Vulnerabilities > CVE-2016-9776 - Infinite Loop vulnerability in multiple products

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
qemu
debian
CWE-835
nessus

Summary

QEMU (aka Quick Emulator) built with the ColdFire Fast Ethernet Controller emulator support is vulnerable to an infinite loop issue. It could occur while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could use this issue to crash the QEMU process on the host leading to DoS.

Vulnerable Configurations

Part Description Count
Application
Qemu
230
OS
Debian
1

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0661-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a memory leakage issue allowing a privileged user to leak host memory resulting in DoS (bsc#1023053) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id97696
    published2017-03-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97696
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2017:0661-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:0661-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97696);
      script_version("3.16");
      script_cvs_date("Date: 2019/09/11 11:22:15");
    
      script_cve_id("CVE-2016-10155", "CVE-2016-9776", "CVE-2016-9907", "CVE-2016-9911", "CVE-2016-9921", "CVE-2016-9922", "CVE-2017-2615", "CVE-2017-2620", "CVE-2017-5667", "CVE-2017-5856", "CVE-2017-5898");
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"SUSE SLES12 Security Update : qemu (SUSE-SU-2017:0661-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for qemu fixes several issues. These security issues were
    fixed :
    
      - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the
        bitblit copy routine cirrus_bitblt_cputovideo failed to
        check the memory region, allowing for an out-of-bounds
        write that allows for privilege escalation (bsc#1024972)
    
      - CVE-2017-2615: An error in the bitblt copy operation
        could have allowed a malicious guest administrator to
        cause an out of bounds memory access, possibly leading
        to information disclosure or privilege escalation
        (bsc#1023004)
    
      - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter
        emulation support was vulnerable to a memory leakage
        issue allowing a privileged user to leak host memory
        resulting in DoS (bsc#1023053)
    
      - CVE-2016-9776: The ColdFire Fast Ethernet Controller
        emulator support was vulnerable to an infinite loop
        issue while receiving packets in 'mcf_fec_receive'. A
        privileged user/process inside guest could have used
        this issue to crash the Qemu process on the host leading
        to DoS (bsc#1013285)
    
      - CVE-2016-9911: The USB EHCI Emulation support was
        vulnerable to a memory leakage issue while processing
        packet data in 'ehci_init_transfer'. A guest
        user/process could have used this issue to leak host
        memory, resulting in DoS for the host (bsc#1014111)
    
      - CVE-2016-9907: The USB redirector usb-guest support was
        vulnerable to a memory leakage flaw when destroying the
        USB redirector in 'usbredir_handle_destroy'. A guest
        user/process could have used this issue to leak host
        memory, resulting in DoS for a host (bsc#1014109)
    
      - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support
        was vulnerable to a divide by zero issue while copying
        VGA data. A privileged user inside guest could have used
        this flaw to crash the process instance on the host,
        resulting in DoS (bsc#1014702)
    
      - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support
        was vulnerable to a divide by zero issue while copying
        VGA data. A privileged user inside guest could have used
        this flaw to crash the process instance on the host,
        resulting in DoS (bsc#1014702)
    
      - CVE-2017-5667: The SDHCI device emulation support was
        vulnerable to an OOB heap access issue allowing a
        privileged user inside the guest to crash the Qemu
        process resulting in DoS or potentially execute
        arbitrary code with privileges of the Qemu process on
        the host (bsc#1022541)
    
      - CVE-2017-5898: The CCID Card device emulator support was
        vulnerable to an integer overflow allowing a privileged
        user inside the guest to crash the Qemu process
        resulting in DoS (bnc#1023907)
    
      - CVE-2016-10155: The i6300esb watchdog emulation support
        was vulnerable to a memory leakage issue allowing a
        privileged user inside the guest to leak memory on the
        host resulting in DoS (bnc#1021129)
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013285"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014702"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1015048"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1015169"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1016779"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1021129"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1022541"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1023004"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1023053"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1023907"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1024972"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10155/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9776/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9907/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9911/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9921/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9922/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2615/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2620/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5667/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5856/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5898/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20170661-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?35846804"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server for SAP 12:zypper in -t patch
    SUSE-SLE-SAP-12-2017-366=1
    
    SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-2017-366=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-block-rbd-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-block-rbd-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-x86-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-x86-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"s390x", reference:"qemu-s390-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"s390x", reference:"qemu-s390-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-block-curl-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-block-curl-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-debugsource-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-guest-agent-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-guest-agent-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-lang-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-tools-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-tools-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-kvm-2.0.2-48.31.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-CDB53B04E0.NASL
    descriptionQemu: net: mcf_fec: infinite loop while receiving data in mcf_fec_receive [CVE-2016-9776] Qemu: audio: memory leakage in ac97 [CVE-2017-5525] Qemu: audio: memory leakage in es1370 device [CVE-2017-5526] oob access in cirrus bitblt copy [XSA-208, CVE-2017-2615] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-02-15
    plugin id97179
    published2017-02-15
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97179
    titleFedora 25 : xen (2017-cdb53b04e0)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-cdb53b04e0.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97179);
      script_version("3.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-9776", "CVE-2017-2615", "CVE-2017-5525", "CVE-2017-5526");
      script_xref(name:"FEDORA", value:"2017-cdb53b04e0");
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"Fedora 25 : xen (2017-cdb53b04e0)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Qemu: net: mcf_fec: infinite loop while receiving data in
    mcf_fec_receive [CVE-2016-9776] Qemu: audio: memory leakage in ac97
    [CVE-2017-5525] Qemu: audio: memory leakage in es1370 device
    [CVE-2017-5526] oob access in cirrus bitblt copy [XSA-208,
    CVE-2017-2615]
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-cdb53b04e0"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"xen-4.7.1-7.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-589.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a memory leakage issue allowing a privileged user to leak host memory resulting in DoS (bsc#1023053) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-05
    modified2017-05-17
    plugin id100232
    published2017-05-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100232
    titleopenSUSE Security Update : qemu (openSUSE-2017-589)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0127-1.NASL
    descriptionqemu was updated to fix several issues. These security issues were fixed : - CVE-2016-9102: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number (bsc#1014256). - CVE-2016-9103: The v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values writing to them (bsc#1007454). - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id96529
    published2017-01-16
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96529
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:0127-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-12394E2CC7.NASL
    description - CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) - CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) - CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) - CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) - CVE-2016-8910: rtl8139: infinite loop while transmit in C+ mode (bz #1388047) - CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) - Infinite loop vulnerability in a9_gtimer_update (bz #1388300) - CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) - CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) - CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) - CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) - CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) - CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) - CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) - CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) - CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) - CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) - CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) - CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) - CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) - CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) - CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-26
    plugin id96782
    published2017-01-26
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96782
    titleFedora 24 : 2:qemu (2017-12394e2cc7)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-4.NASL
    descriptionThis updates xen to version 4.5.5 to fix the following issues : - An unprivileged user in a guest could gain guest could escalate privilege to that of the guest kernel, if it had could invoke the instruction emulator. Only 64-bit x86 HVM guest were affected. Linux guest have not been vulnerable. (boo#1016340, CVE-2016-10013) - An unprivileged user in a 64 bit x86 guest could gain information from the host, crash the host or gain privilege of the host (boo#1009107, CVE-2016-9383) - An unprivileged guest process could (unintentionally or maliciously) obtain or ocorrupt sensitive information of other programs in the same guest. Only x86 HVM guests have been affected. The attacker needs to be able to trigger the Xen instruction emulator. (boo#1000106, CVE-2016-7777) - A guest on x86 systems could read small parts of hypervisor stack data (boo#1012651, CVE-2016-9932) - A malicious guest kernel could hang or crash the host system (boo#1014298, CVE-2016-10024) - The epro100 emulated network device caused a memory leak in the host when unplugged in the guest. A privileged user in the guest could use this to cause a DoS on the host or potentially crash the guest process on the host (boo#1013668, CVE-2016-9101) - The ColdFire Fast Ethernet Controller was vulnerable to an infinite loop that could be trigged by a privileged user in the guest, leading to DoS (boo#1013657, CVE-2016-9776) - A malicious guest administrator could escalate their privilege to that of the host. Only affects x86 HVM guests using qemu older version 1.6.0 or using the qemu-xen-traditional. (boo#1011652, CVE-2016-9637) - An unprivileged guest user could escalate privilege to that of the guest administrator on x86 HVM guests, especially on Intel CPUs (boo#1009100, CVE-2016-9386) - An unprivileged guest user could escalate privilege to that of the guest administrator (on AMD CPUs) or crash the system (on Intel CPUs) on 32-bit x86 HVM guests. Only guest operating systems that allowed a new task to start in VM86 mode were affected. (boo#1009103, CVE-2016-9382) - A malicious guest administrator could crash the host on x86 PV guests only (boo#1009104, CVE-2016-9385) - An unprivileged guest user was able to crash the guest. (boo#1009108, CVE-2016-9377, CVE-2016-9378) - A malicious guest administrator could get privilege of the host emulator process on x86 HVM guests. (boo#1009109, CVE-2016-9381) - A vulnerability in pygrub allowed a malicious guest administrator to obtain the contents of sensitive host files, or even delete those files (boo#1009111, CVE-2016-9379, CVE-2016-9380) - A privileged guest user could cause an infinite loop in the RTL8139 ethernet emulation to consume CPU cycles on the host, causing a DoS situation (boo#1007157, CVE-2016-8910) - A privileged guest user could cause an infinite loop in the intel-hda sound emulation to consume CPU cycles on the host, causing a DoS situation (boo#1007160, CVE-2016-8909) - A privileged guest user could cause a crash of the emulator process on the host by exploiting a divide by zero vulnerability of the JAZZ RC4030 chipset emulation (boo#1005004 CVE-2016-8667) - A privileged guest user could cause a crash of the emulator process on the host by exploiting a divide by zero issue of the 16550A UART emulation (boo#1005005, CVE-2016-8669) - A privileged guest user could cause a memory leak in the USB EHCI emulation, causing a DoS situation on the host (boo#1003870, CVE-2016-7995) - A privileged guest user could cause an infinite loop in the USB xHCI emulation, causing a DoS situation on the host (boo#1004016, CVE-2016-8576) - A privileged guest user could cause an infinite loop in the ColdFire Fash Ethernet Controller emulation, causing a DoS situation on the host (boo#1003030, CVE-2016-7908) - A privileged guest user could cause an infinite loop in the AMD PC-Net II emulation, causing a DoS situation on the host (boo#1003032, CVE-2016-7909) - Cause a reload of clvm in the block-dmmd script to avoid a blocking lvchange call (boo#1002496)
    last seen2020-06-05
    modified2017-01-03
    plugin id96252
    published2017-01-03
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96252
    titleopenSUSE Security Update : xen (openSUSE-2017-4)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1497.NASL
    descriptionSeveral vulnerabilities were found in qemu, a fast processor emulator : CVE-2015-8666 Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator CVE-2016-2198 NULL pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service CVE-2016-6833 Use after free while writing in the vmxnet3 device that could be used to cause a denial of service CVE-2016-6835 Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service CVE-2016-8576 Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support CVE-2016-8667 / CVE-2016-8669 Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service CVE-2016-9602 Improper link following with VirtFS CVE-2016-9603 Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support CVE-2016-9776 Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator CVE-2016-9907 Memory leakage in the USB redirector usb-guest support CVE-2016-9911 Memory leakage in ehci_init_transfer in the USB EHCI support CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916 Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver CVE-2016-9921 / CVE-2016-9922 Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support CVE-2016-10155 Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations. CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718 Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service CVE-2017-5525 / CVE-2017-5526 Memory leakage issues in the ac97 and es1370 device emulation CVE-2017-5579 Most memory leakage in the 16550A UART emulation CVE-2017-5667 Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support. CVE-2017-5715 Mitigations against the Spectre v2 vulnerability. For more information please refer to https://www.qemu.org/2018/01/04/spectre/ CVE-2017-5856 Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505 Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list CVE-2017-7377 9pfs: host memory leakage via v9fs_create CVE-2017-7493 Improper access control issues in the host directory sharing via 9pfs support. CVE-2017-7980 Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service CVE-2017-8086 9pfs: host memory leakage via v9pfs_list_xattr CVE-2017-8112 Infinite loop in the VMWare PVSCSI emulation CVE-2017-8309 / CVE-2017-8379 Host memory leakage issues via the audio capture buffer and the keyboard input event handlers CVE-2017-9330 Infinite loop due to incorrect return value in USB OHCI that may result in denial of service CVE-2017-9373 / CVE-2017-9374 Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service CVE-2017-9503 NULL pointer dereference while processing megasas command CVE-2017-10806 Stack buffer overflow in USB redirector CVE-2017-10911 Xen disk may leak stack data via response ring CVE-2017-11434 Out-of-bounds read while parsing Slirp/DHCP options CVE-2017-14167 Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code CVE-2017-15038 9pfs: information disclosure when reading extended attributes CVE-2017-15289 Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service CVE-2017-16845 Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration CVE-2017-18043 Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service CVE-2018-7550 Incorrect handling of memory during multiboot that could may result in execution of arbitrary code For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id117351
    published2018-09-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117351
    titleDebian DLA-1497-1 : qemu security update (Spectre)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-B953D4D3A4.NASL
    description - CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) - CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) - CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) - CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) - CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) - Infinite loop vulnerability in a9_gtimer_update (bz #1388300) - CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) - CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) - CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) - CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) - CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) - CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) - CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) - CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) - CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) - CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) - CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) - CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) - CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) - CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) - CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-23
    plugin id96677
    published2017-01-23
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96677
    titleFedora 25 : 2:qemu (2017-b953d4d3a4)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0718-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2016-10155: The virtual hardware watchdog
    last seen2020-06-01
    modified2020-06-02
    plugin id97828
    published2017-03-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97828
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2017:0718-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-49.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-49 (QEMU: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact : A privileged user/process within a guest QEMU environment can cause a Denial of Service condition against the QEMU guest process or the host. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96684
    published2017-01-23
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96684
    titleGLSA-201701-49 : QEMU: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-116.NASL
    descriptionqemu was updated to fix several issues. These security issues were fixed : - CVE-2016-9102: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number (bsc#1014256). - CVE-2016-9103: The v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values writing to them (bsc#1007454). - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-05
    modified2017-01-19
    plugin id96623
    published2017-01-19
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96623
    titleopenSUSE Security Update : qemu (openSUSE-2017-116)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0647-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025188) - CVE-2016-10155: The virtual hardware watchdog
    last seen2020-06-01
    modified2020-06-02
    plugin id97657
    published2017-03-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97657
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2017:0647-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0570-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025188). - CVE-2016-10155: The virtual hardware watchdog
    last seen2020-06-01
    modified2020-06-02
    plugin id97432
    published2017-02-28
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97432
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:0570-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1241-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a memory leakage issue allowing a privileged user to leak host memory resulting in DoS (bsc#1023053) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id100149
    published2017-05-12
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100149
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:1241-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-3084-1.NASL
    descriptionThis update for kvm fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id104780
    published2017-11-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104780
    titleSUSE SLES11 Security Update : kvm (SUSE-SU-2017:3084-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-D4EE7018C1.NASL
    descriptionmemory leak when destroying guest without PT devices [XSA-207] (#1422492) update patches for XSA-208 after upstream revision (no functional change) ---- Qemu: net: mcf_fec: infinite loop while receiving data in mcf_fec_receive [CVE-2016-9776] Qemu: audio: memory leakage in ac97 [CVE-2017-5525] (#1414111) Qemu: audio: memory leakage in es1370 device [CVE-2017-5526] (#1414211) oob access in cirrus bitblt copy [XSA-208, CVE-2017-2615] (#1418243) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-02-28
    plugin id97430
    published2017-02-28
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97430
    titleFedora 24 : xen (2017-d4ee7018c1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3261-1.NASL
    descriptionZhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10028, CVE-2016-10029) Li Qiang discovered that QEMU incorrectly handled the 6300esb watchdog. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-10155) Li Qiang discovered that QEMU incorrectly handled the i.MX Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7907) It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8667) It was discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8669) It was discovered that QEMU incorrectly handled the shared rings when used with Xen. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. (CVE-2016-9381) Jann Horn discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to access files on the host file system outside of the shared directory and possibly escalate their privileges. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9602) Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA device when being used with a VNC connection. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9603) It was discovered that QEMU incorrectly handled the ColdFire Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9776) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9845, CVE-2016-9908) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9846, CVE-2016-9912, CVE-2017-5552, CVE-2017-5578, CVE-2017-5857) Li Qiang discovered that QEMU incorrectly handled the USB redirector. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9907) Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9911) Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916) Qinghao Tang, Li Qiang, and Jiangxin discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9921, CVE-2016-9922) Wjjzhang and Li Qiang discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2615) It was discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2620) It was discovered that QEMU incorrectly handled VNC connections. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-2633) Li Qiang discovered that QEMU incorrectly handled the ac97 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5525) Li Qiang discovered that QEMU incorrectly handled the es1370 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5526) Li Qiang discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5579) Jiang Xin discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-5667) Li Qiang discovered that QEMU incorrectly handled the MegaRAID SAS device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5856) Li Qiang discovered that QEMU incorrectly handled the CCID Card device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5898) Li Qiang discovered that QEMU incorrectly handled USB xHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5973) Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5987) Li Qiang discovered that QEMU incorrectly handled USB OHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-6505). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99581
    published2017-04-21
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99581
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 : qemu vulnerabilities (USN-3261-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0582-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025188) - CVE-2016-10155: The virtual hardware watchdog
    last seen2020-06-01
    modified2020-06-02
    plugin id97467
    published2017-03-01
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97467
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2017:0582-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1135-1.NASL
    descriptionThis update for kvm fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id99758
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99758
    titleSUSE SLES11 Security Update : kvm (SUSE-SU-2017:1135-1)