CD-ROM. (bsc#938344) CVE-2015-3209: Heap overflow in QEMU
    last seen2020-06-01
    modified2020-06-02
    plugin id86203
    published2015-09-30
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86203
    titleSUSE SLES10 Security Update : Xen (SUSE-SU-2015:1643-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150727_QEMU_KVM_ON_SL7_X.NASL
    descriptionA heap buffer overflow flaw was found in the way QEMU
    last seen2020-03-18
    modified2015-07-29
    plugin id85072
    published2015-07-29
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85072
    titleScientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20150727)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201604-03.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id90380
    published2016-04-07
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90380
    titleGLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-1507.NASL
    descriptionFrom Red Hat Security Advisory 2015:1507 : Updated qemu-kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. A heap buffer overflow flaw was found in the way QEMU
    last seen2020-06-01
    modified2020-06-02
    plugin id85035
    published2015-07-28
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85035
    titleOracle Linux 7 : qemu-kvm (ELSA-2015-1507)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0096.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0096 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id85038
    published2015-07-28
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85038
    titleOracleVM 3.2 : xen (OVMSA-2015-0096)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201510-02.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201510-02 (QEMU: Arbitrary code execution) Heap-based buffer overflow has been found in QEMU’s PCNET controller. Impact : A remote attacker could execute arbitrary code via a specially crafted packets. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id86687
    published2015-11-02
    reporterThis script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/86687
    titleGLSA-201510-02 : QEMU: Arbitrary code execution
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2692-1.NASL
    descriptionMatt Tait discovered that QEMU incorrectly handled PIT emulation. In a non-default configuration, a malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3214) Kevin Wolf discovered that QEMU incorrectly handled processing ATAPI commands. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-5154) Zhu Donghai discovered that QEMU incorrectly handled the SCSI driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 15.04. (CVE-2015-5158). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85080
    published2015-07-29
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85080
    titleUbuntu 14.04 LTS / 15.04 : qemu vulnerabilities (USN-2692-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-12679.NASL
    descriptionQEMU heap overflow flaw while processing certain ATAPI commands. [XSA-138, CVE-2015-5154] (#1247142) try again to fix xen-qemu-dom0-disk-backend.service (#1242246) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-08-11
    plugin id85316
    published2015-08-11
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85316
    titleFedora 23 : xen-4.5.1-5.fc23 (2015-12679)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1782-1.NASL
    descriptionqemu was updated to fix several security issues and bugs. The following vulnerabilities were fixed : - CVE-2015-5154: Heap-based buffer overflow in the IDE subsystem in QEMU, when the container has a CDROM drive enabled, allows local guest users to execute arbitrary code on the host via unspecified ATAPI commands. (bsc#938344). - CVE-2015-5278: QEMU was vulnerable to an infinite loop issue that could occur when receiving packets over the network. (bsc#945989) - CVE-2015-5279: QEMU was vulnerable to a heap buffer overflow issue that could occur when receiving packets over the network. (bsc#945987) - CVE-2015-6855: QEMU was vulnerable to a divide by zero issue that could occur while executing an IDE command WIN_READ_NATIVE_MAX to determine the maximum size of a drive. (bsc#945404) - CVE-2014-7815: The set_pixel_format function in ui/vnc.c in QEMU allowed remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value. (bsc#902737) : Also The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id86490
    published2015-10-21
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86490
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2015:1782-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-12714.NASL
    descriptionQEMU heap overflow flaw while processing certain ATAPI commands. [XSA-138, CVE-2015-5154] (#1247142) rebuild efi grub.cfg if it is present (#1239309), add gcc5 build fixes, one needed for the following patch, modify gnutls use in line with Fedora
    last seen2020-06-05
    modified2015-08-13
    plugin id85361
    published2015-08-13
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85361
    titleFedora 21 : xen-4.4.2-9.fc21 (2015-12714)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-729.NASL
    descriptionxen was updated to fix 13 security issues. These security issues were fixed : - CVE-2015-7972: Populate-on-demand balloon size inaccuracy can crash guests (bsc#951845). - CVE-2015-7969: Leak of main per-domain vcpu pointer array (DoS) (bsc#950703). - CVE-2015-7969: Leak of per-domain profiling-related vcpu pointer array (DoS) (bsc#950705). - CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (bsc#950706). - CVE-2015-4037: Insecure temporary file use in /net/slirp.c (bsc#932267). - CVE-2014-0222: Validate L2 table size to avoid integer overflows (bsc#877642). - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests (bsc#950367). - CVE-2015-7311: libxl fails to honour readonly flag on disks with qemu-xen (bsc#947165). - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (bsc#939712). - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol (bsc#939709). - CVE-2015-5239: Integer overflow in vnc_client_read() and protocol_client_msg() (bsc#944463). - CVE-2015-6815: e1000: infinite loop issue (bsc#944697). - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). This non-security issues was fixed : - bsc#941074: VmError: Device 51728 (vbd) could not be connected. Hotplug scripts not working.
    last seen2020-06-05
    modified2015-11-13
    plugin id86863
    published2015-11-13
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86863
    titleopenSUSE Security Update : xen (openSUSE-2015-729)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1479-1.NASL
    descriptionxen was updated to fix the following security issues : - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (bsc#939712, XSA-140) - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol (bsc#939709, XSA-139) - CVE-2015-2751: Certain domctl operations could have be used to lock up the host (bsc#922709, XSA-127) - CVE-2015-3259: xl command line config handling stack overflow (bsc#935634, XSA-137) - CVE-2015-4164: DoS through iret hypercall handler (bsc#932996, XSA-136) - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85791
    published2015-09-04
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85791
    titleSUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:1479-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1299-1.NASL
    descriptionxen was updated to fix two security issues. These security issues were fixed : - CVE-2015-3259: xl command line config handling stack overflow (bsc#935634, XSA-137). - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85073
    published2015-07-29
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85073
    titleSUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:1299-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1409-1.NASL
    descriptionkvm was updated to fix one security issue. This security issue was fixed : - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id85576
    published2015-08-21
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85576
    titleSUSE SLES11 Security Update : kvm (SUSE-SU-2015:1409-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-13402.NASL
    description - Rebased to version 2.3.1 - Fix crash in qemu_spice_create_display (bz #1163047) - Fix qemu-img map crash for unaligned image (bz #1229394) - CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536) - CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728) - CVE-2015-5158: scsi stack-based buffer overflow (bz #1246025) - CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz #1247141) - CVE-2015-5166: BlockBackend object use after free issue (bz #1249758) - CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160) - CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest (bz #1249755) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-08-18
    plugin id85480
    published2015-08-18
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85480
    titleFedora 22 : qemu-2.3.1-1.fc22 (2015-13402)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-12657.NASL
    descriptionQEMU heap overflow flaw while processing certain ATAPI commands. [XSA-138, CVE-2015-5154] (#1247142) try again to fix xen-qemu-dom0-disk-backend.service (#1242246) correct qemu location in xen-qemu-dom0-disk-backend.service (#1242246), rebuild efi grub.cfg if it is present (#1239309), re-enable remus by building with libnl3, modify gnutls use in line with Fedora
    last seen2020-06-05
    modified2015-08-13
    plugin id85359
    published2015-08-13
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85359
    titleFedora 22 : xen-4.5.1-5.fc22 (2015-12657)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1507.NASL
    descriptionUpdated qemu-kvm packages that fix two security issues and one bug are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. A heap buffer overflow flaw was found in the way QEMU
    last seen2020-06-01
    modified2020-06-02
    plugin id85040
    published2015-07-28
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85040
    titleRHEL 7 : qemu-kvm (RHSA-2015:1507)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-13358.NASL
    description - Rebased to version 2.4.0 * Support for virtio-gpu, 2D only * Support for virtio-based keyboard/mouse/tablet emulation * x86 support for memory hot-unplug - ACPI v5.1 table support for
    last seen2020-06-05
    modified2015-08-24
    plugin id85592
    published2015-08-24
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85592
    titleFedora 23 : qemu-2.4.0-1.fc23 (2015-13358)
  • NASL familyMisc.
    NASL idCITRIX_XENSERVER_CTX201593.NASL
    descriptionThe version of Citrix XenServer running on the remote host is affected by a heap buffer overflow condition in the IDE subsystem of the bundled QEMU software, which is related to I/O buffer access when handling certain ATAPI commands. An attacker, with sufficient privileges in an HVM guest VM, can exploit this issue to execute arbitrary code in the context of the hypervisor process on the host system. Note that exploitation requires the CDROM drive to be enabled on the guest system.
    last seen2020-06-01
    modified2020-06-02
    plugin id85242
    published2015-08-05
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85242
    titleCitrix XenServer QEMU IDE Buffer Overflow Code Execution (CTX201593)

Redhat

advisories
  • bugzilla
    id1243563
    titleCVE-2015-5154 qemu: ide: atapi: heap overflow during I/O buffer memory access
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentlibcacard-devel is earlier than 10:1.5.3-86.el7_1.5
            ovaloval:com.redhat.rhsa:tst:20151507001
          • commentlibcacard-devel is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140704012
        • AND
          • commentlibcacard-tools is earlier than 10:1.5.3-86.el7_1.5
            ovaloval:com.redhat.rhsa:tst:20151507003
          • commentlibcacard-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140704006
        • AND
          • commentlibcacard is earlier than 10:1.5.3-86.el7_1.5
            ovaloval:com.redhat.rhsa:tst:20151507005
          • commentlibcacard is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140704008
        • AND
          • commentqemu-kvm-tools is earlier than 10:1.5.3-86.el7_1.5
            ovaloval:com.redhat.rhsa:tst:20151507007
          • commentqemu-kvm-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345002
        • AND
          • commentqemu-kvm-common is earlier than 10:1.5.3-86.el7_1.5
            ovaloval:com.redhat.rhsa:tst:20151507009
          • commentqemu-kvm-common is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140704004
        • AND
          • commentqemu-kvm is earlier than 10:1.5.3-86.el7_1.5
            ovaloval:com.redhat.rhsa:tst:20151507011
          • commentqemu-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345004
        • AND
          • commentqemu-img is earlier than 10:1.5.3-86.el7_1.5
            ovaloval:com.redhat.rhsa:tst:20151507013
          • commentqemu-img is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345006
    rhsa
    idRHSA-2015:1507
    released2015-07-27
    severityImportant
    titleRHSA-2015:1507: qemu-kvm security and bug fix update (Important)
  • rhsa
    idRHSA-2015:1508
  • rhsa
    idRHSA-2015:1512
rpms
  • libcacard-10:1.5.3-86.el7_1.5
  • libcacard-devel-10:1.5.3-86.el7_1.5
  • libcacard-tools-10:1.5.3-86.el7_1.5
  • qemu-img-10:1.5.3-86.el7_1.5
  • qemu-kvm-10:1.5.3-86.el7_1.5
  • qemu-kvm-common-10:1.5.3-86.el7_1.5
  • qemu-kvm-debuginfo-10:1.5.3-86.el7_1.5
  • qemu-kvm-tools-10:1.5.3-86.el7_1.5
  • libcacard-devel-rhev-10:2.1.2-23.el7_1.6
  • libcacard-rhev-10:2.1.2-23.el7_1.6
  • libcacard-tools-rhev-10:2.1.2-23.el7_1.6
  • qemu-img-rhev-10:2.1.2-23.el7_1.6
  • qemu-kvm-common-rhev-10:2.1.2-23.el7_1.6
  • qemu-kvm-rhev-10:2.1.2-23.el7_1.6
  • qemu-kvm-rhev-debuginfo-10:2.1.2-23.el7_1.6
  • qemu-kvm-tools-rhev-10:2.1.2-23.el7_1.6
  • libcacard-devel-rhev-10:2.1.2-23.el7_1.6
  • libcacard-rhev-10:2.1.2-23.el7_1.6
  • libcacard-tools-rhev-10:2.1.2-23.el7_1.6
  • qemu-img-rhev-10:2.1.2-23.el7_1.6
  • qemu-kvm-common-rhev-10:2.1.2-23.el7_1.6
  • qemu-kvm-rhev-10:2.1.2-23.el7_1.6
  • qemu-kvm-rhev-debuginfo-10:2.1.2-23.el7_1.6
  • qemu-kvm-tools-rhev-10:2.1.2-23.el7_1.6

References