Vulnerabilities > CVE-2017-10664

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
qemu
debian
redhat
nessus

Summary

qemu-nbd in QEMU (aka Quick Emulator) does not ignore SIGPIPE, which allows remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt.

Vulnerable Configurations

Part Description Count
Application
Qemu
245
Application
Redhat
8
OS
Debian
2
OS
Redhat
14

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1070.NASL
    descriptionMultiple vulnerabilities were discovered in qemu, a fast processor emulator. The Common Vulnerabilities and Exposures project identifies the following problems : CVE-2017-6505 Denial of service via infinite loop in the USB OHCI emulation CVE-2017-8309 Denial of service via VNC audio capture CVE-2017-10664 Denial of service in qemu-nbd server, qemu-io and qemu-img CVE-2017-11434 Denial of service via a crafted DHCP options string For Debian 7
    last seen2020-03-17
    modified2017-08-29
    plugin id102804
    published2017-08-29
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102804
    titleDebian DLA-1070-1 : qemu security update
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1070-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102804);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2017-10664", "CVE-2017-11434", "CVE-2017-6505", "CVE-2017-8309");
    
      script_name(english:"Debian DLA-1070-1 : qemu security update");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Multiple vulnerabilities were discovered in qemu, a fast processor
    emulator. The Common Vulnerabilities and Exposures project identifies
    the following problems :
    
    CVE-2017-6505
    
    Denial of service via infinite loop in the USB OHCI emulation
    
    CVE-2017-8309
    
    Denial of service via VNC audio capture
    
    CVE-2017-10664
    
    Denial of service in qemu-nbd server, qemu-io and qemu-img
    
    CVE-2017-11434
    
    Denial of service via a crafted DHCP options string
    
    For Debian 7 'Wheezy', these problems have been fixed in version
    1.1.2+dfsg-6+deb7u23.
    
    We recommend that you upgrade your qemu packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2017/08/msg00023.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/wheezy/qemu"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-keymaps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/28");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"7.0", prefix:"qemu", reference:"1.1.2+dfsg-6+deb7u23")) flag++;
    if (deb_check(release:"7.0", prefix:"qemu-keymaps", reference:"1.1.2+dfsg-6+deb7u23")) flag++;
    if (deb_check(release:"7.0", prefix:"qemu-system", reference:"1.1.2+dfsg-6+deb7u23")) flag++;
    if (deb_check(release:"7.0", prefix:"qemu-user", reference:"1.1.2+dfsg-6+deb7u23")) flag++;
    if (deb_check(release:"7.0", prefix:"qemu-user-static", reference:"1.1.2+dfsg-6+deb7u23")) flag++;
    if (deb_check(release:"7.0", prefix:"qemu-utils", reference:"1.1.2+dfsg-6+deb7u23")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2450-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-12135: Unbounded recursion in grant table code allowed a malicious guest to crash the host or potentially escalate privileges/leak information (XSA-226, bsc#1051787). - CVE-2017-12137: Incorrectly-aligned updates to pagetables allowed for privilege escalation (XSA-227, bsc#1051788). - CVE-2017-11334: The address_space_write_continue function in exec.c allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048920). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049578). - CVE-2017-10806: Stack-based buffer overflow in hw/usb/redirect.c allowed local guest OS users to cause a denial of service via vectors related to logging debug messages (bsc#1047675). - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046637). - CVE-2017-12855: Premature clearing of GTF_writing / GTF_reading lead to potentially leaking sensitive information (XSA-230, bsc#1052686). - CVE-2017-14316: Missing bound check in function `alloc_heap_pages` for an internal array allowed attackers using crafted hypercalls to execute arbitrary code within Xen (XSA-231, bsc#1056278) - CVE-2017-14317: A race in cxenstored may have cause a double-free allowind for DoS of the xenstored daemon (XSA-233, bsc#1056281). - CVE-2017-14319: An error while handling grant mappings allowed malicious or buggy x86 PV guest to escalate its privileges or crash the hypervisor (XSA-234, bsc#1056282). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103216
    published2017-09-14
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103216
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2017:2450-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:2450-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103216);
      script_version("3.9");
      script_cvs_date("Date: 2019/09/11 11:22:16");
    
      script_cve_id("CVE-2017-10664", "CVE-2017-10806", "CVE-2017-11334", "CVE-2017-11434", "CVE-2017-12135", "CVE-2017-12137", "CVE-2017-12855", "CVE-2017-14316", "CVE-2017-14317", "CVE-2017-14319");
    
      script_name(english:"SUSE SLES11 Security Update : xen (SUSE-SU-2017:2450-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes several issues. These security issues were
    fixed :
    
      - CVE-2017-12135: Unbounded recursion in grant table code
        allowed a malicious guest to crash the host or
        potentially escalate privileges/leak information
        (XSA-226, bsc#1051787).
    
      - CVE-2017-12137: Incorrectly-aligned updates to
        pagetables allowed for privilege escalation (XSA-227,
        bsc#1051788).
    
      - CVE-2017-11334: The address_space_write_continue
        function in exec.c allowed local guest OS privileged
        users to cause a denial of service (out-of-bounds access
        and guest instance crash) by leveraging use of
        qemu_map_ram_ptr to access guest ram block area
        (bsc#1048920).
    
      - CVE-2017-11434: The dhcp_decode function in
        slirp/bootp.c allowed local guest OS users to cause a
        denial of service (out-of-bounds read) via a crafted
        DHCP options string (bsc#1049578).
    
      - CVE-2017-10806: Stack-based buffer overflow in
        hw/usb/redirect.c allowed local guest OS users to cause
        a denial of service via vectors related to logging debug
        messages (bsc#1047675).
    
      - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which
        allowed remote attackers to cause a denial of service
        (daemon crash) by disconnecting during a
        server-to-client reply attempt (bsc#1046637).
    
      - CVE-2017-12855: Premature clearing of GTF_writing /
        GTF_reading lead to potentially leaking sensitive
        information (XSA-230, bsc#1052686).
    
      - CVE-2017-14316: Missing bound check in function
        `alloc_heap_pages` for an internal array allowed
        attackers using crafted hypercalls to execute arbitrary
        code within Xen (XSA-231, bsc#1056278)
    
      - CVE-2017-14317: A race in cxenstored may have cause a
        double-free allowind for DoS of the xenstored daemon
        (XSA-233, bsc#1056281).
    
      - CVE-2017-14319: An error while handling grant mappings
        allowed malicious or buggy x86 PV guest to escalate its
        privileges or crash the hypervisor (XSA-234,
        bsc#1056282).
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1032598"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1037413"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1046637"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1047675"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1048920"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1049578"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1051787"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1051788"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1052686"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1056278"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1056281"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1056282"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-10664/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-10806/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-11334/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-11434/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-12135/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-12137/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-12855/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-14316/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-14317/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-14319/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20172450-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?70bea784"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
    patch sdksp4-xen-13281=1
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-xen-13281=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-xen-13281=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/07/25");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "i386|i486|i586|i686|x86_64") audit(AUDIT_ARCH_NOT, "i386 / i486 / i586 / i686 / x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-kmp-default-4.4.4_22_3.0.101_108.7-61.9.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-libs-4.4.4_22-61.9.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-tools-domU-4.4.4_22-61.9.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-4.4.4_22-61.9.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-doc-html-4.4.4_22-61.9.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-libs-32bit-4.4.4_22-61.9.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-tools-4.4.4_22-61.9.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-kmp-pae-4.4.4_22_3.0.101_108.7-61.9.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-kmp-default-4.4.4_22_3.0.101_108.7-61.9.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-libs-4.4.4_22-61.9.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-tools-domU-4.4.4_22-61.9.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-kmp-pae-4.4.4_22_3.0.101_108.7-61.9.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170815_QEMU_KVM_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - Quick Emulator (QEMU) built with the Network Block Device (NBD) Server support is vulnerable to a crash via a SIGPIPE signal. The crash can occur if a client aborts a connection due to any failure during negotiation or read operation. A remote user/process could use this flaw to crash the qemu-nbd server resulting in a DoS. (CVE-2017-10664)
    last seen2020-03-18
    modified2017-08-22
    plugin id102671
    published2017-08-22
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102671
    titleScientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20170815)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text is (C) Scientific Linux.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102671);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25");
    
      script_cve_id("CVE-2017-10664");
    
      script_name(english:"Scientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20170815)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Scientific Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security Fix(es) :
    
      - Quick Emulator (QEMU) built with the Network Block
        Device (NBD) Server support is vulnerable to a crash via
        a SIGPIPE signal. The crash can occur if a client aborts
        a connection due to any failure during negotiation or
        read operation. A remote user/process could use this
        flaw to crash the qemu-nbd server resulting in a DoS.
        (CVE-2017-10664)"
      );
      # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1708&L=scientific-linux-errata&F=&S=&P=3130
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?c19ff378"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:qemu-img");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:qemu-kvm-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:qemu-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:qemu-kvm-tools");
      script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/08/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Scientific Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
    os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"qemu-img-1.5.3-141.el7_4.1")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"qemu-kvm-1.5.3-141.el7_4.1")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"qemu-kvm-common-1.5.3-141.el7_4.1")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"qemu-kvm-debuginfo-1.5.3-141.el7_4.1")) flag++;
    if (rpm_check(release:"SL7", cpu:"x86_64", reference:"qemu-kvm-tools-1.5.3-141.el7_4.1")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-img / qemu-kvm / qemu-kvm-common / qemu-kvm-debuginfo / etc");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3414-1.NASL
    descriptionLeo Gaspard discovered that QEMU incorrectly handled VirtFS access control. A guest attacker could use this issue to elevate privileges inside the guest. (CVE-2017-7493) Li Qiang discovered that QEMU incorrectly handled VMware PVSCSI emulation. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources or crash, resulting in a denial of service. (CVE-2017-8112) It was discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly to obtain sensitive host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-8380) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9060) Li Qiang discovered that QEMU incorrectly handled the e1000e device. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9310) Li Qiang discovered that QEMU incorrectly handled USB OHCI emulation support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9330) Li Qiang discovered that QEMU incorrectly handled IDE AHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9373) Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9374) Li Qiang discovered that QEMU incorrectly handled USB xHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-9375) Zhangyanyu discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9503) It was discovered that the QEMU qemu-nbd server incorrectly handled initialization. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-9524) It was discovered that the QEMU qemu-nbd server incorrectly handled signals. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-10664) Li Qiang discovered that the QEMU USB redirector incorrectly handled logging debug messages. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-10806) Anthony Perard discovered that QEMU incorrectly handled Xen block-interface responses. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. (CVE-2017-10911) Reno Robert discovered that QEMU incorrectly handled certain DHCP options strings. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-11434) Ryan Salsamendi discovered that QEMU incorrectly handled empty CDROM device drives. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-12809). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103217
    published2017-09-14
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103217
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 : qemu vulnerabilities (USN-3414-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3414-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(103217);
      script_version("3.6");
      script_cvs_date("Date: 2019/09/18 12:31:47");
    
      script_cve_id("CVE-2017-10664", "CVE-2017-10806", "CVE-2017-10911", "CVE-2017-11434", "CVE-2017-12809", "CVE-2017-7493", "CVE-2017-8112", "CVE-2017-8380", "CVE-2017-9060", "CVE-2017-9310", "CVE-2017-9330", "CVE-2017-9373", "CVE-2017-9374", "CVE-2017-9375", "CVE-2017-9503", "CVE-2017-9524");
      script_xref(name:"USN", value:"3414-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : qemu vulnerabilities (USN-3414-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Leo Gaspard discovered that QEMU incorrectly handled VirtFS access
    control. A guest attacker could use this issue to elevate privileges
    inside the guest. (CVE-2017-7493)
    
    Li Qiang discovered that QEMU incorrectly handled VMware PVSCSI
    emulation. A privileged attacker inside the guest could use this issue
    to cause QEMU to consume resources or crash, resulting in a denial of
    service. (CVE-2017-8112)
    
    It was discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2
    Host Bus Adapter emulation support. A privileged attacker inside the
    guest could use this issue to cause QEMU to crash, resulting in a
    denial of service, or possibly to obtain sensitive host memory. This
    issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-8380)
    
    Li Qiang discovered that QEMU incorrectly handled the Virtio GPU
    device. An attacker inside the guest could use this issue to cause
    QEMU to consume resources and crash, resulting in a denial of service.
    This issue only affected Ubuntu 17.04. (CVE-2017-9060)
    
    Li Qiang discovered that QEMU incorrectly handled the e1000e device. A
    privileged attacker inside the guest could use this issue to cause
    QEMU to hang, resulting in a denial of service. This issue only
    affected Ubuntu 17.04. (CVE-2017-9310)
    
    Li Qiang discovered that QEMU incorrectly handled USB OHCI emulation
    support. An attacker inside the guest could use this issue to cause
    QEMU to crash, resulting in a denial of service. (CVE-2017-9330)
    
    Li Qiang discovered that QEMU incorrectly handled IDE AHCI emulation
    support. A privileged attacker inside the guest could use this issue
    to cause QEMU to consume resources and crash, resulting in a denial of
    service. (CVE-2017-9373)
    
    Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation
    support. A privileged attacker inside the guest could use this issue
    to cause QEMU to consume resources and crash, resulting in a denial of
    service. (CVE-2017-9374)
    
    Li Qiang discovered that QEMU incorrectly handled USB xHCI emulation
    support. A privileged attacker inside the guest could use this issue
    to cause QEMU to hang, resulting in a denial of service.
    (CVE-2017-9375)
    
    Zhangyanyu discovered that QEMU incorrectly handled MegaRAID SAS
    8708EM2 Host Bus Adapter emulation support. A privileged attacker
    inside the guest could use this issue to cause QEMU to crash,
    resulting in a denial of service. (CVE-2017-9503)
    
    It was discovered that the QEMU qemu-nbd server incorrectly handled
    initialization. A remote attacker could use this issue to cause the
    server to crash, resulting in a denial of service. (CVE-2017-9524)
    
    It was discovered that the QEMU qemu-nbd server incorrectly handled
    signals. A remote attacker could use this issue to cause the server to
    crash, resulting in a denial of service. (CVE-2017-10664)
    
    Li Qiang discovered that the QEMU USB redirector incorrectly handled
    logging debug messages. An attacker inside the guest could use this
    issue to cause QEMU to crash, resulting in a denial of service.
    (CVE-2017-10806)
    
    Anthony Perard discovered that QEMU incorrectly handled Xen
    block-interface responses. An attacker inside the guest could use this
    issue to cause QEMU to leak contents of host memory. (CVE-2017-10911)
    
    Reno Robert discovered that QEMU incorrectly handled certain DHCP
    options strings. An attacker inside the guest could use this issue to
    cause QEMU to crash, resulting in a denial of service.
    (CVE-2017-11434)
    
    Ryan Salsamendi discovered that QEMU incorrectly handled empty CDROM
    device drives. A privileged attacker inside the guest could use this
    issue to cause QEMU to crash, resulting in a denial of service. This
    issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04.
    (CVE-2017-12809).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3414-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/09/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/14");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system", pkgver:"2.0.0+dfsg-2ubuntu1.35")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-aarch64", pkgver:"2.0.0+dfsg-2ubuntu1.35")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-arm", pkgver:"2.0.0+dfsg-2ubuntu1.35")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-mips", pkgver:"2.0.0+dfsg-2ubuntu1.35")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-misc", pkgver:"2.0.0+dfsg-2ubuntu1.35")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-ppc", pkgver:"2.0.0+dfsg-2ubuntu1.35")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-sparc", pkgver:"2.0.0+dfsg-2ubuntu1.35")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-x86", pkgver:"2.0.0+dfsg-2ubuntu1.35")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system", pkgver:"1:2.5+dfsg-5ubuntu10.15")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-aarch64", pkgver:"1:2.5+dfsg-5ubuntu10.15")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-arm", pkgver:"1:2.5+dfsg-5ubuntu10.15")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-mips", pkgver:"1:2.5+dfsg-5ubuntu10.15")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-misc", pkgver:"1:2.5+dfsg-5ubuntu10.15")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-ppc", pkgver:"1:2.5+dfsg-5ubuntu10.15")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-s390x", pkgver:"1:2.5+dfsg-5ubuntu10.15")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-sparc", pkgver:"1:2.5+dfsg-5ubuntu10.15")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-x86", pkgver:"1:2.5+dfsg-5ubuntu10.15")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system", pkgver:"1:2.8+dfsg-3ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-aarch64", pkgver:"1:2.8+dfsg-3ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-arm", pkgver:"1:2.8+dfsg-3ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-mips", pkgver:"1:2.8+dfsg-3ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-misc", pkgver:"1:2.8+dfsg-3ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-ppc", pkgver:"1:2.8+dfsg-3ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-s390x", pkgver:"1:2.8+dfsg-3ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-sparc", pkgver:"1:2.8+dfsg-3ubuntu2.4")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-x86", pkgver:"1:2.8+dfsg-3ubuntu2.4")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-system / qemu-system-aarch64 / qemu-system-arm / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2339-1.NASL
    descriptionThis update for xen fixes the following issues : - CVE-2017-12855: Premature clearing of GTF_writing / GTF_reading lead to potentially leaking sensitive information (XSA-230, bsc#1052686). - CVE-2017-12135: Unbounded recursion in grant table code allowed a malicious guest to crash the host or potentially escalate privileges/leak information (XSA-226, bsc#1051787). - CVE-2017-12137: Incorrectly-aligned updates to pagetables allowed for privilege escalation (XSA-227, bsc#1051788). - CVE-2017-11334: The address_space_write_continue function in exec.c allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048920). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049578). - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046637). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102954
    published2017-09-05
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102954
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2017:2339-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2969-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-2633: The VNC display driver support was vulnerable to an out-of-bounds memory access issue. A user/process inside guest could use this flaw to cause DoS (bsc#1026612) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311) - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211) - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800) - CVE-2017-9373: The IDE AHCI Emulation support was vulnerable to a host memory leakage issue, which allowed a privileged user inside guest to leak host memory resulting in DoS (bsc#1042801) - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042159) - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037242) - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File System(9pfs) support, was vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could have used this flaw to escalate their privileges inside guest (bsc#1039495) - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper link following issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1020427) - CVE-2017-5579: The 16550A UART serial device emulation support was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1021741) - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a NULL pointer dereference issue which allowed a privileged user inside guest to crash the Qemu process on the host resulting in DoS (bsc#1043296) - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046636) - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages (bsc#1047674) - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper link following issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1020427) - CVE-2017-7377: The v9fs_create and v9fs_lcreate functions in hw/9pfs/9p.c allowed local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid (bsc#1032075) - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable (bsc#1035950) - CVE-2017-7471: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper access control issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1034866) - CVE-2016-6834: A infinite loop during packet fragmentation in the VMWARE VMXNET3 NIC device support allowed privileged user inside guest to crash the Qemu instance resulting in DoS (bsc#994418) - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC device support, causing an OOB read access (bsc#994605) - Fix privilege escalation in TCG mode (bsc#1030624) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104495
    published2017-11-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104495
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2017:2969-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2319-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-12135: Unbounded recursion in grant table code allowed a malicious guest to crash the host or potentially escalate privileges/leak information (XSA-226, bsc#1051787). - CVE-2017-12137: Incorrectly-aligned updates to pagetables allowed for privilege escalation (XSA-227, bsc#1051788). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049578). - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046637). - CVE-2017-11334: The address_space_write_continue function in exec.c allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048920). - CVE-2017-10806: Stack-based buffer overflow in hw/usb/redirect.c allowed local guest OS users to cause a denial of service via vectors related to logging debug messages (bsc#1047675). - bsc#1052686: Premature clearing of GTF_writing / GTF_reading lead to potentially leaking sensitive information (XSA-230). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102913
    published2017-09-01
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102913
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2017:2319-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1599.NASL
    descriptionSeveral vulnerabilities were found in QEMU, a fast processor emulator : CVE-2016-2391 Zuozhi Fzz discovered that eof_times in USB OHCI emulation support could be used to cause a denial of service, via a NULL pointer dereference. CVE-2016-2392 / CVE-2016-2538 Qinghao Tang found a NULL pointer dereference and multiple integer overflows in the USB Net device support that could allow local guest OS administrators to cause a denial of service. These issues related to remote NDIS control message handling. CVE-2016-2841 Yang Hongke reported an infinite loop vulnerability in the NE2000 NIC emulation support. CVE-2016-2857 Liu Ling found a flaw in QEMU IP checksum routines. Attackers could take advantage of this issue to cause QEMU to crash. CVE-2016-2858 Arbitrary stack based allocation in the Pseudo Random Number Generator (PRNG) back-end support. CVE-2016-4001 / CVE-2016-4002 Oleksandr Bazhaniuk reported buffer overflows in the Stellaris and the MIPSnet ethernet controllers emulation. Remote malicious users could use these issues to cause QEMU to crash. CVE-2016-4020 Donghai Zdh reported that QEMU incorrectly handled the access to the Task Priority Register (TPR), allowing local guest OS administrators to obtain sensitive information from host stack memory. CVE-2016-4037 Du Shaobo found an infinite loop vulnerability in the USB EHCI emulation support. CVE-2016-4439 / CVE-2016-4441 / CVE-2016-5238 / CVE-2016-5338 / CVE-2016-6351 Li Qiang found different issues in the QEMU 53C9X Fast SCSI Controller (FSC) emulation support, that made it possible for local guest OS privileged users to cause denials of service or potentially execute arbitrary code. CVE-2016-4453 / CVE-2016-4454 Li Qiang reported issues in the QEMU VMWare VGA module handling, that may be used to cause QEMU to crash, or to obtain host sensitive information. CVE-2016-4952 / CVE-2016-7421 / CVE-2016-7156 Li Qiang reported flaws in the VMware paravirtual SCSI bus emulation support. These issues concern an out-of-bounds access and infinite loops, that allowed local guest OS privileged users to cause a denial of service. CVE-2016-5105 / CVE-2016-5106 / CVE-2016-5107 / CVE-2016-5337 Li Qiang discovered several issues in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. These issues include stack information leakage while reading configuration and out-of-bounds write and read. CVE-2016-6834 Li Qiang reported an infinite loop vulnerability during packet fragmentation in the network transport abstraction layer support. Local guest OS privileged users could made use of this flaw to cause a denial of service. CVE-2016-6836 / CVE-2016-6888 Li Qiang found issues in the VMWare VMXNET3 network card emulation support, relating to information leak and integer overflow in packet initialisation. CVE-2016-7116 Felix Wilhel discovered a directory traversal flaw in the Plan 9 File System (9pfs), exploitable by local guest OS privileged users. CVE-2016-7155 Tom Victor and Li Qiang reported an out-of-bounds read and an infinite loop in the VMware paravirtual SCSI bus emulation support. CVE-2016-7161 Hu Chaojian reported a heap overflow in the xlnx.xps-ethernetlite emulation support. Privileged users in local guest OS could made use of this to cause QEMU to crash. CVE-2016-7170 Qinghao Tang and Li Qiang reported a flaw in the QEMU VMWare VGA module, that could be used by privileged user in local guest OS to cause QEMU to crash via an out-of-bounds stack memory access. CVE-2016-7908 / CVE-2016-7909 Li Qiang reported infinite loop vulnerabilities in the ColdFire Fast Ethernet Controller and the AMD PC-Net II (Am79C970A) emulations. These flaws allowed local guest OS administrators to cause a denial of service. CVE-2016-8909 Huawei PSIRT found an infinite loop vulnerability in the Intel HDA emulation support, relating to DMA buffer stream processing. Privileged users in local guest OS could made use of this to cause a denial of service. CVE-2016-8910 Andrew Henderson reported an infinite loop in the RTL8139 ethernet controller emulation support. Privileged users inside a local guest OS could made use of this to cause a denial of service. CVE-2016-9101 Li Qiang reported a memory leakage in the i8255x (PRO100) ethernet controller emulation support. CVE-2016-9102 / CVE-2016-9103 / CVE-2016-9104 / CVE-2016-9105 / CVE-2016-9106 / CVE-2016-8577 / CVE-2016-8578 Li Qiang reported various Plan 9 File System (9pfs) security issues, including host memory leakage and denial of service. CVE-2017-10664 Denial of service in the qemu-nbd (QEMU Disk Network Block Device) Server. CVE-2018-10839 / CVE-2018-17962 / CVE-2018-17963 Daniel Shapira reported several integer overflows in the packet handling in ethernet controllers emulated by QEMU. These issues could lead to denial of service. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id119310
    published2018-12-01
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119310
    titleDebian DLA-1599-1 : qemu security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2936-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-15268: Qemu allowed remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c (bsc#1062942). - CVE-2017-9524: The qemu-nbd server when built with the Network Block Device (NBD) Server support allowed remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs talking to a client in the nbd_negotiate function (bsc#1043808). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-10911: The make_response function in the Linux kernel allowed guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures (bsc#1057378) - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive (bsc#1054724) - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046636) - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages (bsc#1047674) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104429
    published2017-11-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104429
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:2936-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2946-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-10911: The make_response function in the Linux kernel allowed guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures (bsc#1057378). - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive (bsc#1054724). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311) - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211) - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800) - CVE-2017-9374: Missing free of
    last seen2020-06-01
    modified2020-06-02
    plugin id104471
    published2017-11-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104471
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2017:2946-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1072.NASL
    descriptionThis update for qemu fixes the following issues : Security issues fixed : - CVE-2017-10664: Fix DOS vulnerability in qemu-nbd (bsc#1046636) - CVE-2017-10806: Fix DOS from stack overflow in debug messages of usb redirection support (bsc#1047674) - CVE-2017-11334: Fix OOB access during DMA operation (bsc#1048902) - CVE-2017-11434: Fix OOB access parsing dhcp slirp options (bsc#1049381) Following non-security issues were fixed : - Postrequire acl for setfacl - Prerequire shadow for groupadd - The recent security fix for CVE-2017-11334 adversely affects Xen. Include two additional patches to make sure Xen is going to be OK. - Pre-add group kvm for qemu-tools (bsc#1011144) - Fixed a few more inaccuracies in the support docs. - Fix support docs to indicate ARM64 is now fully L3 supported in SLES 12 SP3. Apply a few additional clarifications in the support docs. (bsc#1050268) - Adjust to libvdeplug-devel package naming changes. - Fix migration with xhci (bsc#1048296) - Increase VNC delay to fix missing keyboard input events (bsc#1031692) - Remove build dependency package iasl used for seabios This update was imported from the SUSE:SLE-12-SP3:Update update project.
    last seen2020-06-05
    modified2017-09-18
    plugin id103292
    published2017-09-18
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103292
    titleopenSUSE Security Update : qemu (openSUSE-2017-1072)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2326-1.NASL
    descriptionThis update for xen to version 4.7.3 fixes several issues. These security issues were fixed : - CVE-2017-12135: Unbounded recursion in grant table code allowed a malicious guest to crash the host or potentially escalate privileges/leak information (XSA-226, bsc#1051787). - CVE-2017-12137: Incorrectly-aligned updates to pagetables allowed for privilege escalation (XSA-227, bsc#1051788). - CVE-2017-12136: Race conditions with maptrack free list handling allows a malicious guest administrator to crash the host or escalate their privilege to that of the host (XSA-228, bsc#1051789). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049578). - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046637). - CVE-2017-12855: Premature clearing of GTF_writing / GTF_reading lead to potentially leaking sensitive information (XSA-230 CVE-2017-12855). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102952
    published2017-09-05
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102952
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:2326-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1071.NASL
    descriptionMultiple vulnerabilities were discovered in qemu-kvm, a full virtualization solution for Linux hosts on x86 hardware with x86 guests based on the Quick Emulator(Qemu). CVE-2017-6505 Denial of service via infinite loop in the USB OHCI emulation CVE-2017-8309 Denial of service via VNC audio capture CVE-2017-10664 Denial of service in qemu-nbd server, qemu-io and qemu-img. CVE-2017-11434 Denial of service via a crafted DHCP options string For Debian 7
    last seen2020-03-17
    modified2017-08-29
    plugin id102805
    published2017-08-29
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102805
    titleDebian DLA-1071-1 : qemu-kvm security update
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3920.NASL
    descriptionMultiple vulnerabilities were found in qemu, a fast processor emulator : - CVE-2017-9310 Denial of service via infinite loop in e1000e NIC emulation. - CVE-2017-9330 Denial of service via infinite loop in USB OHCI emulation. - CVE-2017-9373 Denial of service via memory leak in IDE AHCI emulation. - CVE-2017-9374 Denial of service via memory leak in USB EHCI emulation. - CVE-2017-10664 Denial of service in qemu-nbd server. - CVE-2017-10911 Information leak in Xen blkif response handling.
    last seen2020-06-01
    modified2020-06-02
    plugin id101985
    published2017-07-27
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101985
    titleDebian DSA-3920-1 : qemu - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-B7F1197C23.NASL
    descriptionQemu: usb: ohci: infinite loop due to incorrect return value [CVE-2017-9330] (#1457698) Qemu: nbd: segmentation fault due to client non-negotiation [CVE-2017-9524] (#1460173) Qemu: qemu-nbd: server breaks with SIGPIPE upon client abort [CVE-2017-10664] (#1466466) Qemu: exec: oob access during dma operation [CVE-2017-11334] (#1471640) revised full fix for XSA-226 (regressed 32-bit Dom0 or backend domains) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-09-05
    plugin id102938
    published2017-09-05
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102938
    titleFedora 26 : xen (2017-b7f1197c23)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-908F063BB6.NASL
    descriptionQemu: usb: ohci: infinite loop due to incorrect return value [CVE-2017-9330] (#1457698) Qemu: nbd: segmentation fault due to client non-negotiation [CVE-2017-9524] (#1460173) Qemu: qemu-nbd: server breaks with SIGPIPE upon client abort [CVE-2017-10664] (#1466466) Qemu: exec: oob access during dma operation [CVE-2017-11334] (#1471640) revised full fix for XSA-226 (regressed 32-bit Dom0 or backend domains) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-15
    plugin id105929
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105929
    titleFedora 27 : xen (2017-908f063bb6)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2445.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick Emulator (QEMU) built with the Network Block Device (NBD) Server support is vulnerable to a crash via a SIGPIPE signal. The crash can occur if a client aborts a connection due to any failure during negotiation or read operation. A remote user/process could use this flaw to crash the qemu-nbd server resulting in a DoS. (CVE-2017-10664)
    last seen2020-06-01
    modified2020-06-02
    plugin id102306
    published2017-08-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102306
    titleRHEL 7 : qemu-kvm (RHSA-2017:2445)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3414-2.NASL
    descriptionUSN-3414-1 fixed vulnerabilities in QEMU. The patch backport for CVE-2017-9375 was incomplete and caused a regression in the USB xHCI controller emulation support. This update fixes the problem. We apologize for the inconvenience. Leo Gaspard discovered that QEMU incorrectly handled VirtFS access control. A guest attacker could use this issue to elevate privileges inside the guest. (CVE-2017-7493) Li Qiang discovered that QEMU incorrectly handled VMware PVSCSI emulation. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources or crash, resulting in a denial of service. (CVE-2017-8112) It was discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly to obtain sensitive host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-8380) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9060) Li Qiang discovered that QEMU incorrectly handled the e1000e device. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9310) Li Qiang discovered that QEMU incorrectly handled USB OHCI emulation support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9330) Li Qiang discovered that QEMU incorrectly handled IDE AHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9373) Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9374) Li Qiang discovered that QEMU incorrectly handled USB xHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-9375) Zhangyanyu discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9503) It was discovered that the QEMU qemu-nbd server incorrectly handled initialization. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-9524) It was discovered that the QEMU qemu-nbd server incorrectly handled signals. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-10664) Li Qiang discovered that the QEMU USB redirector incorrectly handled logging debug messages. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-10806) Anthony Perard discovered that QEMU incorrectly handled Xen block-interface responses. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. (CVE-2017-10911) Reno Robert discovered that QEMU incorrectly handled certain DHCP options strings. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-11434) Ryan Salsamendi discovered that QEMU incorrectly handled empty CDROM device drives. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-12809). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103372
    published2017-09-21
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103372
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.04 : qemu regression (USN-3414-2)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1249.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-15268: Qemu allowed remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c (bsc#1062942). - CVE-2017-9524: The qemu-nbd server when built with the Network Block Device (NBD) Server support allowed remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs talking to a client in the nbd_negotiate function (bsc#1043808). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-10911: The make_response function in the Linux kernel allowed guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures (bsc#1057378) - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive (bsc#1054724) - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046636) - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages (bsc#1047674) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) These non-security issues were fixed : - Fixed not being able to build from rpm sources due to undefined macro (bsc#1057966) - Fixed wrong permissions for kvm_stat.1 file - Fixed KVM lun resize not working as expected on SLES12 SP2 HV (bsc#1043176) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2017-11-07
    plugin id104424
    published2017-11-07
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104424
    titleopenSUSE Security Update : qemu (openSUSE-2017-1249)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2963-1.NASL
    descriptionThis update for kvm fixes several issues. These security issues were fixed : - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper link following issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1020427) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046636) - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages (bsc#1047674). - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334). - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585). - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122). - CVE-2017-5579: The 16550A UART serial device emulation support was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1021741) - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2017-7471: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper access control issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1034866) - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File System(9pfs) support, was vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could have used this flaw to escalate their privileges inside guest (bsc#1039495) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable (bsc#1035950) - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037242) - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042159) - CVE-2017-9373: The IDE AHCI Emulation support was vulnerable to a host memory leakage issue, which allowed a privileged user inside guest to leak host memory resulting in DoS (bsc#1042801) - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800) - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a NULL pointer dereference issue which allowed a privileged user inside guest to crash the Qemu process on the host resulting in DoS (bsc#1043296) - Privilege escalation in TCG mode (bsc#1030624) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104494
    published2017-11-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104494
    titleSUSE SLES11 Security Update : kvm (SUSE-SU-2017:2963-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2541-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-12135: Unbounded recursion in grant table code allowed a malicious guest to crash the host or potentially escalate privileges/leak information (XSA-226, bsc#1051787). - CVE-2017-12137: Incorrectly-aligned updates to pagetables allowed for privilege escalation (XSA-227, bsc#1051788). - CVE-2017-11334: The address_space_write_continue function in exec.c allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048920). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049578). - CVE-2017-10806: Stack-based buffer overflow in hw/usb/redirect.c allowed local guest OS users to cause a denial of service via vectors related to logging debug messages (bsc#1047675). - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046637). - CVE-2017-12855: Premature clearing of GTF_writing / GTF_reading lead to potentially leaking sensitive information (XSA-230, bsc#1052686). - CVE-2017-14316: Missing bound check in function `alloc_heap_pages` for an internal array allowed attackers using crafted hypercalls to execute arbitrary code within Xen (XSA-231, bsc#1056278) - CVE-2017-14317: A race in cxenstored may have cause a double-free allowind for DoS of the xenstored daemon (XSA-233, bsc#1056281). - CVE-2017-14319: An error while handling grant mappings allowed malicious or buggy x86 PV guest to escalate its privileges or crash the hypervisor (XSA-234, bsc#1056282). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103412
    published2017-09-22
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103412
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2017:2541-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2416-1.NASL
    descriptionThis update for qemu fixes the following issues: Security issues fixed : - CVE-2017-10664: Fix DOS vulnerability in qemu-nbd (bsc#1046636) - CVE-2017-10806: Fix DOS from stack overflow in debug messages of usb redirection support (bsc#1047674) - CVE-2017-11334: Fix OOB access during DMA operation (bsc#1048902) - CVE-2017-11434: Fix OOB access parsing dhcp slirp options (bsc#1049381) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103120
    published2017-09-12
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103120
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:2416-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-3084-1.NASL
    descriptionThis update for kvm fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id104780
    published2017-11-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104780
    titleSUSE SLES11 Security Update : kvm (SUSE-SU-2017:3084-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1023.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-12135: Unbounded recursion in grant table code allowed a malicious guest to crash the host or potentially escalate privileges/leak information (XSA-226, bsc#1051787). - CVE-2017-12137: Incorrectly-aligned updates to pagetables allowed for privilege escalation (XSA-227, bsc#1051788). - CVE-2017-12136: Race conditions with maptrack free list handling allows a malicious guest administrator to crash the host or escalate their privilege to that of the host (XSA-228, bsc#1051789). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049578). - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046637). - CVE-2017-12855: Premature clearing of GTF_writing / GTF_reading lead to potentially leaking sensitive information (XSA-230 bsc#1052686. These non-security issues were fixed : - bsc#1055695: XEN: 11SP4 and 12SP3 HVM guests can not be restored after the save using xl stack - bsc#1035231: Migration of HVM domU did not use superpages on destination dom0 - bsc#1002573: Optimized LVM functions in block-dmmd block-dmmd This update was imported from the SUSE:SLE-12-SP3:Update update project.
    last seen2020-06-05
    modified2017-09-13
    plugin id103159
    published2017-09-13
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/103159
    titleopenSUSE Security Update : xen (openSUSE-2017-1023)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1224.NASL
    descriptionAccording to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An out-of-bounds memory access issue was found in Quick Emulator (QEMU) in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the
    last seen2020-05-06
    modified2017-09-11
    plugin id103082
    published2017-09-11
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103082
    titleEulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2017-1224)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2327-2.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-12135: Unbounded recursion in grant table code allowed a malicious guest to crash the host or potentially escalate privileges/leak information (XSA-226, bsc#1051787). - CVE-2017-12137: Incorrectly-aligned updates to pagetables allowed for privilege escalation (XSA-227, bsc#1051788). - CVE-2017-12136: Race conditions with maptrack free list handling allows a malicious guest administrator to crash the host or escalate their privilege to that of the host (XSA-228, bsc#1051789). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049578). - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046637). - CVE-2017-12855: Premature clearing of GTF_writing / GTF_reading lead to potentially leaking sensitive information (XSA-230 bsc#1052686. The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104649
    published2017-11-17
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104649
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2017:2327-2)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2327-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-12135: Unbounded recursion in grant table code allowed a malicious guest to crash the host or potentially escalate privileges/leak information (XSA-226, bsc#1051787). - CVE-2017-12137: Incorrectly-aligned updates to pagetables allowed for privilege escalation (XSA-227, bsc#1051788). - CVE-2017-12136: Race conditions with maptrack free list handling allows a malicious guest administrator to crash the host or escalate their privilege to that of the host (XSA-228, bsc#1051789). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049578). - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046637). - CVE-2017-12855: Premature clearing of GTF_writing / GTF_reading lead to potentially leaking sensitive information (XSA-230 bsc#1052686. The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id102953
    published2017-09-05
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102953
    titleSUSE SLED12 Security Update : xen (SUSE-SU-2017:2327-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-2445.NASL
    descriptionFrom Red Hat Security Advisory 2017:2445 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick Emulator (QEMU) built with the Network Block Device (NBD) Server support is vulnerable to a crash via a SIGPIPE signal. The crash can occur if a client aborts a connection due to any failure during negotiation or read operation. A remote user/process could use this flaw to crash the qemu-nbd server resulting in a DoS. (CVE-2017-10664)
    last seen2020-06-01
    modified2020-06-02
    plugin id102347
    published2017-08-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102347
    titleOracle Linux 7 : qemu-kvm (ELSA-2017-2445)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-2390.NASL
    descriptionAn update for qemu-kvm-rhev is now available for RHEV 3.X Hypervisor and Agents for RHEL-7 and RHEV 4.X RHEV-H and Agents for RHEL-7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Security Fix(es) : * Quick Emulator (QEMU) built with the Network Block Device (NBD) Server support is vulnerable to a crash via a SIGPIPE signal. The crash can occur if a client aborts a connection due to any failure during negotiation or read operation. A remote user/process could use this flaw to crash the qemu-nbd server resulting in a DoS. (CVE-2017-10664)
    last seen2020-06-01
    modified2020-06-02
    plugin id102157
    published2017-08-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102157
    titleRHEL 7 : qemu-kvm-rhev (RHSA-2017:2390)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-2445.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick Emulator (QEMU) built with the Network Block Device (NBD) Server support is vulnerable to a crash via a SIGPIPE signal. The crash can occur if a client aborts a connection due to any failure during negotiation or read operation. A remote user/process could use this flaw to crash the qemu-nbd server resulting in a DoS. (CVE-2017-10664)
    last seen2020-06-01
    modified2020-06-02
    plugin id102763
    published2017-08-25
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102763
    titleCentOS 7 : qemu-kvm (CESA-2017:2445)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1223.NASL
    descriptionAccording to the versions of the qemu-kvm package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An out-of-bounds memory access issue was found in Quick Emulator (QEMU) in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the
    last seen2020-05-06
    modified2017-09-11
    plugin id103081
    published2017-09-11
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103081
    titleEulerOS 2.0 SP1 : qemu-kvm (EulerOS-SA-2017-1223)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-ED735463E3.NASL
    descriptionQemu: usb: ohci: infinite loop due to incorrect return value [CVE-2017-9330] (#1457698) Qemu: qemu-nbd: server breaks with SIGPIPE upon client abort [CVE-2017-10664] (#1466466) revised full fix for XSA-226 (regressed 32-bit Dom0 or backend domains) ---- full fix for XSA-226, replacing workaround drop conflict of xendomain and libvirtd as can cause problems (#1398590) add-to-physmap error paths fail to release lock on ARM [XSA-235] (#1484476) Qemu: audio: host memory leakage via capture buffer [CVE-2017-8309] (#1446521) Qemu: input: host memory leakage via keyboard events [CVE-2017-8379] (#1446561) ---- Qemu: serial: host memory leakage 16550A UART emulation [CVE-2017-5579] (#1416162) Qemu: display: cirrus: OOB read access issue [CVE-2017-7718] (#1443444) xen: various flaws (#1481765) multiple problems with transitive grants [XSA-226, CVE-2017-12135] x86: PV privilege escalation via map_grant_ref [XSA-227, CVE-2017-12137] grant_table: Race conditions with maptrack free list handling [XSA-228, CVE-2017-12136] grant_table: possibly premature clearing of GTF_writing / GTF_reading [XSA-230, CVE-2017-12855] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-09-20
    plugin id103342
    published2017-09-20
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103342
    titleFedora 25 : xen (2017-ed735463e3)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1022.NASL
    descriptionThis update for xen to version 4.7.3 fixes several issues. These security issues were fixed : - CVE-2017-12135: Unbounded recursion in grant table code allowed a malicious guest to crash the host or potentially escalate privileges/leak information (XSA-226, bsc#1051787). - CVE-2017-12137: Incorrectly-aligned updates to pagetables allowed for privilege escalation (XSA-227, bsc#1051788). - CVE-2017-12136: Race conditions with maptrack free list handling allows a malicious guest administrator to crash the host or escalate their privilege to that of the host (XSA-228, bsc#1051789). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049578). - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046637). - CVE-2017-12855: Premature clearing of GTF_writing / GTF_reading lead to potentially leaking sensitive information (XSA-230 CVE-2017-12855). These non-security issues were fixed : - bsc#1055695: XEN: 11SP4 and 12SP3 HVM guests can not be restored after the save using xl stack - bsc#1035231: Migration of HVM domU did not use superpages on destination dom0 - bsc#1002573: Optimized LVM functions in block-dmmd block-dmmd - bsc#1037840: Xen-detect always showed HVM for PV guests This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2017-09-13
    plugin id103158
    published2017-09-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103158
    titleopenSUSE Security Update : xen (openSUSE-2017-1022)

Redhat

advisories
  • bugzilla
    id1466190
    titleCVE-2017-10664 Qemu: qemu-nbd: server breaks with SIGPIPE upon client abort
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentqemu-img is earlier than 10:1.5.3-141.el7_4.1
            ovaloval:com.redhat.rhsa:tst:20172445001
          • commentqemu-img is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345006
        • AND
          • commentqemu-kvm is earlier than 10:1.5.3-141.el7_4.1
            ovaloval:com.redhat.rhsa:tst:20172445003
          • commentqemu-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345004
        • AND
          • commentqemu-kvm-common is earlier than 10:1.5.3-141.el7_4.1
            ovaloval:com.redhat.rhsa:tst:20172445005
          • commentqemu-kvm-common is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140704004
        • AND
          • commentqemu-kvm-tools is earlier than 10:1.5.3-141.el7_4.1
            ovaloval:com.redhat.rhsa:tst:20172445007
          • commentqemu-kvm-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345002
    rhsa
    idRHSA-2017:2445
    released2017-08-08
    severityModerate
    titleRHSA-2017:2445: qemu-kvm security update (Moderate)
  • rhsa
    idRHSA-2017:2390
  • rhsa
    idRHSA-2017:3466
  • rhsa
    idRHSA-2017:3470
  • rhsa
    idRHSA-2017:3471
  • rhsa
    idRHSA-2017:3472
  • rhsa
    idRHSA-2017:3473
  • rhsa
    idRHSA-2017:3474
rpms
  • qemu-img-rhev-10:2.9.0-16.el7_4.3
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.3
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.3
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.3
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.3
  • qemu-img-10:1.5.3-141.el7_4.1
  • qemu-kvm-10:1.5.3-141.el7_4.1
  • qemu-kvm-common-10:1.5.3-141.el7_4.1
  • qemu-kvm-debuginfo-10:1.5.3-141.el7_4.1
  • qemu-kvm-tools-10:1.5.3-141.el7_4.1
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11