Vulnerabilities > CVE-2017-15289 - Out-of-bounds Write vulnerability in Qemu

047910
CVSS 6.0 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
qemu
CWE-787
nessus

Summary

The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation.

Vulnerable Configurations

Part Description Count
Application
Qemu
254

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0238.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - qemu-kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018 -3639.patch - qemu-kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-i t-CVE.patch - qemu-kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit -CVE-.patch - Resolves: bz#1574074 (CVE-2018-3639 qemu-kvm: hw: cpu: speculative store bypass [rhel-6.10.z]) - kvm-vga-add-share_surface-flag.patch [bz#1553674] - kvm-vga-add-sanity-checks.patch [bz#1553674] - Resolves: bz#1553674 (CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-6]) - kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch [bz#1525939 bz#1528024] - kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran .patch - kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran .patch - kvm-cirrus-fix-oob-access-in-mode4and5-write-functions.p atch [bz#1501298] - kvm-vga-stop-passing-pointers-to-vga_draw_line-functions .patch - kvm-vga-check-the-validation-of-memory-addr-when-draw-te .patch - Resolves: bz#1486641 (CVE-2017-13672 qemu-kvm-rhev: Qemu: vga: OOB read access during display update [rhel-6.10]) - Resolves: bz#1501298 (CVE-2017-15289 qemu-kvm: Qemu: cirrus: OOB access issue in mode4and5 write functions [rhel-6.10]) - Resolves: bz#1525939 (CVE-2017-5715 qemu-kvm: hw: cpu: speculative execution branch target injection [rhel-6.10]) - Resolves: bz#1528024 (CVE-2017-5715 qemu-kvm-rhev: hw: cpu: speculative execution branch target injection [rhel-6.10]) - Resolves: bz#1534692 (CVE-2018-5683 qemu-kvm: Qemu: Out-of-bounds read in vga_draw_text routine [rhel-6.10]) - Resolves: bz#1549152 (qemu-kvm-rhev: remove unused patch file [rhel-6.10]) - kvm-vns-tls-don-t-use-depricated-gnutls-functions.patch [bz#1428750] - kvm-vnc-apply-display-size-limits.patch [bz#1430616 bz#1430617] - kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f .patch - kvm-cirrus-vnc-zap-bitblit-support-from-console-code.pat ch [bz#1443448 bz#1443450 bz#1447542 bz#1447545] - kvm-cirrus-avoid-write-only-variables.patch [bz#1444378 bz#1444380] - kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt .patch - kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt .patch - kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran .patch - kvm-cirrus-fix-PUTPIXEL-macro.patch [bz#1444378 bz#1444380] - Resolves: bz#1428750 (Fails to build in brew) - Resolves: bz#1430616 (CVE-2017-2633 qemu-kvm: Qemu: VNC: memory corruption due to unchecked resolution limit [rhel-6.10]) - Resolves: bz#1430617 (CVE-2017-2633 qemu-kvm-rhev: Qemu: VNC: memory corruption due to unchecked resolution limit [rhel-6.10]) - Resolves: bz#1443448 (CVE-2017-7718 qemu-kvm: Qemu: display: cirrus: OOB read access issue [rhel-6.10]) - Resolves: bz#1443450 (CVE-2017-7718 qemu-kvm-rhev: Qemu: display: cirrus: OOB read access issue [rhel-6.10]) - Resolves: bz#1444378 (CVE-2017-7980 qemu-kvm: Qemu: display: cirrus: OOB r/w access issues in bitblt routines [rhel-6.10]) - Resolves: bz#1444380 (CVE-2017-7980 qemu-kvm-rhev: Qemu: display: cirrus: OOB r/w access issues in bitblt routines [rhel-6.10]) - Resolves: bz#1447542 (CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-6.10]) - Resolves: bz#1447545 (CVE-2016-9603 qemu-kvm-rhev: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-6.10])
    last seen2020-06-01
    modified2020-06-02
    plugin id111023
    published2018-07-12
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111023
    titleOracleVM 3.4 : qemu-kvm (OVMSA-2018-0238) (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2018-0238.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(111023);
      script_version("1.8");
      script_cvs_date("Date: 2019/09/27 13:00:35");
    
      script_cve_id("CVE-2016-9603", "CVE-2017-13672", "CVE-2017-15289", "CVE-2017-2633", "CVE-2017-5715", "CVE-2017-7718", "CVE-2017-7980", "CVE-2018-3639", "CVE-2018-5683", "CVE-2018-7858");
    
      script_name(english:"OracleVM 3.4 : qemu-kvm (OVMSA-2018-0238) (Spectre)");
      script_summary(english:"Checks the RPM output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates :
    
      -
        qemu-kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018
        -3639.patch 
    
      -
        qemu-kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-i
        t-CVE.patch 
    
      -
        qemu-kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit
        -CVE-.patch 
    
      - Resolves: bz#1574074 (CVE-2018-3639 qemu-kvm: hw: cpu:
        speculative store bypass [rhel-6.10.z])
    
      - kvm-vga-add-share_surface-flag.patch [bz#1553674]
    
      - kvm-vga-add-sanity-checks.patch [bz#1553674]
    
      - Resolves: bz#1553674 (CVE-2018-7858 qemu-kvm: Qemu:
        cirrus: OOB access when updating vga display [rhel-6])
    
      - kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch
        [bz#1525939 bz#1528024]
    
      -
        kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran
        .patch 
    
      -
        kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran
        .patch 
    
      -
        kvm-cirrus-fix-oob-access-in-mode4and5-write-functions.p
        atch [bz#1501298]
    
      -
        kvm-vga-stop-passing-pointers-to-vga_draw_line-functions
        .patch 
    
      -
        kvm-vga-check-the-validation-of-memory-addr-when-draw-te
        .patch 
    
      - Resolves: bz#1486641 (CVE-2017-13672 qemu-kvm-rhev:
        Qemu: vga: OOB read access during display update
        [rhel-6.10])
    
      - Resolves: bz#1501298 (CVE-2017-15289 qemu-kvm: Qemu:
        cirrus: OOB access issue in mode4and5 write functions
        [rhel-6.10])
    
      - Resolves: bz#1525939 (CVE-2017-5715 qemu-kvm: hw: cpu:
        speculative execution branch target injection
        [rhel-6.10])
    
      - Resolves: bz#1528024 (CVE-2017-5715 qemu-kvm-rhev: hw:
        cpu: speculative execution branch target injection
        [rhel-6.10])
    
      - Resolves: bz#1534692 (CVE-2018-5683 qemu-kvm: Qemu:
        Out-of-bounds read in vga_draw_text routine [rhel-6.10])
    
      - Resolves: bz#1549152 (qemu-kvm-rhev: remove unused patch
        file [rhel-6.10])
    
      - kvm-vns-tls-don-t-use-depricated-gnutls-functions.patch
        [bz#1428750]
    
      - kvm-vnc-apply-display-size-limits.patch [bz#1430616
        bz#1430617]
    
      -
        kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f
        .patch 
    
      -
        kvm-cirrus-vnc-zap-bitblit-support-from-console-code.pat
        ch [bz#1443448 bz#1443450 bz#1447542 bz#1447545]
    
      - kvm-cirrus-avoid-write-only-variables.patch [bz#1444378
        bz#1444380]
    
      -
        kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt
        .patch 
    
      -
        kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt
        .patch 
    
      -
        kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran
        .patch 
    
      - kvm-cirrus-fix-PUTPIXEL-macro.patch [bz#1444378
        bz#1444380]
    
      - Resolves: bz#1428750 (Fails to build in brew)
    
      - Resolves: bz#1430616 (CVE-2017-2633 qemu-kvm: Qemu: VNC:
        memory corruption due to unchecked resolution limit
        [rhel-6.10])
    
      - Resolves: bz#1430617 (CVE-2017-2633 qemu-kvm-rhev: Qemu:
        VNC: memory corruption due to unchecked resolution limit
        [rhel-6.10])
    
      - Resolves: bz#1443448 (CVE-2017-7718 qemu-kvm: Qemu:
        display: cirrus: OOB read access issue [rhel-6.10])
    
      - Resolves: bz#1443450 (CVE-2017-7718 qemu-kvm-rhev: Qemu:
        display: cirrus: OOB read access issue [rhel-6.10])
    
      - Resolves: bz#1444378 (CVE-2017-7980 qemu-kvm: Qemu:
        display: cirrus: OOB r/w access issues in bitblt
        routines [rhel-6.10])
    
      - Resolves: bz#1444380 (CVE-2017-7980 qemu-kvm-rhev: Qemu:
        display: cirrus: OOB r/w access issues in bitblt
        routines [rhel-6.10])
    
      - Resolves: bz#1447542 (CVE-2016-9603 qemu-kvm: Qemu:
        cirrus: heap buffer overflow via vnc connection
        [rhel-6.10])
    
      - Resolves: bz#1447545 (CVE-2016-9603 qemu-kvm-rhev: Qemu:
        cirrus: heap buffer overflow via vnc connection
        [rhel-6.10])"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/oraclevm-errata/2018-July/000873.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected qemu-img package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:qemu-img");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/07/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/12");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS3.4", reference:"qemu-img-0.12.1.2-2.506.el6_10.1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-img");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3368.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167) * Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289) Red Hat would like to thank Thomas Garnier (Google.com) for reporting CVE-2017-14167 and Guoxiang Niu (Huawei.com) for reporting CVE-2017-15289.
    last seen2020-06-01
    modified2020-06-02
    plugin id104951
    published2017-12-01
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104951
    titleRHEL 7 : qemu-kvm (RHSA-2017:3368)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:3368. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104951);
      script_version("3.12");
      script_cvs_date("Date: 2019/10/24 15:35:44");
    
      script_cve_id("CVE-2017-14167", "CVE-2017-15289");
      script_xref(name:"RHSA", value:"2017:3368");
    
      script_name(english:"RHEL 7 : qemu-kvm (RHSA-2017:3368)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for qemu-kvm is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Kernel-based Virtual Machine (KVM) is a full virtualization solution
    for Linux on a variety of architectures. The qemu-kvm package provides
    the user-space component for running virtual machines that use KVM.
    
    Security Fix(es) :
    
    * Quick Emulator (QEMU), compiled with the PC System Emulator with
    multiboot feature support, is vulnerable to an OOB r/w memory access
    issue. The issue could occur due to an integer overflow while loading
    a kernel image during a guest boot. A user or process could use this
    flaw to potentially achieve arbitrary code execution on a host.
    (CVE-2017-14167)
    
    * Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA
    Emulator support, is vulnerable to an OOB write access issue. The
    issue could occur while writing to VGA memory via mode4and5 write
    functions. A privileged user inside guest could use this flaw to crash
    the QEMU process resulting in Denial of Serivce (DoS).
    (CVE-2017-15289)
    
    Red Hat would like to thank Thomas Garnier (Google.com) for reporting
    CVE-2017-14167 and Guoxiang Niu (Huawei.com) for reporting
    CVE-2017-15289."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2017:3368"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-14167"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2017-15289"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-img");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/09/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2017:3368";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"qemu-img-1.5.3-141.el7_4.4")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"qemu-kvm-1.5.3-141.el7_4.4")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"qemu-kvm-common-1.5.3-141.el7_4.4")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"qemu-kvm-debuginfo-1.5.3-141.el7_4.4")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"qemu-kvm-tools-1.5.3-141.el7_4.4")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-img / qemu-kvm / qemu-kvm-common / qemu-kvm-debuginfo / etc");
      }
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3575-1.NASL
    descriptionIt was discovered that QEMU incorrectly handled guest ram. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-11334) David Buchanan discovered that QEMU incorrectly handled the VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue was only addressed in Ubuntu 17.10. (CVE-2017-13672) Thomas Garnier discovered that QEMU incorrectly handled multiboot. An attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-14167) Tuomas Tynkkynen discovered that QEMU incorrectly handled VirtFS directory sharing. An attacker could use this issue to obtain sensitive information from host memory. (CVE-2017-15038) Eric Blake discovered that QEMU incorrectly handled memory in the NBD server. An attacker could use this issue to cause the NBD server to crash, resulting in a denial of service. This issue only affected Ubuntu 17.10. (CVE-2017-15118) Eric Blake discovered that QEMU incorrectly handled certain options to the NBD server. An attacker could use this issue to cause the NBD server to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15119) Daniel Berrange discovered that QEMU incorrectly handled the VNC server. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. This issue was only addressed in Ubuntu 17.10. (CVE-2017-15124) Carl Brassey discovered that QEMU incorrectly handled certain websockets. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. This issue only affected Ubuntu 17.10. (CVE-2017-15268) Guoxiang Niu discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-15289) Cyrille Chatras discovered that QEMU incorrectly handled certain PS2 values during migration. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-16845) It was discovered that QEMU incorrectly handled the Virtio Vring implementation. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-17381) Eric Blake discovered that QEMU incorrectly handled certain rounding operations. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-18043) Jiang Xin and Lin ZheCheng discovered that QEMU incorrectly handled the VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-5683). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id106927
    published2018-02-21
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106927
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.10 : qemu vulnerabilities (USN-3575-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3575-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(106927);
      script_version("3.7");
      script_cvs_date("Date: 2019/09/18 12:31:48");
    
      script_cve_id("CVE-2017-11334", "CVE-2017-13672", "CVE-2017-14167", "CVE-2017-15038", "CVE-2017-15118", "CVE-2017-15119", "CVE-2017-15124", "CVE-2017-15268", "CVE-2017-15289", "CVE-2017-16845", "CVE-2017-17381", "CVE-2017-18043", "CVE-2018-5683");
      script_xref(name:"USN", value:"3575-1");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : qemu vulnerabilities (USN-3575-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "It was discovered that QEMU incorrectly handled guest ram. A
    privileged attacker inside the guest could use this issue to cause
    QEMU to crash, resulting in a denial of service. This issue only
    affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-11334)
    
    David Buchanan discovered that QEMU incorrectly handled the VGA
    device. A privileged attacker inside the guest could use this issue to
    cause QEMU to crash, resulting in a denial of service. This issue was
    only addressed in Ubuntu 17.10. (CVE-2017-13672)
    
    Thomas Garnier discovered that QEMU incorrectly handled multiboot. An
    attacker could use this issue to cause QEMU to crash, resulting in a
    denial of service, or possibly execute arbitrary code on the host. In
    the default installation, when QEMU is used with libvirt, attackers
    would be isolated by the libvirt AppArmor profile. This issue only
    affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-14167)
    
    Tuomas Tynkkynen discovered that QEMU incorrectly handled VirtFS
    directory sharing. An attacker could use this issue to obtain
    sensitive information from host memory. (CVE-2017-15038)
    
    Eric Blake discovered that QEMU incorrectly handled memory in the NBD
    server. An attacker could use this issue to cause the NBD server to
    crash, resulting in a denial of service. This issue only affected
    Ubuntu 17.10. (CVE-2017-15118)
    
    Eric Blake discovered that QEMU incorrectly handled certain options to
    the NBD server. An attacker could use this issue to cause the NBD
    server to crash, resulting in a denial of service. This issue only
    affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15119)
    
    Daniel Berrange discovered that QEMU incorrectly handled the VNC
    server. A remote attacker could possibly use this issue to consume
    memory, resulting in a denial of service. This issue was only
    addressed in Ubuntu 17.10. (CVE-2017-15124)
    
    Carl Brassey discovered that QEMU incorrectly handled certain
    websockets. A remote attacker could possibly use this issue to consume
    memory, resulting in a denial of service. This issue only affected
    Ubuntu 17.10. (CVE-2017-15268)
    
    Guoxiang Niu discovered that QEMU incorrectly handled the Cirrus VGA
    device. A privileged attacker inside the guest could use this issue to
    cause QEMU to crash, resulting in a denial of service.
    (CVE-2017-15289)
    
    Cyrille Chatras discovered that QEMU incorrectly handled certain PS2
    values during migration. An attacker could possibly use this issue to
    cause QEMU to crash, resulting in a denial of service, or possibly
    execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and
    Ubuntu 17.10. (CVE-2017-16845)
    
    It was discovered that QEMU incorrectly handled the Virtio Vring
    implementation. An attacker could possibly use this issue to cause
    QEMU to crash, resulting in a denial of service. This issue only
    affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-17381)
    
    Eric Blake discovered that QEMU incorrectly handled certain rounding
    operations. An attacker could possibly use this issue to cause QEMU to
    crash, resulting in a denial of service. This issue only affected
    Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-18043)
    
    Jiang Xin and Lin ZheCheng discovered that QEMU incorrectly handled
    the VGA device. A privileged attacker inside the guest could use this
    issue to cause QEMU to crash, resulting in a denial of service.
    (CVE-2018-5683).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3575-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/02/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|17\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 17.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system", pkgver:"2.0.0+dfsg-2ubuntu1.39")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-aarch64", pkgver:"2.0.0+dfsg-2ubuntu1.39")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-arm", pkgver:"2.0.0+dfsg-2ubuntu1.39")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-mips", pkgver:"2.0.0+dfsg-2ubuntu1.39")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-misc", pkgver:"2.0.0+dfsg-2ubuntu1.39")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-ppc", pkgver:"2.0.0+dfsg-2ubuntu1.39")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-sparc", pkgver:"2.0.0+dfsg-2ubuntu1.39")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-x86", pkgver:"2.0.0+dfsg-2ubuntu1.39")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system", pkgver:"1:2.5+dfsg-5ubuntu10.22")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-aarch64", pkgver:"1:2.5+dfsg-5ubuntu10.22")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-arm", pkgver:"1:2.5+dfsg-5ubuntu10.22")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-mips", pkgver:"1:2.5+dfsg-5ubuntu10.22")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-misc", pkgver:"1:2.5+dfsg-5ubuntu10.22")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-ppc", pkgver:"1:2.5+dfsg-5ubuntu10.22")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-s390x", pkgver:"1:2.5+dfsg-5ubuntu10.22")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-sparc", pkgver:"1:2.5+dfsg-5ubuntu10.22")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-x86", pkgver:"1:2.5+dfsg-5ubuntu10.22")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"qemu-system", pkgver:"1:2.10+dfsg-0ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"qemu-system-aarch64", pkgver:"1:2.10+dfsg-0ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"qemu-system-arm", pkgver:"1:2.10+dfsg-0ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"qemu-system-mips", pkgver:"1:2.10+dfsg-0ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"qemu-system-misc", pkgver:"1:2.10+dfsg-0ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"qemu-system-ppc", pkgver:"1:2.10+dfsg-0ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"qemu-system-s390x", pkgver:"1:2.10+dfsg-0ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"qemu-system-sparc", pkgver:"1:2.10+dfsg-0ubuntu3.5")) flag++;
    if (ubuntu_check(osver:"17.10", pkgname:"qemu-system-x86", pkgver:"1:2.10+dfsg-0ubuntu3.5")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-system / qemu-system-aarch64 / qemu-system-arm / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1248.NASL
    descriptionThis update for qemu to version 2.9.1 fixes several issues. It also announces that the qed storage format will be no longer supported in Leap 15.0. These security issues were fixed : - CVE-2017-15268: Qemu allowed remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c (bsc#1062942) - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-10911: The make_response function in the Linux kernel allowed guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures (bsc#1057378) - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive (bsc#1054724) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) - CVE-2017-13711: Use-after-free vulnerability allowed attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets (bsc#1056291). These non-security issues were fixed : - Fixed not being able to build from rpm sources due to undefined macro (bsc#1057966) - Fiedx package build failure against new glibc (bsc#1055587) This update was imported from the SUSE:SLE-12-SP3:Update update project.
    last seen2020-06-05
    modified2017-11-07
    plugin id104423
    published2017-11-07
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104423
    titleopenSUSE Security Update : qemu (openSUSE-2017-1248)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-1248.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104423);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-10911", "CVE-2017-12809", "CVE-2017-13672", "CVE-2017-13711", "CVE-2017-14167", "CVE-2017-15038", "CVE-2017-15268", "CVE-2017-15289");
    
      script_name(english:"openSUSE Security Update : qemu (openSUSE-2017-1248)");
      script_summary(english:"Check for the openSUSE-2017-1248 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for qemu to version 2.9.1 fixes several issues.
    
    It also announces that the qed storage format will be no longer
    supported in Leap 15.0.
    
    These security issues were fixed :
    
      - CVE-2017-15268: Qemu allowed remote attackers to cause a
        memory leak by triggering slow data-channel read
        operations, related to io/channel-websock.c
        (bsc#1062942)
    
      - CVE-2017-15289: The mode4and5 write functions allowed
        local OS guest privileged users to cause a denial of
        service (out-of-bounds write access and Qemu process
        crash) via vectors related to dst calculation
        (bsc#1063122)
    
      - CVE-2017-15038: Race condition in the v9fs_xattrwalk
        function local guest OS users to obtain sensitive
        information from host heap memory via vectors related to
        reading extended attributes (bsc#1062069)
    
      - CVE-2017-10911: The make_response function in the Linux
        kernel allowed guest OS users to obtain sensitive
        information from host OS (or other guest OS) kernel
        memory by leveraging the copying of uninitialized
        padding fields in Xen block-interface response
        structures (bsc#1057378)
    
      - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator
        support allowed local guest OS privileged users to cause
        a denial of service (NULL pointer dereference and QEMU
        process crash) by flushing an empty CDROM device drive
        (bsc#1054724)
    
      - CVE-2017-14167: Integer overflow in the load_multiboot
        function allowed local guest OS users to execute
        arbitrary code on the host via crafted multiboot header
        address values, which trigger an out-of-bounds write
        (bsc#1057585)
    
      - CVE-2017-13672: The VGA display emulator support allowed
        local guest OS privileged users to cause a denial of
        service (out-of-bounds read and QEMU process crash) via
        vectors involving display update (bsc#1056334)
    
      - CVE-2017-13711: Use-after-free vulnerability allowed
        attackers to cause a denial of service (QEMU instance
        crash) by leveraging failure to properly clear ifq_so
        from pending packets (bsc#1056291).
    
    These non-security issues were fixed :
    
      - Fixed not being able to build from rpm sources due to
        undefined macro (bsc#1057966)
    
      - Fiedx package build failure against new glibc
        (bsc#1055587)
    
    This update was imported from the SUSE:SLE-12-SP3:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1054724"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1055587"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1056291"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1056334"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1057378"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1057585"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1057966"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1062069"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1062942"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1063122"
      );
      # https://features.opensuse.org/324200
      script_set_attribute(
        attribute:"see_also",
        value:"https://features.opensuse.org/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected qemu packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-arm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-dmg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-dmg-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-iscsi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-iscsi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-rbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-rbd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-ssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-ssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-extra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-extra-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-guest-agent-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-ipxe");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-ksm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-linux-user");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-linux-user-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-linux-user-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-ppc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-ppc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-s390");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-s390-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-seabios");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-sgabios");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-testsuite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-vgabios");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-x86-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.3", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.3", reference:"qemu-ipxe-1.0.0-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"qemu-linux-user-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"qemu-linux-user-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"qemu-linux-user-debugsource-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"qemu-seabios-1.10.2-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"qemu-sgabios-8-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", reference:"qemu-vgabios-1.10.2-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-arm-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-arm-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-block-curl-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-block-curl-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-block-dmg-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-block-dmg-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-block-iscsi-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-block-iscsi-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-block-rbd-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-block-rbd-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-block-ssh-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-block-ssh-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-debugsource-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-extra-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-extra-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-guest-agent-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-guest-agent-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-ksm-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-kvm-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-lang-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-ppc-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-ppc-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-s390-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-s390-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-testsuite-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-tools-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-tools-debuginfo-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-x86-2.9.1-35.1") ) flag++;
    if ( rpm_check(release:"SUSE42.3", cpu:"x86_64", reference:"qemu-x86-debuginfo-2.9.1-35.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-linux-user / qemu-linux-user-debuginfo / etc");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-3368.NASL
    descriptionFrom Red Hat Security Advisory 2017:3368 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167) * Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289) Red Hat would like to thank Thomas Garnier (Google.com) for reporting CVE-2017-14167 and Guoxiang Niu (Huawei.com) for reporting CVE-2017-15289.
    last seen2020-06-01
    modified2020-06-02
    plugin id104948
    published2017-12-01
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104948
    titleOracle Linux 7 : qemu-kvm (ELSA-2017-3368)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-934.NASL
    descriptionQuick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167) Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289)
    last seen2020-06-01
    modified2020-06-02
    plugin id105419
    published2017-12-26
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/105419
    titleAmazon Linux AMI : qemu-kvm (ALAS-2017-934)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0125_QEMU-KVM.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has qemu-kvm packages installed that are affected by a vulnerability: - Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127374
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127374
    titleNewStart CGSL MAIN 4.05 : qemu-kvm Vulnerability (NS-SA-2019-0125)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-3242-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking (bsc#1061081). - CVE-2017-15592: x86 HVM guest OS users were able to cause a DoS (hypervisor crash) or possibly gain privileges because self-linear shadow mappings were mishandled for translated guests (bsc#1061086). - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056336) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id105149
    published2017-12-11
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105149
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2017:3242-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-0516.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Qemu: cirrus: OOB access issue in mode4and5 write functions (CVE-2017-15289) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id108343
    published2018-03-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108343
    titleCentOS 6 : qemu-kvm (CESA-2018:0516)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2969-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-2633: The VNC display driver support was vulnerable to an out-of-bounds memory access issue. A user/process inside guest could use this flaw to cause DoS (bsc#1026612) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311) - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211) - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800) - CVE-2017-9373: The IDE AHCI Emulation support was vulnerable to a host memory leakage issue, which allowed a privileged user inside guest to leak host memory resulting in DoS (bsc#1042801) - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042159) - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037242) - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File System(9pfs) support, was vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could have used this flaw to escalate their privileges inside guest (bsc#1039495) - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper link following issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1020427) - CVE-2017-5579: The 16550A UART serial device emulation support was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1021741) - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a NULL pointer dereference issue which allowed a privileged user inside guest to crash the Qemu process on the host resulting in DoS (bsc#1043296) - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046636) - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages (bsc#1047674) - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper link following issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1020427) - CVE-2017-7377: The v9fs_create and v9fs_lcreate functions in hw/9pfs/9p.c allowed local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid (bsc#1032075) - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable (bsc#1035950) - CVE-2017-7471: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper access control issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1034866) - CVE-2016-6834: A infinite loop during packet fragmentation in the VMWARE VMXNET3 NIC device support allowed privileged user inside guest to crash the Qemu instance resulting in DoS (bsc#994418) - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC device support, causing an OOB read access (bsc#994605) - Fix privilege escalation in TCG mode (bsc#1030624) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104495
    published2017-11-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104495
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2017:2969-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1322.NASL
    descriptionThis update for xen to version 4.7.4 (bsc#1027519) fixes several issues. This new feature was added : - Support migration of HVM domains larger than 1 TB These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). This non-security issue was fixed : - bsc#1055047: Fixed --initrd-inject option in virt-install This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2017-12-14
    plugin id105222
    published2017-12-14
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105222
    titleopenSUSE Security Update : xen (openSUSE-2017-1322)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0516.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Qemu: cirrus: OOB access issue in mode4and5 write functions (CVE-2017-15289) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id108331
    published2018-03-14
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108331
    titleRHEL 6 : qemu-kvm (RHSA-2018:0516)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1497.NASL
    descriptionSeveral vulnerabilities were found in qemu, a fast processor emulator : CVE-2015-8666 Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator CVE-2016-2198 NULL pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service CVE-2016-6833 Use after free while writing in the vmxnet3 device that could be used to cause a denial of service CVE-2016-6835 Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service CVE-2016-8576 Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support CVE-2016-8667 / CVE-2016-8669 Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service CVE-2016-9602 Improper link following with VirtFS CVE-2016-9603 Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support CVE-2016-9776 Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator CVE-2016-9907 Memory leakage in the USB redirector usb-guest support CVE-2016-9911 Memory leakage in ehci_init_transfer in the USB EHCI support CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916 Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver CVE-2016-9921 / CVE-2016-9922 Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support CVE-2016-10155 Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations. CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718 Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service CVE-2017-5525 / CVE-2017-5526 Memory leakage issues in the ac97 and es1370 device emulation CVE-2017-5579 Most memory leakage in the 16550A UART emulation CVE-2017-5667 Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support. CVE-2017-5715 Mitigations against the Spectre v2 vulnerability. For more information please refer to https://www.qemu.org/2018/01/04/spectre/ CVE-2017-5856 Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505 Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list CVE-2017-7377 9pfs: host memory leakage via v9fs_create CVE-2017-7493 Improper access control issues in the host directory sharing via 9pfs support. CVE-2017-7980 Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service CVE-2017-8086 9pfs: host memory leakage via v9pfs_list_xattr CVE-2017-8112 Infinite loop in the VMWare PVSCSI emulation CVE-2017-8309 / CVE-2017-8379 Host memory leakage issues via the audio capture buffer and the keyboard input event handlers CVE-2017-9330 Infinite loop due to incorrect return value in USB OHCI that may result in denial of service CVE-2017-9373 / CVE-2017-9374 Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service CVE-2017-9503 NULL pointer dereference while processing megasas command CVE-2017-10806 Stack buffer overflow in USB redirector CVE-2017-10911 Xen disk may leak stack data via response ring CVE-2017-11434 Out-of-bounds read while parsing Slirp/DHCP options CVE-2017-14167 Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code CVE-2017-15038 9pfs: information disclosure when reading extended attributes CVE-2017-15289 Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service CVE-2017-16845 Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration CVE-2017-18043 Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service CVE-2018-7550 Incorrect handling of memory during multiboot that could may result in execution of arbitrary code For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id117351
    published2018-09-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117351
    titleDebian DLA-1497-1 : qemu security update (Spectre)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2936-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-15268: Qemu allowed remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c (bsc#1062942). - CVE-2017-9524: The qemu-nbd server when built with the Network Block Device (NBD) Server support allowed remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs talking to a client in the nbd_negotiate function (bsc#1043808). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-10911: The make_response function in the Linux kernel allowed guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures (bsc#1057378) - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive (bsc#1054724) - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046636) - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages (bsc#1047674) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104429
    published2017-11-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104429
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:2936-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2946-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-10911: The make_response function in the Linux kernel allowed guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures (bsc#1057378). - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive (bsc#1054724). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311) - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211) - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800) - CVE-2017-9374: Missing free of
    last seen2020-06-01
    modified2020-06-02
    plugin id104471
    published2017-11-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104471
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2017:2946-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-3369.NASL
    descriptionAn update for qemu-kvm-rhev is now available for Red Hat Enterprise Virtualization (RHEV) 4.X, Red Hat Enterprise Virtualization Hypervisor (RHEV-H) and Agents for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Security Fix(es) : * Quick Emulator (QEMU), compiled with qemu_map_ram_ptr to access guests
    last seen2020-06-01
    modified2020-06-02
    plugin id104987
    published2017-12-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104987
    titleRHEL 7 : qemu-kvm-rhev (RHSA-2017:3369)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20171130_QEMU_KVM_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167) - Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289)
    last seen2020-03-18
    modified2017-12-04
    plugin id104990
    published2017-12-04
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104990
    titleScientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20171130)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1320.NASL
    descriptionAccording to the versions of the qemu-kvm package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167) - Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-12-18
    plugin id105301
    published2017-12-18
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105301
    titleEulerOS 2.0 SP1 : qemu-kvm (EulerOS-SA-2017-1320)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-3115-1.NASL
    descriptionThis update for xen to version 4.9.1 (bsc#1027519) fixes several issues. This new feature was added : - Support migration of HVM domains larger than 1 TB These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104870
    published2017-11-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104870
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:3115-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180313_QEMU_KVM_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - Qemu: cirrus: OOB access issue in mode4and5 write functions (CVE-2017-15289)
    last seen2020-03-18
    modified2018-03-15
    plugin id108366
    published2018-03-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108366
    titleScientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64 (20180313)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1321.NASL
    descriptionThis update for xen to version 4.9.1 (bsc#1027519) fixes several issues. This new feature was added : - Support migration of HVM domains larger than 1 TB These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). This non-security issue was fixed : - bsc#1055047: Fixed --initrd-inject option in virt-install This update was imported from the SUSE:SLE-12-SP3:Update update project.
    last seen2020-06-05
    modified2017-12-14
    plugin id105221
    published2017-12-14
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105221
    titleopenSUSE Security Update : xen (openSUSE-2017-1321)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-3239-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking (bsc#1061081). - CVE-2017-15592: x86 HVM guest OS users were able to cause a DoS (hypervisor crash) or possibly gain privileges because self-linear shadow mappings were mishandled for translated guests (bsc#1061086). - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056336) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id105148
    published2017-12-11
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105148
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2017:3239-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-1249.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-15268: Qemu allowed remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c (bsc#1062942). - CVE-2017-9524: The qemu-nbd server when built with the Network Block Device (NBD) Server support allowed remote attackers to cause a denial of service (segmentation fault and server crash) by leveraging failure to ensure that all initialization occurs talking to a client in the nbd_negotiate function (bsc#1043808). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-10911: The make_response function in the Linux kernel allowed guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures (bsc#1057378) - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive (bsc#1054724) - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046636) - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages (bsc#1047674) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) These non-security issues were fixed : - Fixed not being able to build from rpm sources due to undefined macro (bsc#1057966) - Fixed wrong permissions for kvm_stat.1 file - Fixed KVM lun resize not working as expected on SLES12 SP2 HV (bsc#1043176) This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2017-11-07
    plugin id104424
    published2017-11-07
    reporterThis script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104424
    titleopenSUSE Security Update : qemu (openSUSE-2017-1249)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2963-1.NASL
    descriptionThis update for kvm fixes several issues. These security issues were fixed : - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper link following issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1020427) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046636) - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages (bsc#1047674). - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334). - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585). - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122). - CVE-2017-5579: The 16550A UART serial device emulation support was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1021741) - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2017-7471: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper access control issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1034866) - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File System(9pfs) support, was vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could have used this flaw to escalate their privileges inside guest (bsc#1039495) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable (bsc#1035950) - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037242) - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042159) - CVE-2017-9373: The IDE AHCI Emulation support was vulnerable to a host memory leakage issue, which allowed a privileged user inside guest to leak host memory resulting in DoS (bsc#1042801) - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800) - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a NULL pointer dereference issue which allowed a privileged user inside guest to crash the Qemu process on the host resulting in DoS (bsc#1043296) - Privilege escalation in TCG mode (bsc#1030624) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104494
    published2017-11-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104494
    titleSUSE SLES11 Security Update : kvm (SUSE-SU-2017:2963-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-3178-1.NASL
    descriptionThis update for xen to version 4.7.4 (bsc#1027519) fixes several issues. This new feature was added : - Support migration of HVM domains larger than 1 TB These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104992
    published2017-12-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104992
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:3178-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0025.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - kvm-cirrus-fix-oob-access-in-mode4and5-write-functions.p atch [bz#1501296] - Resolves: bz#1501296 &nbsp (CVE-2017-15289 qemu-kvm: Qemu: cirrus: OOB access issue in mode4and5 write functions [rhel-6.9.z])
    last seen2020-06-01
    modified2020-06-02
    plugin id108360
    published2018-03-15
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108360
    titleOracleVM 3.4 : qemu-kvm (OVMSA-2018-0025)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-3236-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking (bsc#1061081). - CVE-2017-15592: x86 HVM guest OS users were able to cause a DoS (hypervisor crash) or possibly gain privileges because self-linear shadow mappings were mishandled for translated guests (bsc#1061086). - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056336) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id105098
    published2017-12-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105098
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2017:3236-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1321.NASL
    descriptionAccording to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167) - Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-12-18
    plugin id105302
    published2017-12-18
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105302
    titleEulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2017-1321)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0005_QEMU-KVM.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 5.04, has qemu-kvm packages installed that are affected by multiple vulnerabilities: - Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167) - Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id127149
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127149
    titleNewStart CGSL MAIN 5.04 : qemu-kvm Multiple Vulnerabilities (NS-SA-2019-0005)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-3084-1.NASL
    descriptionThis update for kvm fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id104780
    published2017-11-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104780
    titleSUSE SLES11 Security Update : kvm (SUSE-SU-2017:3084-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-3212-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking (bsc#1061081). - CVE-2017-15592: x86 HVM guest OS users were able to cause a DoS (hypervisor crash) or possibly gain privileges because self-linear shadow mappings were mishandled for translated guests (bsc#1061086). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id105033
    published2017-12-06
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105033
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2017:3212-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3575-2.NASL
    descriptionUSN-3575-1 fixed vulnerabilities in QEMU. The fix for CVE-2017-11334 caused a regression in Xen environments. This update removes the problematic fix pending further investigation. We apologize for the inconvenience. Original advisory details : It was discovered that QEMU incorrectly handled guest ram. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-11334) David Buchanan discovered that QEMU incorrectly handled the VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue was only addressed in Ubuntu 17.10. (CVE-2017-13672) Thomas Garnier discovered that QEMU incorrectly handled multiboot. An attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-14167) Tuomas Tynkkynen discovered that QEMU incorrectly handled VirtFS directory sharing. An attacker could use this issue to obtain sensitive information from host memory. (CVE-2017-15038) Eric Blake discovered that QEMU incorrectly handled memory in the NBD server. An attacker could use this issue to cause the NBD server to crash, resulting in a denial of service. This issue only affected Ubuntu 17.10. (CVE-2017-15118) Eric Blake discovered that QEMU incorrectly handled certain options to the NBD server. An attacker could use this issue to cause the NBD server to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15119) Daniel Berrange discovered that QEMU incorrectly handled the VNC server. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. This issue was only addressed in Ubuntu 17.10. (CVE-2017-15124) Carl Brassey discovered that QEMU incorrectly handled certain websockets. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. This issue only affected Ubuntu 17.10. (CVE-2017-15268) Guoxiang Niu discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-15289) Cyrille Chatras discovered that QEMU incorrectly handled certain PS2 values during migration. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-16845) It was discovered that QEMU incorrectly handled the Virtio Vring implementation. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-17381) Eric Blake discovered that QEMU incorrectly handled certain rounding operations. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-18043) Jiang Xin and Lin ZheCheng discovered that QEMU incorrectly handled the VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-5683). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id107145
    published2018-03-06
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107145
    titleUbuntu 14.04 LTS / 16.04 LTS : qemu regression (USN-3575-2)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-0516.NASL
    descriptionFrom Red Hat Security Advisory 2018:0516 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Qemu: cirrus: OOB access issue in mode4and5 write functions (CVE-2017-15289) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id108321
    published2018-03-14
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108321
    titleOracle Linux 6 : qemu-kvm (ELSA-2018-0516)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4213.NASL
    descriptionSeveral vulnerabilities were discovered in qemu, a fast processor emulator. - CVE-2017-15038 Tuomas Tynkkynen discovered an information leak in 9pfs. - CVE-2017-15119 Eric Blake discovered that the NBD server insufficiently restricts large option requests, resulting in denial of service. - CVE-2017-15124 Daniel Berrange discovered that the integrated VNC server insufficiently restricted memory allocation, which could result in denial of service. - CVE-2017-15268 A memory leak in websockets support may result in denial of service. - CVE-2017-15289 Guoxiang Niu discovered an OOB write in the emulated Cirrus graphics adaptor which could result in denial of service. - CVE-2017-16845 Cyrille Chatras discovered an information leak in PS/2 mouse and keyboard emulation which could be exploited during instance migration. - CVE-2017-17381 Dengzhan Heyuandong Bijunhua and Liweichao discovered that an implementation error in the virtio vring implementation could result in denial of service. - CVE-2017-18043 Eric Blake discovered an integer overflow in an internally used macro which could result in denial of service. - CVE-2018-5683 Jiang Xin and Lin ZheCheng discovered an OOB memory access in the emulated VGA adaptor which could result in denial of service. - CVE-2018-7550 Cyrille Chatras discovered that an OOB memory write when using multiboot could result in the execution of arbitrary code. This update also backports a number of mitigations against the Spectre v2 vulnerability affecting modern CPUs (CVE-2017-5715 ). For additional information please refer to https://www.qemu.org/2018/01/04/spectre/
    last seen2020-06-01
    modified2020-06-02
    plugin id110208
    published2018-05-30
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110208
    titleDebian DSA-4213-1 : qemu - security update (Spectre)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2924-1.NASL
    descriptionThis update for qemu to version 2.9.1 fixes several issues. It also announces that the qed storage format will be no longer supported in SLE 15 (fate#324200). These security issues were fixed : - CVE-2017-15268: Qemu allowed remote attackers to cause a memory leak by triggering slow data-channel read operations, related to io/channel-websock.c (bsc#1062942) - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-10911: The make_response function in the Linux kernel allowed guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures (bsc#1057378) - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive (bsc#1054724) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) - CVE-2017-13711: Use-after-free vulnerability allowed attackers to cause a denial of service (QEMU instance crash) by leveraging failure to properly clear ifq_so from pending packets (bsc#1056291). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104376
    published2017-11-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104376
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:2924-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-3368.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167) * Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289) Red Hat would like to thank Thomas Garnier (Google.com) for reporting CVE-2017-14167 and Guoxiang Niu (Huawei.com) for reporting CVE-2017-15289.
    last seen2020-06-01
    modified2020-06-02
    plugin id105057
    published2017-12-07
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105057
    titleCentOS 7 : qemu-kvm (CESA-2017:3368)

Redhat

advisories
  • bugzilla
    id1501290
    titleCVE-2017-15289 Qemu: cirrus: OOB access issue in mode4and5 write functions
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentqemu-kvm-tools is earlier than 10:1.5.3-141.el7_4.4
            ovaloval:com.redhat.rhsa:tst:20173368001
          • commentqemu-kvm-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345002
        • AND
          • commentqemu-kvm-common is earlier than 10:1.5.3-141.el7_4.4
            ovaloval:com.redhat.rhsa:tst:20173368003
          • commentqemu-kvm-common is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140704004
        • AND
          • commentqemu-kvm is earlier than 10:1.5.3-141.el7_4.4
            ovaloval:com.redhat.rhsa:tst:20173368005
          • commentqemu-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345004
        • AND
          • commentqemu-img is earlier than 10:1.5.3-141.el7_4.4
            ovaloval:com.redhat.rhsa:tst:20173368007
          • commentqemu-img is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345006
    rhsa
    idRHSA-2017:3368
    released2017-11-30
    severityModerate
    titleRHSA-2017:3368: qemu-kvm security update (Moderate)
  • bugzilla
    id1501290
    titleCVE-2017-15289 Qemu: cirrus: OOB access issue in mode4and5 write functions
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • commentqemu-guest-agent is earlier than 2:0.12.1.2-2.503.el6_9.5
            ovaloval:com.redhat.rhsa:tst:20180516001
          • commentqemu-guest-agent is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20121234002
        • AND
          • commentqemu-img is earlier than 2:0.12.1.2-2.503.el6_9.5
            ovaloval:com.redhat.rhsa:tst:20180516003
          • commentqemu-img is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345006
        • AND
          • commentqemu-kvm-tools is earlier than 2:0.12.1.2-2.503.el6_9.5
            ovaloval:com.redhat.rhsa:tst:20180516005
          • commentqemu-kvm-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345002
        • AND
          • commentqemu-kvm is earlier than 2:0.12.1.2-2.503.el6_9.5
            ovaloval:com.redhat.rhsa:tst:20180516007
          • commentqemu-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345004
    rhsa
    idRHSA-2018:0516
    released2018-03-13
    severityModerate
    titleRHSA-2018:0516: qemu-kvm security update (Moderate)
  • rhsa
    idRHSA-2017:3369
  • rhsa
    idRHSA-2017:3466
  • rhsa
    idRHSA-2017:3470
  • rhsa
    idRHSA-2017:3471
  • rhsa
    idRHSA-2017:3472
  • rhsa
    idRHSA-2017:3473
  • rhsa
    idRHSA-2017:3474
rpms
  • qemu-img-10:1.5.3-141.el7_4.4
  • qemu-kvm-10:1.5.3-141.el7_4.4
  • qemu-kvm-common-10:1.5.3-141.el7_4.4
  • qemu-kvm-debuginfo-10:1.5.3-141.el7_4.4
  • qemu-kvm-tools-10:1.5.3-141.el7_4.4
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-img-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-common-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-10:2.9.0-16.el7_4.11
  • qemu-kvm-rhev-debuginfo-10:2.9.0-16.el7_4.11
  • qemu-kvm-tools-rhev-10:2.9.0-16.el7_4.11
  • qemu-guest-agent-2:0.12.1.2-2.503.el6_9.5
  • qemu-img-2:0.12.1.2-2.503.el6_9.5
  • qemu-kvm-2:0.12.1.2-2.503.el6_9.5
  • qemu-kvm-debuginfo-2:0.12.1.2-2.503.el6_9.5
  • qemu-kvm-tools-2:0.12.1.2-2.503.el6_9.5

References