Vulnerabilities > CVE-2016-7155

047910
CVSS 4.4 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
qemu
debian
nessus

Summary

hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (out-of-bounds access or infinite loop, and QEMU process crash) via a crafted page count for descriptor rings.

Vulnerable Configurations

Part Description Count
Application
Qemu
227
OS
Debian
1

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1234.NASL
    descriptionqemu was updated to fix 19 security issues. These security issues were fixed : - CVE-2016-2392: The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU did not properly validate USB configuration descriptor objects, which allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet (bsc#967012) - CVE-2016-2391: The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers (bsc#967013) - CVE-2016-5106: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982018) - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, used an uninitialized variable, which allowed local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982017) - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors (bsc#982019) - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allowed local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982285) - CVE-2016-4454: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read (bsc#982222) - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command (bsc#982223) - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer (bsc#983982) - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information (bsc#983961) - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982959) - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion (bsc#991080) - CVE-2016-6490: Infinite loop in the virtio framework. A privileged user inside the guest could have used this flaw to crash the Qemu instance on the host resulting in DoS (bsc#991466) - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3 device driver. A privileged user inside guest could have used this flaw to crash the Qemu instance resulting in DoS (bsc#994771) - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device support. A privileged user inside guest could have used this issue to crash the Qemu instance resulting in DoS (bsc#994774) - CVE-2016-7116: Host directory sharing via Plan 9 File System(9pfs) was vulnerable to a directory/path traversal issue. A privileged user inside guest could have used this flaw to access undue files on the host (bsc#996441) - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaging information leakage. A privileged user inside guest could have used this to leak host memory bytes to a guest (bsc#994760) - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus a OOB access and/or infinite loop issue could have allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#997858) - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus a infinite loop issue could have allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#997859) This non-security issue was fixed : - bsc#1000048: Fix migration failure where target host is a soon to be released SLES 12 SP2. Qemu
    last seen2020-06-05
    modified2016-10-27
    plugin id94309
    published2016-10-27
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/94309
    titleopenSUSE Security Update : qemu (openSUSE-2016-1234)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2016-1234.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94309);
      script_version("2.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-2391", "CVE-2016-2392", "CVE-2016-4453", "CVE-2016-4454", "CVE-2016-5105", "CVE-2016-5106", "CVE-2016-5107", "CVE-2016-5126", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-5338", "CVE-2016-5403", "CVE-2016-6490", "CVE-2016-6833", "CVE-2016-6836", "CVE-2016-6888", "CVE-2016-7116", "CVE-2016-7155", "CVE-2016-7156");
    
      script_name(english:"openSUSE Security Update : qemu (openSUSE-2016-1234)");
      script_summary(english:"Check for the openSUSE-2016-1234 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "qemu was updated to fix 19 security issues.
    
    These security issues were fixed :
    
      - CVE-2016-2392: The is_rndis function in the USB Net
        device emulator (hw/usb/dev-network.c) in QEMU did not
        properly validate USB configuration descriptor objects,
        which allowed local guest OS administrators to cause a
        denial of service (NULL pointer dereference and QEMU
        process crash) via vectors involving a remote NDIS
        control message packet (bsc#967012)
    
      - CVE-2016-2391: The ohci_bus_start function in the USB
        OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU
        allowed local guest OS administrators to cause a denial
        of service (NULL pointer dereference and QEMU process
        crash) via vectors related to multiple eof_timers
        (bsc#967013)
    
      - CVE-2016-5106: The megasas_dcmd_set_properties function
        in hw/scsi/megasas.c in QEMU, when built with MegaRAID
        SAS 8708EM2 Host Bus Adapter emulation support, allowed
        local guest administrators to cause a denial of service
        (out-of-bounds write access) via vectors involving a
        MegaRAID Firmware Interface (MFI) command (bsc#982018)
    
      - CVE-2016-5105: The megasas_dcmd_cfg_read function in
        hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS
        8708EM2 Host Bus Adapter emulation support, used an
        uninitialized variable, which allowed local guest
        administrators to read host memory via vectors involving
        a MegaRAID Firmware Interface (MFI) command (bsc#982017)
    
      - CVE-2016-5107: The megasas_lookup_frame function in
        QEMU, when built with MegaRAID SAS 8708EM2 Host Bus
        Adapter emulation support, allowed local guest OS
        administrators to cause a denial of service
        (out-of-bounds read and crash) via unspecified vectors
        (bsc#982019)
    
      - CVE-2016-5126: Heap-based buffer overflow in the
        iscsi_aio_ioctl function in block/iscsi.c in QEMU
        allowed local guest OS users to cause a denial of
        service (QEMU process crash) or possibly execute
        arbitrary code via a crafted iSCSI asynchronous I/O
        ioctl call (bsc#982285)
    
      - CVE-2016-4454: The vmsvga_fifo_read_raw function in
        hw/display/vmware_vga.c in QEMU allowed local guest OS
        administrators to obtain sensitive host memory
        information or cause a denial of service (QEMU process
        crash) by changing FIFO registers and issuing a VGA
        command, which triggers an out-of-bounds read
        (bsc#982222)
    
      - CVE-2016-4453: The vmsvga_fifo_run function in
        hw/display/vmware_vga.c in QEMU allowed local guest OS
        administrators to cause a denial of service (infinite
        loop and QEMU process crash) via a VGA command
        (bsc#982223)
    
      - CVE-2016-5338: The (1) esp_reg_read and (2)
        esp_reg_write functions in hw/scsi/esp.c in QEMU allowed
        local guest OS administrators to cause a denial of
        service (QEMU process crash) or execute arbitrary code
        on the QEMU host via vectors related to the information
        transfer buffer (bsc#983982)
    
      - CVE-2016-5337: The megasas_ctrl_get_info function in
        hw/scsi/megasas.c in QEMU allowed local guest OS
        administrators to obtain sensitive host memory
        information via vectors related to reading device
        control information (bsc#983961)
    
      - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in
        QEMU allowed local guest OS administrators to cause a
        denial of service (out-of-bounds write and QEMU process
        crash) via vectors related to reading from the
        information transfer buffer in non-DMA mode (bsc#982959)
    
      - CVE-2016-5403: The virtqueue_pop function in
        hw/virtio/virtio.c in QEMU allowed local guest OS
        administrators to cause a denial of service (memory
        consumption and QEMU process crash) by submitting
        requests without waiting for completion (bsc#991080)
    
      - CVE-2016-6490: Infinite loop in the virtio framework. A
        privileged user inside the guest could have used this
        flaw to crash the Qemu instance on the host resulting in
        DoS (bsc#991466)
    
      - CVE-2016-6888: Integer overflow in packet initialisation
        in VMXNET3 device driver. A privileged user inside guest
        could have used this flaw to crash the Qemu instance
        resulting in DoS (bsc#994771)
    
      - CVE-2016-6833: Use-after-free issue in the VMWARE
        VMXNET3 NIC device support. A privileged user inside
        guest could have used this issue to crash the Qemu
        instance resulting in DoS (bsc#994774)
    
      - CVE-2016-7116: Host directory sharing via Plan 9 File
        System(9pfs) was vulnerable to a directory/path
        traversal issue. A privileged user inside guest could
        have used this flaw to access undue files on the host
        (bsc#996441)
    
      - CVE-2016-6836: VMWARE VMXNET3 NIC device support was
        leaging information leakage. A privileged user inside
        guest could have used this to leak host memory bytes to
        a guest (bsc#994760)
    
      - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus
        a OOB access and/or infinite loop issue could have
        allowed a privileged user inside guest to crash the Qemu
        process resulting in DoS (bsc#997858)
    
      - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus
        a infinite loop issue could have allowed a privileged
        user inside guest to crash the Qemu process resulting in
        DoS (bsc#997859)
    
    This non-security issue was fixed :
    
      - bsc#1000048: Fix migration failure where target host is
        a soon to be released SLES 12 SP2. Qemu's spice code
        gets an assertion.
    
    This update was imported from the SUSE:SLE-12-SP1:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1000048"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=967012"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=967013"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=982017"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=982018"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=982019"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=982222"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=982223"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=982285"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=982959"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=983961"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=983982"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=991080"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=991466"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=994760"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=994771"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=994774"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=996441"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=997858"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=997859"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected qemu packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-arm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-rbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-rbd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-extra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-extra-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-guest-agent-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-ipxe");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-linux-user");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-linux-user-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-linux-user-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-ppc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-ppc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-s390");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-s390-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-seabios");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-sgabios");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-testsuite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-vgabios");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-x86-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/27");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.1)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.1", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-arm-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-arm-debuginfo-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-block-curl-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-block-curl-debuginfo-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-debugsource-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-extra-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-extra-debuginfo-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-guest-agent-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-guest-agent-debuginfo-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-ipxe-1.0.0-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-kvm-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-lang-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-linux-user-2.3.1-19.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-linux-user-debuginfo-2.3.1-19.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-linux-user-debugsource-2.3.1-19.1") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-ppc-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-ppc-debuginfo-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-s390-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-s390-debuginfo-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-seabios-1.8.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-sgabios-8-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-tools-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-tools-debuginfo-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-vgabios-1.8.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-x86-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", reference:"qemu-x86-debuginfo-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"qemu-block-rbd-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"qemu-block-rbd-debuginfo-2.3.1-19.3") ) flag++;
    if ( rpm_check(release:"SUSE42.1", cpu:"x86_64", reference:"qemu-testsuite-2.3.1-19.6") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-linux-user / qemu-linux-user-debuginfo / etc");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1599.NASL
    descriptionSeveral vulnerabilities were found in QEMU, a fast processor emulator : CVE-2016-2391 Zuozhi Fzz discovered that eof_times in USB OHCI emulation support could be used to cause a denial of service, via a NULL pointer dereference. CVE-2016-2392 / CVE-2016-2538 Qinghao Tang found a NULL pointer dereference and multiple integer overflows in the USB Net device support that could allow local guest OS administrators to cause a denial of service. These issues related to remote NDIS control message handling. CVE-2016-2841 Yang Hongke reported an infinite loop vulnerability in the NE2000 NIC emulation support. CVE-2016-2857 Liu Ling found a flaw in QEMU IP checksum routines. Attackers could take advantage of this issue to cause QEMU to crash. CVE-2016-2858 Arbitrary stack based allocation in the Pseudo Random Number Generator (PRNG) back-end support. CVE-2016-4001 / CVE-2016-4002 Oleksandr Bazhaniuk reported buffer overflows in the Stellaris and the MIPSnet ethernet controllers emulation. Remote malicious users could use these issues to cause QEMU to crash. CVE-2016-4020 Donghai Zdh reported that QEMU incorrectly handled the access to the Task Priority Register (TPR), allowing local guest OS administrators to obtain sensitive information from host stack memory. CVE-2016-4037 Du Shaobo found an infinite loop vulnerability in the USB EHCI emulation support. CVE-2016-4439 / CVE-2016-4441 / CVE-2016-5238 / CVE-2016-5338 / CVE-2016-6351 Li Qiang found different issues in the QEMU 53C9X Fast SCSI Controller (FSC) emulation support, that made it possible for local guest OS privileged users to cause denials of service or potentially execute arbitrary code. CVE-2016-4453 / CVE-2016-4454 Li Qiang reported issues in the QEMU VMWare VGA module handling, that may be used to cause QEMU to crash, or to obtain host sensitive information. CVE-2016-4952 / CVE-2016-7421 / CVE-2016-7156 Li Qiang reported flaws in the VMware paravirtual SCSI bus emulation support. These issues concern an out-of-bounds access and infinite loops, that allowed local guest OS privileged users to cause a denial of service. CVE-2016-5105 / CVE-2016-5106 / CVE-2016-5107 / CVE-2016-5337 Li Qiang discovered several issues in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. These issues include stack information leakage while reading configuration and out-of-bounds write and read. CVE-2016-6834 Li Qiang reported an infinite loop vulnerability during packet fragmentation in the network transport abstraction layer support. Local guest OS privileged users could made use of this flaw to cause a denial of service. CVE-2016-6836 / CVE-2016-6888 Li Qiang found issues in the VMWare VMXNET3 network card emulation support, relating to information leak and integer overflow in packet initialisation. CVE-2016-7116 Felix Wilhel discovered a directory traversal flaw in the Plan 9 File System (9pfs), exploitable by local guest OS privileged users. CVE-2016-7155 Tom Victor and Li Qiang reported an out-of-bounds read and an infinite loop in the VMware paravirtual SCSI bus emulation support. CVE-2016-7161 Hu Chaojian reported a heap overflow in the xlnx.xps-ethernetlite emulation support. Privileged users in local guest OS could made use of this to cause QEMU to crash. CVE-2016-7170 Qinghao Tang and Li Qiang reported a flaw in the QEMU VMWare VGA module, that could be used by privileged user in local guest OS to cause QEMU to crash via an out-of-bounds stack memory access. CVE-2016-7908 / CVE-2016-7909 Li Qiang reported infinite loop vulnerabilities in the ColdFire Fast Ethernet Controller and the AMD PC-Net II (Am79C970A) emulations. These flaws allowed local guest OS administrators to cause a denial of service. CVE-2016-8909 Huawei PSIRT found an infinite loop vulnerability in the Intel HDA emulation support, relating to DMA buffer stream processing. Privileged users in local guest OS could made use of this to cause a denial of service. CVE-2016-8910 Andrew Henderson reported an infinite loop in the RTL8139 ethernet controller emulation support. Privileged users inside a local guest OS could made use of this to cause a denial of service. CVE-2016-9101 Li Qiang reported a memory leakage in the i8255x (PRO100) ethernet controller emulation support. CVE-2016-9102 / CVE-2016-9103 / CVE-2016-9104 / CVE-2016-9105 / CVE-2016-9106 / CVE-2016-8577 / CVE-2016-8578 Li Qiang reported various Plan 9 File System (9pfs) security issues, including host memory leakage and denial of service. CVE-2017-10664 Denial of service in the qemu-nbd (QEMU Disk Network Block Device) Server. CVE-2018-10839 / CVE-2018-17962 / CVE-2018-17963 Daniel Shapira reported several integer overflows in the packet handling in ethernet controllers emulated by QEMU. These issues could lead to denial of service. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id119310
    published2018-12-01
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119310
    titleDebian DLA-1599-1 : qemu security update
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1599-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(119310);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/18");
    
      script_cve_id("CVE-2016-2391", "CVE-2016-2392", "CVE-2016-2538", "CVE-2016-2841", "CVE-2016-2857", "CVE-2016-2858", "CVE-2016-4001", "CVE-2016-4002", "CVE-2016-4020", "CVE-2016-4037", "CVE-2016-4439", "CVE-2016-4441", "CVE-2016-4453", "CVE-2016-4454", "CVE-2016-4952", "CVE-2016-5105", "CVE-2016-5106", "CVE-2016-5107", "CVE-2016-5238", "CVE-2016-5337", "CVE-2016-5338", "CVE-2016-6351", "CVE-2016-6834", "CVE-2016-6836", "CVE-2016-6888", "CVE-2016-7116", "CVE-2016-7155", "CVE-2016-7156", "CVE-2016-7161", "CVE-2016-7170", "CVE-2016-7421", "CVE-2016-7908", "CVE-2016-7909", "CVE-2016-8577", "CVE-2016-8578", "CVE-2016-8909", "CVE-2016-8910", "CVE-2016-9101", "CVE-2016-9102", "CVE-2016-9103", "CVE-2016-9104", "CVE-2016-9105", "CVE-2016-9106", "CVE-2017-10664", "CVE-2018-10839", "CVE-2018-17962", "CVE-2018-17963");
    
      script_name(english:"Debian DLA-1599-1 : qemu security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Several vulnerabilities were found in QEMU, a fast processor 
    emulator :
    
    CVE-2016-2391
    
    Zuozhi Fzz discovered that eof_times in USB OHCI emulation support
    could be used to cause a denial of service, via a NULL pointer
    dereference.
    
    CVE-2016-2392 / CVE-2016-2538
    
    Qinghao Tang found a NULL pointer dereference and multiple integer
    overflows in the USB Net device support that could allow local guest
    OS administrators to cause a denial of service. These issues related
    to remote NDIS control message handling.
    
    CVE-2016-2841
    
    Yang Hongke reported an infinite loop vulnerability in the NE2000 NIC
    emulation support.
    
    CVE-2016-2857
    
    Liu Ling found a flaw in QEMU IP checksum routines. Attackers could
    take advantage of this issue to cause QEMU to crash.
    
    CVE-2016-2858
    
    Arbitrary stack based allocation in the Pseudo Random Number Generator
    (PRNG) back-end support.
    
    CVE-2016-4001 / CVE-2016-4002
    
    Oleksandr Bazhaniuk reported buffer overflows in the Stellaris and the
    MIPSnet ethernet controllers emulation. Remote malicious users could
    use these issues to cause QEMU to crash.
    
    CVE-2016-4020
    
    Donghai Zdh reported that QEMU incorrectly handled the access to the
    Task Priority Register (TPR), allowing local guest OS administrators
    to obtain sensitive information from host stack memory.
    
    CVE-2016-4037
    
    Du Shaobo found an infinite loop vulnerability in the USB EHCI
    emulation support.
    
    CVE-2016-4439 / CVE-2016-4441 / CVE-2016-5238 / CVE-2016-5338 /
    CVE-2016-6351
    
    Li Qiang found different issues in the QEMU 53C9X Fast SCSI Controller
    (FSC) emulation support, that made it possible for local guest OS
    privileged users to cause denials of service or potentially execute
    arbitrary code.
    
    CVE-2016-4453 / CVE-2016-4454
    
    Li Qiang reported issues in the QEMU VMWare VGA module handling, that
    may be used to cause QEMU to crash, or to obtain host sensitive
    information.
    
    CVE-2016-4952 / CVE-2016-7421 / CVE-2016-7156
    
    Li Qiang reported flaws in the VMware paravirtual SCSI bus emulation
    support. These issues concern an out-of-bounds access and infinite
    loops, that allowed local guest OS privileged users to cause a denial
    of service.
    
    CVE-2016-5105 / CVE-2016-5106 / CVE-2016-5107 / CVE-2016-5337
    
    Li Qiang discovered several issues in the MegaRAID SAS 8708EM2 Host
    Bus Adapter emulation support. These issues include stack information
    leakage while reading configuration and out-of-bounds write and read.
    
    CVE-2016-6834
    
    Li Qiang reported an infinite loop vulnerability during packet
    fragmentation in the network transport abstraction layer support.
    Local guest OS privileged users could made use of this flaw to cause a
    denial of service.
    
    CVE-2016-6836 / CVE-2016-6888
    
    Li Qiang found issues in the VMWare VMXNET3 network card emulation
    support, relating to information leak and integer overflow in packet
    initialisation.
    
    CVE-2016-7116
    
    Felix Wilhel discovered a directory traversal flaw in the Plan 9 File
    System (9pfs), exploitable by local guest OS privileged users.
    
    CVE-2016-7155
    
    Tom Victor and Li Qiang reported an out-of-bounds read and an infinite
    loop in the VMware paravirtual SCSI bus emulation support.
    
    CVE-2016-7161
    
    Hu Chaojian reported a heap overflow in the xlnx.xps-ethernetlite
    emulation support. Privileged users in local guest OS could made use
    of this to cause QEMU to crash.
    
    CVE-2016-7170
    
    Qinghao Tang and Li Qiang reported a flaw in the QEMU VMWare VGA
    module, that could be used by privileged user in local guest OS to
    cause QEMU to crash via an out-of-bounds stack memory access.
    
    CVE-2016-7908 / CVE-2016-7909
    
    Li Qiang reported infinite loop vulnerabilities in the ColdFire Fast
    Ethernet Controller and the AMD PC-Net II (Am79C970A) emulations.
    These flaws allowed local guest OS administrators to cause a denial of
    service.
    
    CVE-2016-8909
    
    Huawei PSIRT found an infinite loop vulnerability in the Intel HDA
    emulation support, relating to DMA buffer stream processing.
    Privileged users in local guest OS could made use of this to cause a
    denial of service.
    
    CVE-2016-8910
    
    Andrew Henderson reported an infinite loop in the RTL8139 ethernet
    controller emulation support. Privileged users inside a local guest OS
    could made use of this to cause a denial of service.
    
    CVE-2016-9101
    
    Li Qiang reported a memory leakage in the i8255x (PRO100) ethernet
    controller emulation support.
    
    CVE-2016-9102 / CVE-2016-9103 / CVE-2016-9104 / CVE-2016-9105 /
    CVE-2016-9106 / CVE-2016-8577 / CVE-2016-8578
    
    Li Qiang reported various Plan 9 File System (9pfs) security issues,
    including host memory leakage and denial of service.
    
    CVE-2017-10664
    
    Denial of service in the qemu-nbd (QEMU Disk Network Block Device)
    Server.
    
    CVE-2018-10839 / CVE-2018-17962 / CVE-2018-17963
    
    Daniel Shapira reported several integer overflows in the packet
    handling in ethernet controllers emulated by QEMU. These issues could
    lead to denial of service.
    
    For Debian 8 'Jessie', these problems have been fixed in version
    1:2.1+dfsg-12+deb8u8.
    
    We recommend that you upgrade your qemu packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/11/msg00038.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/qemu"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-mips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-misc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-ppc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-sparc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user-binfmt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/07");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/11/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"qemu", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-guest-agent", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-kvm", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-arm", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-common", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-mips", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-misc", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-ppc", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-sparc", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-x86", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-user", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-user-binfmt", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-user-static", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-utils", reference:"1:2.1+dfsg-12+deb8u8")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3125-1.NASL
    descriptionZhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-5403) Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6833, CVE-2016-6834, CVE-2016-6888) Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6835) Li Qiang discovered that QEMU incorrectly handled VMWARE VMXNET3 network card emulation support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host memory. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-6836) Felix Wilhelm discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host files. (CVE-2016-7116) Li Qiang and Tom Victor discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual SCSI bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7155) Li Qiang discovered that QEMU incorrectly handled VMWARE PVSCSI paravirtual SCSI bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7156, CVE-2016-7421) Tom Victor discovered that QEMU incorrectly handled LSI SAS1068 host bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.10. (CVE-2016-7157) Hu Chaojian discovered that QEMU incorrectly handled xlnx.xps-ethernetlite emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-7161) Qinghao Tang and Li Qiang discovered that QEMU incorrectly handled the VMware VGA module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-7170) Qinghao Tang and Zhenhao Hong discovered that QEMU incorrectly handled the Virtio module. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.10. (CVE-2016-7422) Li Qiang discovered that QEMU incorrectly handled LSI SAS1068 host bus emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.10. (CVE-2016-7423) Li Qiang discovered that QEMU incorrectly handled USB xHCI controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7466) Li Qiang discovered that QEMU incorrectly handled ColdFire Fast Ethernet Controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-7908) Li Qiang discovered that QEMU incorrectly handled AMD PC-Net II emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-7909) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7994) Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 16.10. (CVE-2016-7995) Li Qiang discovered that QEMU incorrectly handled USB xHCI controller support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8576) Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8577, CVE-2016-8578) It was discovered that QEMU incorrectly handled Rocker switch emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-8668) It was discovered that QEMU incorrectly handled Intel HDA controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-8909) Andrew Henderson discovered that QEMU incorrectly handled RTL8139 ethernet controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-8910) Li Qiang discovered that QEMU incorrectly handled Intel i8255x ethernet controller emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-9101) Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. (CVE-2016-9102, CVE-2016-9104, CVE-2016-9105) Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to possibly to obtain sensitive host memory. (CVE-2016-9103) Li Qiang discovered that QEMU incorrectly handled Plan 9 File System (9pfs) support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9106). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id94669
    published2016-11-10
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94669
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : qemu, qemu-kvm vulnerabilities (USN-3125-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2589-1.NASL
    descriptionqemu was updated to fix 19 security issues. These security issues were fixed : - CVE-2016-2392: The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU did not properly validate USB configuration descriptor objects, which allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet (bsc#967012) - CVE-2016-2391: The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers (bsc#967013) - CVE-2016-5106: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982018) - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, used an uninitialized variable, which allowed local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982017) - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors (bsc#982019) - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allowed local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982285) - CVE-2016-4454: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read (bsc#982222) - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command (bsc#982223) - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer (bsc#983982) - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information (bsc#983961) - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982959) - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion (bsc#991080) - CVE-2016-6490: Infinite loop in the virtio framework. A privileged user inside the guest could have used this flaw to crash the Qemu instance on the host resulting in DoS (bsc#991466) - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3 device driver. A privileged user inside guest could have used this flaw to crash the Qemu instance resulting in DoS (bsc#994771) - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device support. A privileged user inside guest could have used this issue to crash the Qemu instance resulting in DoS (bsc#994774) - CVE-2016-7116: Host directory sharing via Plan 9 File System(9pfs) was vulnerable to a directory/path traversal issue. A privileged user inside guest could have used this flaw to access undue files on the host (bsc#996441) - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaging information leakage. A privileged user inside guest could have used this to leak host memory bytes to a guest (bsc#994760) - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus a OOB access and/or infinite loop issue could have allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#997858) - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus a infinite loop issue could have allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#997859) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id94277
    published2016-10-26
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94277
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2016:2589-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-2781-1.NASL
    descriptionqemu was updated to fix 21 security issues. These security issues were fixed : - CVE-2014-5388: Off-by-one error in the pci_read function in the ACPI PCI hotplug interface (hw/acpi/pcihp.c) in QEMU allowed local guest users to obtain sensitive information and have other unspecified impact related to a crafted PCI device that triggers memory corruption (bsc#893323). - CVE-2015-6815: e1000 NIC emulation support was vulnerable to an infinite loop issue. A privileged user inside guest could have used this flaw to crash the Qemu instance resulting in DoS. (bsc#944697). - CVE-2016-2391: The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers (bsc#967013). - CVE-2016-2392: The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU did not properly validate USB configuration descriptor objects, which allowed local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet (bsc#967012). - CVE-2016-4453: The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command (bsc#982223). - CVE-2016-4454: The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read (bsc#982222). - CVE-2016-5105: The megasas_dcmd_cfg_read function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, used an uninitialized variable, which allowed local guest administrators to read host memory via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982017). - CVE-2016-5106: The megasas_dcmd_set_properties function in hw/scsi/megasas.c in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest administrators to cause a denial of service (out-of-bounds write access) via vectors involving a MegaRAID Firmware Interface (MFI) command (bsc#982018). - CVE-2016-5107: The megasas_lookup_frame function in QEMU, when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds read and crash) via unspecified vectors (bsc#982019). - CVE-2016-5126: Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allowed local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call (bsc#982285). - CVE-2016-5238: The get_cmd function in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) via vectors related to reading from the information transfer buffer in non-DMA mode (bsc#982959). - CVE-2016-5337: The megasas_ctrl_get_info function in hw/scsi/megasas.c in QEMU allowed local guest OS administrators to obtain sensitive host memory information via vectors related to reading device control information (bsc#983961). - CVE-2016-5338: The (1) esp_reg_read and (2) esp_reg_write functions in hw/scsi/esp.c in QEMU allowed local guest OS administrators to cause a denial of service (QEMU process crash) or execute arbitrary code on the QEMU host via vectors related to the information transfer buffer (bsc#983982). - CVE-2016-5403: The virtqueue_pop function in hw/virtio/virtio.c in QEMU allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion (bsc#991080). - CVE-2016-6490: Infinite loop in the virtio framework. A privileged user inside the guest could have used this flaw to crash the Qemu instance on the host resulting in DoS (bsc#991466). - CVE-2016-6833: Use-after-free issue in the VMWARE VMXNET3 NIC device support. A privileged user inside guest could have used this issue to crash the Qemu instance resulting in DoS (bsc#994774). - CVE-2016-6836: VMWARE VMXNET3 NIC device support was leaging information leakage. A privileged user inside guest could have used this to leak host memory bytes to a guest (bsc#994760). - CVE-2016-6888: Integer overflow in packet initialisation in VMXNET3 device driver. A privileged user inside guest could have used this flaw to crash the Qemu instance resulting in DoS (bsc#994771). - CVE-2016-7116: Host directory sharing via Plan 9 File System(9pfs) was vulnerable to a directory/path traversal issue. A privileged user inside guest could have used this flaw to access undue files on the host (bsc#996441). - CVE-2016-7155: In the VMWARE PVSCSI paravirtual SCSI bus a OOB access and/or infinite loop issue could have allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#997858). - CVE-2016-7156: In the VMWARE PVSCSI paravirtual SCSI bus a infinite loop issue could have allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#997859). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id94758
    published2016-11-14
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94758
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2016:2781-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-3D3218EC41.NASL
    description - CVE-2016-7155: pvscsi: OOB read and infinite loop (bz #1373463) - CVE-2016-7156: pvscsi: infinite loop when building SG list (bz #1373480) - CVE-2016-7156: pvscsi: infinite loop when processing IO requests (bz #1373480) - CVE-2016-7170: vmware_vga: OOB stack memory access (bz #1374709) - CVE-2016-7157: mptsas: invalid memory access (bz #1373505) - CVE-2016-7466: usb: xhci memory leakage during device unplug (bz #1377838) - CVE-2016-7423: scsi: mptsas: OOB access (bz #1376777) - CVE-2016-7422: virtio: NULL pointer dereference (bz #1376756) - CVE-2016-7908: net: Infinite loop in mcf_fec_do_tx (bz #1381193) - CVE-2016-8576: usb: xHCI: infinite loop vulnerability (bz #1382322) - CVE-2016-7995: usb: hcd-ehci: memory leak (bz #1382669) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-15
    plugin id94794
    published2016-11-15
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94794
    titleFedora 25 : 2:qemu (2016-3d3218ec41)