Vulnerabilities > CVE-2016-9845 - Information Exposure vulnerability in Qemu

047910
CVSS 6.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
local
low complexity
qemu
CWE-200
nessus

Summary

QEMU (aka Quick Emulator) built with the Virtio GPU Device emulator support is vulnerable to an information leakage issue. It could occur while processing 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command. A guest user/process could use this flaw to leak contents of the host memory bytes.

Vulnerable Configurations

Part Description Count
Application
Qemu
230

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0127-1.NASL
    descriptionqemu was updated to fix several issues. These security issues were fixed : - CVE-2016-9102: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number (bsc#1014256). - CVE-2016-9103: The v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values writing to them (bsc#1007454). - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id96529
    published2017-01-16
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96529
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:0127-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:0127-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96529);
      script_version("3.9");
      script_cvs_date("Date: 2019/09/11 11:22:14");
    
      script_cve_id("CVE-2016-9102", "CVE-2016-9103", "CVE-2016-9381", "CVE-2016-9776", "CVE-2016-9845", "CVE-2016-9846", "CVE-2016-9907", "CVE-2016-9908", "CVE-2016-9911", "CVE-2016-9912", "CVE-2016-9913", "CVE-2016-9921", "CVE-2016-9922");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:0127-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "qemu was updated to fix several issues. These security issues were
    fixed :
    
      - CVE-2016-9102: Memory leak in the v9fs_xattrcreate
        function in hw/9pfs/9p.c in allowed local guest OS
        administrators to cause a denial of service (memory
        consumption and QEMU process crash) via a large number
        of Txattrcreate messages with the same fid number
        (bsc#1014256).
    
      - CVE-2016-9103: The v9fs_xattrcreate function in
        hw/9pfs/9p.c in allowed local guest OS administrators to
        obtain sensitive host heap memory information by reading
        xattribute values writing to them (bsc#1007454).
    
      - CVE-2016-9381: Improper processing of shared rings
        allowing guest administrators take over the qemu
        process, elevating their privilege to that of the qemu
        process (bsc#1009109)
    
      - CVE-2016-9776: The ColdFire Fast Ethernet Controller
        emulator support was vulnerable to an infinite loop
        issue while receiving packets in 'mcf_fec_receive'. A
        privileged user/process inside guest could have used
        this issue to crash the Qemu process on the host leading
        to DoS (bsc#1013285).
    
      - CVE-2016-9845: The Virtio GPU Device emulator support as
        vulnerable to an information leakage issue while
        processing the 'VIRTIO_GPU_CMD_GET_CAPSET_INFO' command.
        A guest user/process could have used this flaw to leak
        contents of the host memory (bsc#1013767).
    
      - CVE-2016-9846: The Virtio GPU Device emulator support
        was vulnerable to a memory leakage issue while updating
        the cursor data in update_cursor_data_virgl. A guest
        user/process could have used this flaw to leak host
        memory bytes, resulting in DoS for the host
        (bsc#1013764).
    
      - CVE-2016-9907: The USB redirector usb-guest support was
        vulnerable to a memory leakage flaw when destroying the
        USB redirector in 'usbredir_handle_destroy'. A guest
        user/process could have used this issue to leak host
        memory, resulting in DoS for a host (bsc#1014109).
    
      - CVE-2016-9908: The Virtio GPU Device emulator support
        was vulnerable to an information leakage issue while
        processing the 'VIRTIO_GPU_CMD_GET_CAPSET' command. A
        guest user/process could have used this flaw to leak
        contents of the host memory (bsc#1014514).
    
      - CVE-2016-9911: The USB EHCI Emulation support was
        vulnerable to a memory leakage issue while processing
        packet data in 'ehci_init_transfer'. A guest
        user/process could have used this issue to leak host
        memory, resulting in DoS for the host (bsc#1014111).
    
      - CVE-2016-9912: The Virtio GPU Device emulator support
        was vulnerable to a memory leakage issue while
        destroying gpu resource object in
        'virtio_gpu_resource_destroy'. A guest user/process
        could have used this flaw to leak host memory bytes,
        resulting in DoS for the host (bsc#1014112).
    
      - CVE-2016-9913: VirtFS was vulnerable to memory leakage
        issue via its '9p-handle' or '9p-proxy' backend drivers.
        A privileged user inside guest could have used this flaw
        to leak host memory, thus affecting other services on
        the host and/or potentially crash the Qemu process on
        the host (bsc#1014110).
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1007454"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1008519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1009109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013285"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013341"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013764"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013767"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014110"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014112"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014256"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014514"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1016779"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=937125"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9102/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9103/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9381/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9776/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9845/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9846/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9907/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9908/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9911/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9912/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9913/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9921/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9922/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20170127-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?3d1d0fff"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2017-68=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2017-68=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2017-68=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-ssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/16");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-curl-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-curl-debuginfo-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-ssh-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-ssh-debuginfo-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-debugsource-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-guest-agent-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-guest-agent-debuginfo-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-lang-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-tools-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-tools-debuginfo-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-rbd-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-rbd-debuginfo-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-kvm-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-x86-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-block-curl-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-block-curl-debuginfo-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-debugsource-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-kvm-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-tools-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-tools-debuginfo-2.6.2-39.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-x86-2.6.2-39.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-12394E2CC7.NASL
    description - CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) - CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) - CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) - CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) - CVE-2016-8910: rtl8139: infinite loop while transmit in C+ mode (bz #1388047) - CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) - Infinite loop vulnerability in a9_gtimer_update (bz #1388300) - CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) - CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) - CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) - CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) - CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) - CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) - CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) - CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) - CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) - CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) - CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) - CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) - CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) - CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) - CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-26
    plugin id96782
    published2017-01-26
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96782
    titleFedora 24 : 2:qemu (2017-12394e2cc7)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-12394e2cc7.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96782);
      script_version("3.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-10028", "CVE-2016-6836", "CVE-2016-7909", "CVE-2016-7994", "CVE-2016-8577", "CVE-2016-8578", "CVE-2016-8668", "CVE-2016-8669", "CVE-2016-8909", "CVE-2016-8910", "CVE-2016-9101", "CVE-2016-9102", "CVE-2016-9103", "CVE-2016-9104", "CVE-2016-9105", "CVE-2016-9106", "CVE-2016-9381", "CVE-2016-9776", "CVE-2016-9845", "CVE-2016-9846", "CVE-2016-9907", "CVE-2016-9908", "CVE-2016-9911", "CVE-2016-9912", "CVE-2016-9913", "CVE-2016-9921");
      script_xref(name:"FEDORA", value:"2017-12394e2cc7");
    
      script_name(english:"Fedora 24 : 2:qemu (2017-12394e2cc7)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - CVE-2016-6836: vmxnet: Information leakage in
        vmxnet3_complete_packet (bz #1366370)
    
      - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr
        (bz #1381196)
    
      - CVE-2016-7994: virtio-gpu: memory leak in
        resource_create_2d (bz #1382667)
    
      - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read
        (bz #1383286)
    
      - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs
        routines (bz #1383292)
    
      - CVE-2016-8668: OOB buffer access in rocker switch
        emulation (bz #1384898)
    
      - CVE-2016-8669: divide by zero error in
        serial_update_parameters (bz #1384911)
    
      - CVE-2016-8910: rtl8139: infinite loop while transmit in
        C+ mode (bz #1388047)
    
      - CVE-2016-8909: intel-hda: infinite loop in dma buffer
        stream (bz #1388053)
    
      - Infinite loop vulnerability in a9_gtimer_update (bz
        #1388300)
    
      - CVE-2016-9101: eepro100: memory leakage at device unplug
        (bz #1389539)
    
      - CVE-2016-9103: 9pfs: information leakage via xattr (bz
        #1389643)
    
      - CVE-2016-9102: 9pfs: memory leakage when creating
        extended attribute (bz #1389551)
    
      - CVE-2016-9104: 9pfs: integer overflow leading to OOB
        access (bz #1389687)
    
      - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz
        #1389704)
    
      - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz
        #1389713)
    
      - CVE-2016-9381: xen: incautious about shared ring
        processing (bz #1397385)
    
      - CVE-2016-9921: Divide by zero vulnerability in
        cirrus_do_copy (bz #1399054)
    
      - CVE-2016-9776: infinite loop while receiving data in
        mcf_fec_receive (bz #1400830)
    
      - CVE-2016-9845: information leakage in
        virgl_cmd_get_capset_info (bz #1402247)
    
      - CVE-2016-9846: virtio-gpu: memory leakage while updating
        cursor data (bz #1402258)
    
      - CVE-2016-9907: usbredir: memory leakage when destroying
        redirector (bz #1402266)
    
      - CVE-2016-9911: usb: ehci: memory leakage in
        ehci_init_transfer (bz #1402273)
    
      - CVE-2016-9913: 9pfs: memory leakage via proxy/handle
        callbacks (bz #1402277)
    
      - CVE-2016-10028: virtio-gpu-3d: OOB access while reading
        virgl capabilities (bz #1406368)
    
      - CVE-2016-9908: virtio-gpu: information leakage in
        virgl_cmd_get_capset (bz #1402263)
    
      - CVE-2016-9912: virtio-gpu: memory leakage when
        destroying gpu resource (bz #1402285)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-12394e2cc7"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 2:qemu package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:qemu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC24", reference:"qemu-2.6.2-6.fc24", epoch:"2")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:qemu");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-B953D4D3A4.NASL
    description - CVE-2016-6836: vmxnet: Information leakage in vmxnet3_complete_packet (bz #1366370) - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr (bz #1381196) - CVE-2016-7994: virtio-gpu: memory leak in resource_create_2d (bz #1382667) - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read (bz #1383286) - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs routines (bz #1383292) - CVE-2016-8668: OOB buffer access in rocker switch emulation (bz #1384898) - CVE-2016-8669: divide by zero error in serial_update_parameters (bz #1384911) - CVE-2016-8909: intel-hda: infinite loop in dma buffer stream (bz #1388053) - Infinite loop vulnerability in a9_gtimer_update (bz #1388300) - CVE-2016-9101: eepro100: memory leakage at device unplug (bz #1389539) - CVE-2016-9103: 9pfs: information leakage via xattr (bz #1389643) - CVE-2016-9102: 9pfs: memory leakage when creating extended attribute (bz #1389551) - CVE-2016-9104: 9pfs: integer overflow leading to OOB access (bz #1389687) - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz #1389704) - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz #1389713) - CVE-2016-9381: xen: incautious about shared ring processing (bz #1397385) - CVE-2016-9921: Divide by zero vulnerability in cirrus_do_copy (bz #1399054) - CVE-2016-9776: infinite loop while receiving data in mcf_fec_receive (bz #1400830) - CVE-2016-9845: information leakage in virgl_cmd_get_capset_info (bz #1402247) - CVE-2016-9846: virtio-gpu: memory leakage while updating cursor data (bz #1402258) - CVE-2016-9907: usbredir: memory leakage when destroying redirector (bz #1402266) - CVE-2016-9911: usb: ehci: memory leakage in ehci_init_transfer (bz #1402273) - CVE-2016-9913: 9pfs: memory leakage via proxy/handle callbacks (bz #1402277) - CVE-2016-10028: virtio-gpu-3d: OOB access while reading virgl capabilities (bz #1406368) - CVE-2016-9908: virtio-gpu: information leakage in virgl_cmd_get_capset (bz #1402263) - CVE-2016-9912: virtio-gpu: memory leakage when destroying gpu resource (bz #1402285) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-01-23
    plugin id96677
    published2017-01-23
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96677
    titleFedora 25 : 2:qemu (2017-b953d4d3a4)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-b953d4d3a4.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(96677);
      script_version("3.6");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-10028", "CVE-2016-6836", "CVE-2016-7909", "CVE-2016-7994", "CVE-2016-8577", "CVE-2016-8578", "CVE-2016-8668", "CVE-2016-8669", "CVE-2016-8909", "CVE-2016-9101", "CVE-2016-9102", "CVE-2016-9103", "CVE-2016-9104", "CVE-2016-9105", "CVE-2016-9106", "CVE-2016-9381", "CVE-2016-9776", "CVE-2016-9845", "CVE-2016-9846", "CVE-2016-9907", "CVE-2016-9908", "CVE-2016-9911", "CVE-2016-9912", "CVE-2016-9913", "CVE-2016-9921");
      script_xref(name:"FEDORA", value:"2017-b953d4d3a4");
    
      script_name(english:"Fedora 25 : 2:qemu (2017-b953d4d3a4)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - CVE-2016-6836: vmxnet: Information leakage in
        vmxnet3_complete_packet (bz #1366370)
    
      - CVE-2016-7909: pcnet: Infinite loop in pcnet_rdra_addr
        (bz #1381196)
    
      - CVE-2016-7994: virtio-gpu: memory leak in
        resource_create_2d (bz #1382667)
    
      - CVE-2016-8577: 9pfs: host memory leakage in v9fs_read
        (bz #1383286)
    
      - CVE-2016-8578: 9pfs: potential NULL dereferencein 9pfs
        routines (bz #1383292)
    
      - CVE-2016-8668: OOB buffer access in rocker switch
        emulation (bz #1384898)
    
      - CVE-2016-8669: divide by zero error in
        serial_update_parameters (bz #1384911)
    
      - CVE-2016-8909: intel-hda: infinite loop in dma buffer
        stream (bz #1388053)
    
      - Infinite loop vulnerability in a9_gtimer_update (bz
        #1388300)
    
      - CVE-2016-9101: eepro100: memory leakage at device unplug
        (bz #1389539)
    
      - CVE-2016-9103: 9pfs: information leakage via xattr (bz
        #1389643)
    
      - CVE-2016-9102: 9pfs: memory leakage when creating
        extended attribute (bz #1389551)
    
      - CVE-2016-9104: 9pfs: integer overflow leading to OOB
        access (bz #1389687)
    
      - CVE-2016-9105: 9pfs: memory leakage in v9fs_link (bz
        #1389704)
    
      - CVE-2016-9106: 9pfs: memory leakage in v9fs_write (bz
        #1389713)
    
      - CVE-2016-9381: xen: incautious about shared ring
        processing (bz #1397385)
    
      - CVE-2016-9921: Divide by zero vulnerability in
        cirrus_do_copy (bz #1399054)
    
      - CVE-2016-9776: infinite loop while receiving data in
        mcf_fec_receive (bz #1400830)
    
      - CVE-2016-9845: information leakage in
        virgl_cmd_get_capset_info (bz #1402247)
    
      - CVE-2016-9846: virtio-gpu: memory leakage while updating
        cursor data (bz #1402258)
    
      - CVE-2016-9907: usbredir: memory leakage when destroying
        redirector (bz #1402266)
    
      - CVE-2016-9911: usb: ehci: memory leakage in
        ehci_init_transfer (bz #1402273)
    
      - CVE-2016-9913: 9pfs: memory leakage via proxy/handle
        callbacks (bz #1402277)
    
      - CVE-2016-10028: virtio-gpu-3d: OOB access while reading
        virgl capabilities (bz #1406368)
    
      - CVE-2016-9908: virtio-gpu: information leakage in
        virgl_cmd_get_capset (bz #1402263)
    
      - CVE-2016-9912: virtio-gpu: memory leakage when
        destroying gpu resource (bz #1402285)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-b953d4d3a4"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 2:qemu package."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:qemu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/01/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/23");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"qemu-2.7.1-2.fc25", epoch:"2")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:qemu");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201701-49.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201701-49 (QEMU: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact : A privileged user/process within a guest QEMU environment can cause a Denial of Service condition against the QEMU guest process or the host. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id96684
    published2017-01-23
    reporterThis script is Copyright (C) 2017 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96684
    titleGLSA-201701-49 : QEMU: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-116.NASL
    descriptionqemu was updated to fix several issues. These security issues were fixed : - CVE-2016-9102: Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number (bsc#1014256). - CVE-2016-9103: The v9fs_xattrcreate function in hw/9pfs/9p.c in allowed local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values writing to them (bsc#1007454). - CVE-2016-9381: Improper processing of shared rings allowing guest administrators take over the qemu process, elevating their privilege to that of the qemu process (bsc#1009109) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-05
    modified2017-01-19
    plugin id96623
    published2017-01-19
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/96623
    titleopenSUSE Security Update : qemu (openSUSE-2017-116)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3261-1.NASL
    descriptionZhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10028, CVE-2016-10029) Li Qiang discovered that QEMU incorrectly handled the 6300esb watchdog. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-10155) Li Qiang discovered that QEMU incorrectly handled the i.MX Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7907) It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8667) It was discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8669) It was discovered that QEMU incorrectly handled the shared rings when used with Xen. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. (CVE-2016-9381) Jann Horn discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to access files on the host file system outside of the shared directory and possibly escalate their privileges. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9602) Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA device when being used with a VNC connection. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9603) It was discovered that QEMU incorrectly handled the ColdFire Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9776) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9845, CVE-2016-9908) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9846, CVE-2016-9912, CVE-2017-5552, CVE-2017-5578, CVE-2017-5857) Li Qiang discovered that QEMU incorrectly handled the USB redirector. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9907) Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9911) Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916) Qinghao Tang, Li Qiang, and Jiangxin discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9921, CVE-2016-9922) Wjjzhang and Li Qiang discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2615) It was discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2620) It was discovered that QEMU incorrectly handled VNC connections. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-2633) Li Qiang discovered that QEMU incorrectly handled the ac97 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5525) Li Qiang discovered that QEMU incorrectly handled the es1370 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5526) Li Qiang discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5579) Jiang Xin discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-5667) Li Qiang discovered that QEMU incorrectly handled the MegaRAID SAS device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5856) Li Qiang discovered that QEMU incorrectly handled the CCID Card device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5898) Li Qiang discovered that QEMU incorrectly handled USB xHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5973) Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5987) Li Qiang discovered that QEMU incorrectly handled USB OHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-6505). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99581
    published2017-04-21
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99581
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 : qemu vulnerabilities (USN-3261-1)