Vulnerabilities > CVE-2016-9381 - Race Condition vulnerability in multiple products
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a "double fetch" vulnerability.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_58685E23BA4D11E6AE1B002590263BF5.NASL description The Xen Project reports : The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor (which the guest under control can obtain mappings of) can be fetched twice (during which time the guest can alter the contents) possibly leading to arbitrary code execution in qemu. Malicious administrators can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process. In a system not using a device model stub domain (or other techniques for deprivileging qemu), malicious guest administrators can thus elevate their privilege to that of the host. last seen 2020-06-01 modified 2020-06-02 plugin id 95510 published 2016-12-05 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95510 title FreeBSD : xen-tools -- qemu incautious about shared ring processing (58685e23-ba4d-11e6-ae1b-002590263bf5) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(95510); script_version("3.4"); script_cvs_date("Date: 2018/11/10 11:49:45"); script_cve_id("CVE-2016-9381"); script_name(english:"FreeBSD : xen-tools -- qemu incautious about shared ring processing (58685e23-ba4d-11e6-ae1b-002590263bf5)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "The Xen Project reports : The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Specifically data on the rings shared between qemu and the hypervisor (which the guest under control can obtain mappings of) can be fetched twice (during which time the guest can alter the contents) possibly leading to arbitrary code execution in qemu. Malicious administrators can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process. In a system not using a device model stub domain (or other techniques for deprivileging qemu), malicious guest administrators can thus elevate their privilege to that of the host." ); script_set_attribute( attribute:"see_also", value:"https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=214936" ); script_set_attribute( attribute:"see_also", value:"https://xenbits.xen.org/xsa/advisory-197.html" ); # https://vuxml.freebsd.org/freebsd/58685e23-ba4d-11e6-ae1b-002590263bf5.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?ecaba224" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:xen-tools"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/22"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/04"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"xen-tools<4.7.1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2020-1430.NASL description According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.(CVE-2020-8608) - This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.(CVE-2019-11135) - tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.(CVE-2020-7039) - ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.(CVE-2019-14378) - Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.(CVE-2015-5239) - Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.(CVE-2015-5745) - The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets.(CVE-2015-5278) - The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.(CVE-2015-6815) - Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.(CVE-2015-5279) - Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.(CVE-2016-7161) - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information.(CVE-2013-4544) - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.(CVE-2015-4037) - hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash.(CVE-2015-6855) - hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.(CVE-2015-7295) - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.(CVE-2015-7549) - The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list.(CVE-2015-8345) - Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client.(CVE-2015-8504) - The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.(CVE-2015-8558) - Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption).(CVE-2015-8567) - Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly.(CVE-2015-8568) - Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command.(CVE-2015-8613) - Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.(CVE-2016-1568) - QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS.(CVE-2016-2198) - The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.(CVE-2016-2391) - The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet.(CVE-2016-2392) - Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.(CVE-2016-2538) - The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control.(CVE-2016-2841) - QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.(CVE-2016-2858) - Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.(CVE-2016-4001) - Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.(CVE-2016-4002) - The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558.(CVE-2016-4037) - The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.(CVE-2016-4453) - The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read.(CVE-2016-4454) - The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.(CVE-2016-6834) - The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.(CVE-2016-6835) - The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.(CVE-2016-6836) - Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.(CVE-2016-6888) - Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.(CVE-2016-7116) - The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.(CVE-2016-7421) - The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.(CVE-2016-7908) - The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0.(CVE-2016-7909) - The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.(CVE-2016-8576) - The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.(CVE-2016-8669) - The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.(CVE-2016-8909) - The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.(CVE-2016-8910) - Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number.(CVE-2016-9102) - The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them.(CVE-2016-9103) - Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access.(CVE-2016-9104) - Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object.(CVE-2016-9105) - Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector.(CVE-2016-9106) - Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a last seen 2020-05-06 modified 2020-04-15 plugin id 135559 published 2020-04-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135559 title EulerOS 2.0 SP3 : qemu-kvm (EulerOS-SA-2020-1430) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-720.NASL description Multiple vulnerabilities have been discovered in the Xen hypervisor. The Common Vulnerabilities and Exposures project identifies the following problems : CVE-2016-9379, CVE-2016-9380 (XSA-198) pygrub, the boot loader emulator, fails to quote (or sanity check) its results when reporting them to its caller. A malicious guest administrator can obtain the contents of sensitive host files CVE-2016-9381 (XSA-197) The compiler can emit optimizations in qemu which can lead to double fetch vulnerabilities. Malicious administrators can exploit this vulnerability to take over the qemu process, elevating its privilege to that of the qemu process. CVE-2016-9382 (XSA-192) LDTR, just like TR, is purely a protected mode facility. Hence even when switching to a VM86 mode task, LDTR loading needs to follow protected mode semantics. A malicious unprivileged guest process can crash or escalate its privilege to that of the guest operating system. CVE-2016-9383 (XSA-195) When Xen needs to emulate some instruction, to efficiently handle the emulation, the memory address and register operand are recalculated internally to Xen. In this process, the high bits of an intermediate expression were discarded, leading to both the memory location and the register operand being wrong. A malicious guest can modify arbitrary memory. CVE-2016-9386 (XSA-191) The Xen x86 emulator erroneously failed to consider the unusability of segments when performing memory accesses. An unprivileged guest user program may be able to elevate its privilege to that of the guest operating system. For Debian 7 last seen 2020-03-17 modified 2016-11-25 plugin id 95296 published 2016-11-25 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95296 title Debian DLA-720-1 : xen security update NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-5.NASL description This updates xen to version 4.4.4_06 to fix the following issues : - An unprivileged user in a guest could gain guest could escalate privilege to that of the guest kernel, if it had could invoke the instruction emulator. Only 64-bit x86 HVM guest were affected. Linux guest have not been vulnerable. (boo#1016340, CVE-2016-10013) - An unprivileged user in a 64 bit x86 guest could gain information from the host, crash the host or gain privilege of the host (boo#1009107, CVE-2016-9383) - An unprivileged guest process could (unintentionally or maliciously) obtain or ocorrupt sensitive information of other programs in the same guest. Only x86 HVM guests have been affected. The attacker needs to be able to trigger the Xen instruction emulator. (boo#1000106, CVE-2016-7777) - A guest on x86 systems could read small parts of hypervisor stack data (boo#1012651, CVE-2016-9932) - A malicious guest kernel could hang or crash the host system (boo#1014298, CVE-2016-10024) - A malicious guest administrator could escalate their privilege to that of the host. Only affects x86 HVM guests using qemu older version 1.6.0 or using the qemu-xen-traditional. (boo#1011652, CVE-2016-9637) - An unprivileged guest user could escalate privilege to that of the guest administrator on x86 HVM guests, especially on Intel CPUs (boo#1009100, CVE-2016-9386) - An unprivileged guest user could escalate privilege to that of the guest administrator (on AMD CPUs) or crash the system (on Intel CPUs) on 32-bit x86 HVM guests. Only guest operating systems that allowed a new task to start in VM86 mode were affected. (boo#1009103, CVE-2016-9382) - A malicious guest administrator could crash the host on x86 PV guests only (boo#1009104, CVE-2016-9385) - A malicious guest administrator could get privilege of the host emulator process on x86 HVM guests. (boo#1009109, CVE-2016-9381) - A vulnerability in pygrub allowed a malicious guest administrator to obtain the contents of sensitive host files, or even delete those files (boo#1009111, CVE-2016-9379, CVE-2016-9380) - A privileged guest user could cause an infinite loop in the RTL8139 ethernet emulation to consume CPU cycles on the host, causing a DoS situation (boo#1007157, CVE-2016-8910) - A privileged guest user could cause an infinite loop in the intel-hda sound emulation to consume CPU cycles on the host, causing a DoS situation (boo#1007160, CVE-2016-8909) - A privileged guest user could cause a crash of the emulator process on the host by exploiting a divide by zero vulnerability of the JAZZ RC4030 chipset emulation (boo#1005004 CVE-2016-8667) - A privileged guest user could cause a crash of the emulator process on the host by exploiting a divide by zero issue of the 16550A UART emulation (boo#1005005, CVE-2016-8669) - A privileged guest user could cause an infinite loop in the USB xHCI emulation, causing a DoS situation on the host (boo#1004016, CVE-2016-8576) - A privileged guest user could cause an infinite loop in the ColdFire Fash Ethernet Controller emulation, causing a DoS situation on the host (boo#1003030, CVE-2016-7908) - A privileged guest user could cause an infinite loop in the AMD PC-Net II emulation, causing a DoS situation on the host (boo#1003032, CVE-2016-7909) - Cause a reload of clvm in the block-dmmd script to avoid a blocking lvchange call (boo#1002496) - Also unplug SCSI disks in qemu-xen-traditional for upstream unplug protocol. Before a single SCSI storage devices added to HVM guests could appear multiple times in the guest. (boo#953518) - Fix a kernel panic / black screen when trying to boot a XEN kernel on some UEFI firmwares (boo#1000195) last seen 2020-06-05 modified 2017-01-03 plugin id 96253 published 2017-01-03 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96253 title openSUSE Security Update : xen (openSUSE-2017-5) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-0127-1.NASL description qemu was updated to fix several issues. These security issues were fixed : - CVE-2016-9102: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number (bsc#1014256). - CVE-2016-9103: The v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values writing to them (bsc#1007454). - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in last seen 2020-06-01 modified 2020-06-02 plugin id 96529 published 2017-01-16 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96529 title SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:0127-1) NASL family Fedora Local Security Checks NASL id FEDORA_2017-12394E2CC7.NASL description - CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) - CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) - CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) - CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) - CVE-2016-8910: rtl8139: infinite loop while transmit in C+ mode (bz #1388047) - CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) - Infinite loop vulnerability in a9_gtimer_update (bz #1388300) - CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) - CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) - CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) - CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) - CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) - CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) - CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) - CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) - CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) - CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) - CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) - CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) - CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) - CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) - CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-01-26 plugin id 96782 published 2017-01-26 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96782 title Fedora 24 : 2:qemu (2017-12394e2cc7) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-4.NASL description This updates xen to version 4.5.5 to fix the following issues : - An unprivileged user in a guest could gain guest could escalate privilege to that of the guest kernel, if it had could invoke the instruction emulator. Only 64-bit x86 HVM guest were affected. Linux guest have not been vulnerable. (boo#1016340, CVE-2016-10013) - An unprivileged user in a 64 bit x86 guest could gain information from the host, crash the host or gain privilege of the host (boo#1009107, CVE-2016-9383) - An unprivileged guest process could (unintentionally or maliciously) obtain or ocorrupt sensitive information of other programs in the same guest. Only x86 HVM guests have been affected. The attacker needs to be able to trigger the Xen instruction emulator. (boo#1000106, CVE-2016-7777) - A guest on x86 systems could read small parts of hypervisor stack data (boo#1012651, CVE-2016-9932) - A malicious guest kernel could hang or crash the host system (boo#1014298, CVE-2016-10024) - The epro100 emulated network device caused a memory leak in the host when unplugged in the guest. A privileged user in the guest could use this to cause a DoS on the host or potentially crash the guest process on the host (boo#1013668, CVE-2016-9101) - The ColdFire Fast Ethernet Controller was vulnerable to an infinite loop that could be trigged by a privileged user in the guest, leading to DoS (boo#1013657, CVE-2016-9776) - A malicious guest administrator could escalate their privilege to that of the host. Only affects x86 HVM guests using qemu older version 1.6.0 or using the qemu-xen-traditional. (boo#1011652, CVE-2016-9637) - An unprivileged guest user could escalate privilege to that of the guest administrator on x86 HVM guests, especially on Intel CPUs (boo#1009100, CVE-2016-9386) - An unprivileged guest user could escalate privilege to that of the guest administrator (on AMD CPUs) or crash the system (on Intel CPUs) on 32-bit x86 HVM guests. Only guest operating systems that allowed a new task to start in VM86 mode were affected. (boo#1009103, CVE-2016-9382) - A malicious guest administrator could crash the host on x86 PV guests only (boo#1009104, CVE-2016-9385) - An unprivileged guest user was able to crash the guest. (boo#1009108, CVE-2016-9377, CVE-2016-9378) - A malicious guest administrator could get privilege of the host emulator process on x86 HVM guests. (boo#1009109, CVE-2016-9381) - A vulnerability in pygrub allowed a malicious guest administrator to obtain the contents of sensitive host files, or even delete those files (boo#1009111, CVE-2016-9379, CVE-2016-9380) - A privileged guest user could cause an infinite loop in the RTL8139 ethernet emulation to consume CPU cycles on the host, causing a DoS situation (boo#1007157, CVE-2016-8910) - A privileged guest user could cause an infinite loop in the intel-hda sound emulation to consume CPU cycles on the host, causing a DoS situation (boo#1007160, CVE-2016-8909) - A privileged guest user could cause a crash of the emulator process on the host by exploiting a divide by zero vulnerability of the JAZZ RC4030 chipset emulation (boo#1005004 CVE-2016-8667) - A privileged guest user could cause a crash of the emulator process on the host by exploiting a divide by zero issue of the 16550A UART emulation (boo#1005005, CVE-2016-8669) - A privileged guest user could cause a memory leak in the USB EHCI emulation, causing a DoS situation on the host (boo#1003870, CVE-2016-7995) - A privileged guest user could cause an infinite loop in the USB xHCI emulation, causing a DoS situation on the host (boo#1004016, CVE-2016-8576) - A privileged guest user could cause an infinite loop in the ColdFire Fash Ethernet Controller emulation, causing a DoS situation on the host (boo#1003030, CVE-2016-7908) - A privileged guest user could cause an infinite loop in the AMD PC-Net II emulation, causing a DoS situation on the host (boo#1003032, CVE-2016-7909) - Cause a reload of clvm in the block-dmmd script to avoid a blocking lvchange call (boo#1002496) last seen 2020-06-05 modified 2017-01-03 plugin id 96252 published 2017-01-03 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96252 title openSUSE Security Update : xen (openSUSE-2017-4) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201612-56.NASL description The remote host is affected by the vulnerability described in GLSA-201612-56 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly execute arbitrary code with the privileges of the process, could gain privileges on the host system, cause a Denial of Service condition, or obtain sensitive information. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 96231 published 2017-01-03 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96231 title GLSA-201612-56 : Xen: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2016-68B71978A1.NASL description xen : various security flaws (#1397383) x86 null segments not always treated as unusable [XSA-191, CVE-2016-9386] x86 task switch to VM86 mode mis-handled [XSA-192, CVE-2016-9382] x86 segment base write emulation lacking canonical address checks [XSA-193, CVE-2016-9385] x86 64-bit bit test instruction emulation broken [XSA-195, CVE-2016-9383] x86 software interrupt injection mis-handled [XSA-196, CVE-2016-9377, CVE-2016-9378] qemu incautious about shared ring processing [XSA-197, CVE-2016-9381] delimiter injection vulnerabilities in pygrub [XSA-198, CVE-2016-9379, CVE-2016-9380] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-12-05 plugin id 95491 published 2016-12-05 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95491 title Fedora 23 : xen (2016-68b71978a1) NASL family Fedora Local Security Checks NASL id FEDORA_2017-B953D4D3A4.NASL description - CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) - CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) - CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) - CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) - CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) - Infinite loop vulnerability in a9_gtimer_update (bz #1388300) - CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) - CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) - CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) - CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) - CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) - CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) - CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) - CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) - CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) - CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) - CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) - CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) - CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) - CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) - CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-01-23 plugin id 96677 published 2017-01-23 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96677 title Fedora 25 : 2:qemu (2017-b953d4d3a4) NASL family Fedora Local Security Checks NASL id FEDORA_2016-95C104A4C6.NASL description xen : various security flaws (#1397383) x86 null segments not always treated as unusable [XSA-191, CVE-2016-9386] x86 task switch to VM86 mode mis-handled [XSA-192, CVE-2016-9382] x86 segment base write emulation lacking canonical address checks [XSA-193, CVE-2016-9385] x86 64-bit bit test instruction emulation broken [XSA-195, CVE-2016-9383] x86 software interrupt injection mis-handled [XSA-196, CVE-2016-9377, CVE-2016-9378] qemu incautious about shared ring processing [XSA-197, CVE-2016-9381] delimiter injection vulnerabilities in pygrub [XSA-198, CVE-2016-9379, CVE-2016-9380] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-12-05 plugin id 95492 published 2016-12-05 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95492 title Fedora 24 : xen (2016-95c104a4c6) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3067-1.NASL description xen was updated to version 4.7.1 to fix 17 security issues. These security issues were fixed : - CVE-2016-9637: ioport array overflow allowing a malicious guest administrator can escalate their privilege to that of the host (bsc#1011652). - CVE-2016-9386: x86 null segments were not always treated as unusable allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploit of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100). - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103). - CVE-2016-9385: x86 segment base write emulation lacked canonical address checks, allowing a malicious guest administrator to crash the host (bsc#1009104). - CVE-2016-9384: Guest 32-bit ELF symbol table load leaking host data to unprivileged guest users (bsc#1009105). - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory leading to arbitray code execution (bsc#1009107). - CVE-2016-9377: x86 software interrupt injection was mis-handled, allowing an unprivileged guest user to crash the guest (bsc#1009108). - CVE-2016-9378: x86 software interrupt injection was mis-handled, allowing an unprivileged guest user to crash the guest (bsc#1009108) - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109). - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111). - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111). - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106). - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157). - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004). - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005). - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030). - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 95709 published 2016-12-12 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95709 title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:3067-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3273-1.NASL description This update for xen fixes several issues. These security issues were fixed : - CVE-2016-9637: ioport array overflow allowing a malicious guest administrator can escalate their privilege to that of the host (bsc#1011652) - CVE-2016-9386: x86 null segments were not always treated as unusable allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploit of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100) - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103) - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory leading to arbitray code execution (bsc#1009107) - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109) - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111) - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111) - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106) - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157) - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position (bsc#1007160) - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004) - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005) - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030) - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 96150 published 2016-12-27 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96150 title SUSE SLES11 Security Update : xen (SUSE-SU-2016:3273-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-116.NASL description qemu was updated to fix several issues. These security issues were fixed : - CVE-2016-9102: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number (bsc#1014256). - CVE-2016-9103: The v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values writing to them (bsc#1007454). - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in last seen 2020-06-05 modified 2017-01-19 plugin id 96623 published 2017-01-19 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/96623 title openSUSE Security Update : qemu (openSUSE-2017-116) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2431.NASL description According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a last seen 2020-05-08 modified 2019-12-04 plugin id 131585 published 2019-12-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131585 title EulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2019-2431) NASL family Misc. NASL id XEN_SERVER_XSA-198.NASL description According to its self-reported version number, the Xen hypervisor installed on the remote host is missing a security update. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the inject_swint() function in x86_emulate.c due to improper handling of the format of IDT lookups when emulating instructions which generate software interrupts. A guest attacker can exploit this to crash the host, resulting in a denial of service condition. (CVE-2016-9377) - A flaw exists in the svm_inject_trap() function in svm.c due to a failure to properly perform IDT privilege checks when emulating instructions which generate software interrupts. A guest attacker can exploit this to crash the host, resulting in a denial of service condition. (CVE-2016-9378) - A flaw exists in the sniff_netware() function in file tools/pygrub/src/pygrub due to improper handling of string quotes and S-expressions in the bootloader when the S-expressions output format is requested. A guest attacker can exploit this to cause the bootloader configuration file to produce incorrect output, resulting in the disclosure or deletion of files from the host. (CVE-2016-9379) - A flaw exists in the sniff_netware() function in file tools/pygrub/src/pygrub due to improper handling of NULL bytes in the bootloader when the null-delimited output format is requested. A guest attacker can exploit this to cause configuration files to output ambiguous or confusing results, resulting in the disclosure or deletion of files from the host. (CVE-2016-9380) - A double-fetch flaw exists that is triggered when the compiler omits QEMU optimizations. A guest attacker can exploit this to gain elevated privileges on the host. (CVE-2016-9381) - A flaw exists in the hvm_task_switch() function in hvm.c due to improper handling of x86 task switching to VM86 mode. A guest attacker can exploit this to cause a denial of service condition or gain elevated privileges within the guest environment. (CVE-2016-9382) - A flaw exists in the x86_emulate() function in x86_emulate.c that allows a guest attacker to cause changes to memory and thereby gain elevated privileges on the host. (CVE-2016-9383) - A flaw exists that is triggered as unused bytes in image metadata are not properly cleared during symbol table loading. This may allow a guest attacker to disclose potentially sensitive information from the host. (CVE-2016-9384) - A flaw exists due to improper clearing of unused bytes in image metadata during symbol table loading. A guest attacker can exploit this to disclose sensitive information from the host. (CVE-2016-9384) - A flaw exists in the x86 segment base write emulation due to a lack of canonical address checks. A guest attacker can exploit this issue to crash the host, resulting in a denial of service condition. (CVE-2016-9385) - A flaw exists in the x86 emulator due to improper validation of the usability of segments when performing memory accesses. A guest attacker can exploit this to gain elevated privileges within the guest environment. (CVE-2016-9386) Note that Nessus has checked the changeset versions based on the xen.git change log. Nessus did not check guest hardware configurations or if patches were applied manually to the source code before a recompile and reinstall. last seen 2020-06-01 modified 2020-06-02 plugin id 95630 published 2016-12-08 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95630 title Xen Multiple Vulnerabilities (XSA-191 - XSA-198) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3174-1.NASL description This update for xen fixes several issues. These security issues were fixed : - CVE-2016-9637: ioport array overflow allowing a malicious guest administrator can escalate their privilege to that of the host (bsc#1011652) - CVE-2016-9386: x86 null segments were not always treated as unusable allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploit of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100) - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103) - CVE-2016-9385: x86 segment base write emulation lacked canonical address checks, allowing a malicious guest administrator to crash the host (bsc#1009104) - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory leading to arbitray code execution (bsc#1009107) - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109) - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111) - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111) - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106) - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157) - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position (bsc#1007160) - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004) - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005) - CVE-2016-8576: The xhci_ring_fetch function in hw/usb/hcd-xhci.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process (bsc#1004016) - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030) - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 96032 published 2016-12-20 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96032 title SUSE SLES11 Security Update : xen (SUSE-SU-2016:3174-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3083-1.NASL description This update for xen to version 4.5.5 fixes several issues. These security issues were fixed : - CVE-2016-9637: ioport array overflow allowing a malicious guest administrator can escalate their privilege to that of the host (bsc#1011652) - CVE-2016-9386: x86 null segments were not always treated as unusable allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploit of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100) - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103) - CVE-2016-9385: x86 segment base write emulation lacked canonical address checks, allowing a malicious guest administrator to crash the host (bsc#1009104) - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory leading to arbitray code execution (bsc#1009107) - CVE-2016-9378: x86 software interrupt injection was mis-handled, allowing an unprivileged guest user to crash the guest (bsc#1009108) - CVE-2016-9377: x86 software interrupt injection was mis-handled, allowing an unprivileged guest user to crash the guest (bsc#1009108) - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109) - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111) - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111) - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106) - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157) - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position (bsc#1007160). - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004) - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005) - CVE-2016-7995: A memory leak in ehci_process_itd allowed a privileged user inside guest to DoS the host (bsc#1003870). - CVE-2016-8576: The xhci_ring_fetch function in hw/usb/hcd-xhci.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process (bsc#1004016). - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030) - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 95761 published 2016-12-13 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95761 title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:3083-1) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3261-1.NASL description Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10028, CVE-2016-10029) Li Qiang discovered that QEMU incorrectly handled the 6300esb watchdog. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-10155) Li Qiang discovered that QEMU incorrectly handled the i.MX Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7907) It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8667) It was discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8669) It was discovered that QEMU incorrectly handled the shared rings when used with Xen. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. (CVE-2016-9381) Jann Horn discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to access files on the host file system outside of the shared directory and possibly escalate their privileges. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9602) Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA device when being used with a VNC connection. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9603) It was discovered that QEMU incorrectly handled the ColdFire Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9776) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9845, CVE-2016-9908) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9846, CVE-2016-9912, CVE-2017-5552, CVE-2017-5578, CVE-2017-5857) Li Qiang discovered that QEMU incorrectly handled the USB redirector. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9907) Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9911) Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916) Qinghao Tang, Li Qiang, and Jiangxin discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9921, CVE-2016-9922) Wjjzhang and Li Qiang discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2615) It was discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2620) It was discovered that QEMU incorrectly handled VNC connections. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-2633) Li Qiang discovered that QEMU incorrectly handled the ac97 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5525) Li Qiang discovered that QEMU incorrectly handled the es1370 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5526) Li Qiang discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5579) Jiang Xin discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-5667) Li Qiang discovered that QEMU incorrectly handled the MegaRAID SAS device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5856) Li Qiang discovered that QEMU incorrectly handled the CCID Card device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5898) Li Qiang discovered that QEMU incorrectly handled USB xHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5973) Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5987) Li Qiang discovered that QEMU incorrectly handled USB OHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-6505). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 99581 published 2017-04-21 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99581 title Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : qemu vulnerabilities (USN-3261-1) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2016-0165.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0165 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 95279 published 2016-11-23 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95279 title OracleVM 3.3 : xen (OVMSA-2016-0165) NASL family Misc. NASL id CITRIX_XENSERVER_CTX218775.NASL description The version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the sniff_netware() function within file tools/pygrub/src/pygrub when handling string quotes and S-expressions in the bootloader whenever the S-expressions output format is requested. A guest attacker can exploit this to cause the bootloader configuration file to produce incorrect output, resulting in the disclosure or deletion of files from the host. (CVE-2016-9379) - A flaw exists in the sniff_netware() function within file tools/pygrub/src/pygrub when handling NULL bytes in the bootloader whenever the null-delimited output format is requested. A guest attacker can exploit this to cause configuration files to output ambiguous or confusing results, resulting in the disclosure or deletion of files from the host. (CVE-2016-9380) - A double-fetch flaw exists that is triggered when the compiler omits QEMU optimizations. A guest attacker can exploit this to gain elevated privileges on the host. (CVE-2016-9381) - A flaw exists in the hvm_task_switch() function within file arch/x86/hvm/hvm.c due to improper handling of x86 task switching to VM86 mode. A guest attacker can exploit this to cause a denial of service condition or gain elevated privileges within the guest environment. (CVE-2016-9382) - A flaw exists in the x86_emulate() function within file arch/x86/x86_emulate/x86_emulate.c that allows a guest attacker to cause changes to memory and thereby gain elevated privileges on the host. (CVE-2016-9383) - A denial of service vulnerability exists in the x86 segment base write emulation that is related to lacking canonical address checks. A local attacker who has administrative rights within a guest can exploit this issue to crash the host. (CVE-2016-9385) - A flaw exists in the x86 emulator due to improper checking of the usability of segments when performing memory accesses. A guest attacker can exploit this to gain elevated privileges. (CVE-2016-9386) last seen 2020-06-01 modified 2020-06-02 plugin id 95539 published 2016-12-05 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95539 title Citrix XenServer Multiple Vulnerabilities (CTX218775) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3156-1.NASL description This update for xen fixes several issues. These security issues were fixed : - CVE-2016-9637: ioport array overflow allowing a malicious guest administrator can escalate their privilege to that of the host (bsc#1011652) - CVE-2016-9386: x86 null segments were not always treated as unusable allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploit of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100) - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103) - CVE-2016-9385: x86 segment base write emulation lacked canonical address checks, allowing a malicious guest administrator to crash the host (bsc#1009104) - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory leading to arbitray code execution (bsc#1009107) - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109) - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111) - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111) - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106) - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157) - CVE-2016-8909: The intel_hda_xfer function in hw/audio/intel-hda.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position (bsc#1007160) - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004) - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005) - CVE-2016-8576: The xhci_ring_fetch function in hw/usb/hcd-xhci.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process (bsc#1004016) - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030) - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 95822 published 2016-12-14 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95822 title SUSE SLES12 Security Update : xen (SUSE-SU-2016:3156-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-3044-1.NASL description xen was updated to fix several security issues. These security issues were fixed : - CVE-2016-9637: ioport array overflow allowing a malicious guest administrator can escalate their privilege to that of the host (bsc#1011652). - CVE-2016-9386: x86 null segments were not always treated as unusable allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploit of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100) - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103) - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory leading to arbitray code execution (bsc#1009107) - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109) - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111) - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111) - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106) - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157) - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004) - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005) - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030) - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032) - CVE-2016-6351: The esp_do_dma function in hw/scsi/esp.c, when built with ESP/NCR53C9x controller emulation support, allowed local guest OS administrators to cause a denial of service (out-of-bounds write and QEMU process crash) or execute arbitrary code on the host via vectors involving DMA read into ESP command buffer (bsc#990843) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 95624 published 2016-12-08 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95624 title SUSE SLES11 Security Update : xen (SUSE-SU-2016:3044-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1477.NASL description xen was updated to version 4.7.1 to fix 17 security issues. These security issues were fixed : - CVE-2016-9637: ioport array overflow allowing a malicious guest administrator can escalate their privilege to that of the host (bsc#1011652). - CVE-2016-9386: x86 null segments were not always treated as unusable allowing an unprivileged guest user program to elevate its privilege to that of the guest operating system. Exploit of this vulnerability is easy on Intel and more complicated on AMD (bsc#1009100). - CVE-2016-9382: x86 task switch to VM86 mode was mis-handled, allowing a unprivileged guest process to escalate its privilege to that of the guest operating system on AMD hardware. On Intel hardware a malicious unprivileged guest process can crash the guest (bsc#1009103). - CVE-2016-9385: x86 segment base write emulation lacked canonical address checks, allowing a malicious guest administrator to crash the host (bsc#1009104). - CVE-2016-9384: Guest 32-bit ELF symbol table load leaking host data to unprivileged guest users (bsc#1009105). - CVE-2016-9383: The x86 64-bit bit test instruction emulation was broken, allowing a guest to modify arbitrary memory leading to arbitray code execution (bsc#1009107). - CVE-2016-9377: x86 software interrupt injection was mis-handled, allowing an unprivileged guest user to crash the guest (bsc#1009108). - CVE-2016-9378: x86 software interrupt injection was mis-handled, allowing an unprivileged guest user to crash the guest (bsc#1009108) - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109). - CVE-2016-9379: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111). - CVE-2016-9380: Delimiter injection vulnerabilities in pygrub allowed guest administrators to obtain the contents of sensitive host files or delete the files (bsc#1009111). - CVE-2016-7777: Xen did not properly honor CR0.TS and CR0.EM, which allowed local x86 HVM guest OS users to read or modify FPU, MMX, or XMM register state information belonging to arbitrary tasks on the guest by modifying an instruction while the hypervisor is preparing to emulate it (bsc#1000106). - CVE-2016-8910: The rtl8139_cplus_transmit function in hw/net/rtl8139.c allowed local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count (bsc#1007157). - CVE-2016-8667: The rc4030_write function in hw/dma/rc4030.c in allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via a large interval timer reload value (bsc#1005004). - CVE-2016-8669: The serial_update_parameters function in hw/char/serial.c allowed local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base (bsc#1005005). - CVE-2016-7908: The mcf_fec_do_tx function in hw/net/mcf_fec.c did not properly limit the buffer descriptor count when transmitting packets, which allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags (bsc#1003030). - CVE-2016-7909: The pcnet_rdra_addr function in hw/net/pcnet.c allowed local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0 (bsc#1003032). These non-security issues were fixed : - bsc#1004981: Xen RPM didn last seen 2020-06-05 modified 2016-12-16 plugin id 95910 published 2016-12-16 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/95910 title openSUSE Security Update : xen (openSUSE-2016-1477) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2016-0166.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2016-0166 for details. last seen 2020-06-01 modified 2020-06-02 plugin id 95280 published 2016-11-23 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95280 title OracleVM 3.2 : xen (OVMSA-2016-0166) NASL family Fedora Local Security Checks NASL id FEDORA_2016-999E1A6927.NASL description xen : various security flaws (#1397383) x86 null segments not always treated as unusable [XSA-191, CVE-2016-9386] x86 task switch to VM86 mode mis-handled [XSA-192, CVE-2016-9382] x86 segment base write emulation lacking canonical address checks [XSA-193, CVE-2016-9385] guest 32-bit ELF symbol table load leaking host data [XSA-194, CVE-2016-9384] x86 64-bit bit test instruction emulation broken [XSA-195, CVE-2016-9383] x86 software interrupt injection mis-handled [XSA-196, CVE-2016-9377, CVE-2016-9378] qemu incautious about shared ring processing [XSA-197, CVE-2016-9381] delimiter injection vulnerabilities in pygrub [XSA-198, CVE-2016-9379, CVE-2016-9380] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-12-05 plugin id 95493 published 2016-12-05 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95493 title Fedora 25 : xen (2016-999e1a6927)