Vulnerabilities > CVE-2017-2615 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 9.1 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
HIGH
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
qemu
redhat
citrix
debian
xen
CWE-787
critical
nessus

Summary

Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host.

Vulnerable Configurations

Part Description Count
Application
Qemu
234
Application
Citrix
5
Application
Redhat
6
OS
Redhat
11
OS
Debian
1
OS
Xen
182

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0096.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0096 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id99977
    published2017-05-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99977
    titleOracleVM 3.2 : xen (OVMSA-2017-0096)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The package checks in this plugin were extracted from OracleVM
    # Security Advisory OVMSA-2017-0096.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99977);
      script_version("3.12");
      script_cvs_date("Date: 2019/09/27 13:00:35");
    
      script_cve_id("CVE-2014-8106", "CVE-2016-9603", "CVE-2017-2615", "CVE-2017-2620", "CVE-2017-7228");
      script_bugtraq_id(71477);
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"OracleVM 3.2 : xen (OVMSA-2017-0096)");
      script_summary(english:"Checks the RPM output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote OracleVM host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote OracleVM system is missing necessary patches to address
    critical security updates : please see Oracle VM Security Advisory
    OVMSA-2017-0096 for details."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/oraclevm-errata/2017-May/000691.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected xen / xen-devel / xen-tools packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:xen-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2014/12/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/05/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/04");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"OracleVM Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/OracleVM/release");
    if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
    if (! preg(pattern:"^OVS" + "3\.2" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.2", "OracleVM " + release);
    if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"OVS3.2", reference:"xen-4.1.3-25.el5.223.62")) flag++;
    if (rpm_check(release:"OVS3.2", reference:"xen-devel-4.1.3-25.el5.223.62")) flag++;
    if (rpm_check(release:"OVS3.2", reference:"xen-tools-4.1.3-25.el5.223.62")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen / xen-devel / xen-tools");
    }
    
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-0454.NASL
    descriptionAn update for kvm is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (for Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware. Using KVM, one can run multiple virtual machines running unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc. Security Fix(es) : * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615. Note that Tenable Network Security has attempted to extract the preceding description block directly from the corresponding Red Hat security advisory. Virtuozzo provides no description for VZLSA advisories. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-03
    modified2017-07-13
    plugin id101434
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101434
    titleVirtuozzo 7 : kmod-kvm / kmod-kvm-debug / kvm / kvm-qemu-img / etc (VZLSA-2017-0454)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101434);
      script_version("1.59");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/14");
    
      script_cve_id(
        "CVE-2017-2615",
        "CVE-2017-2620"
      );
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"Virtuozzo 7 : kmod-kvm / kmod-kvm-debug / kvm / kvm-qemu-img / etc (VZLSA-2017-0454)");
      script_summary(english:"Checks the rpm output for the updated package.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Virtuozzo host is missing a security update.");
      script_set_attribute(attribute:"description", value:
    "An update for kvm is now available for Red Hat Enterprise Linux 5.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    KVM (for Kernel-based Virtual Machine) is a full virtualization
    solution for Linux on x86 hardware. Using KVM, one can run multiple
    virtual machines running unmodified Linux or Windows images. Each
    virtual machine has private virtualized hardware: a network card,
    disk, graphics adapter, etc.
    
    Security Fix(es) :
    
    * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator
    support is vulnerable to an out-of-bounds access issue. It could occur
    while copying VGA data via bitblt copy in backward mode. A privileged
    user inside a guest could use this flaw to crash the QEMU process
    resulting in DoS or potentially execute arbitrary code on the host
    with privileges of QEMU process on the host. (CVE-2017-2615)
    
    * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator
    support is vulnerable to an out-of-bounds access issue. The issue
    could occur while copying VGA data in cirrus_bitblt_cputovideo. A
    privileged user inside guest could use this flaw to crash the QEMU
    process OR potentially execute arbitrary code on host with privileges
    of the QEMU process. (CVE-2017-2620)
    
    Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang
    (360.cn Inc.) for reporting CVE-2017-2615.
    
    Note that Tenable Network Security has attempted to extract the
    preceding description block directly from the corresponding Red Hat
    security advisory. Virtuozzo provides no description for VZLSA
    advisories. Tenable has attempted to automatically clean and format
    it as much as possible without introducing additional issues.");
      # http://repo.virtuozzo.com/vzlinux/announcements/json/VZLSA-2017-0454.json
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5c8c608a");
      script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2017-0454");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kmod-kvm / kmod-kvm-debug / kvm / kvm-qemu-img / etc package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:U/RC:ND");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:U/RC:X");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:kmod-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:kmod-kvm-debug");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:kvm-qemu-img");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:virtuozzo:virtuozzo:kvm-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:virtuozzo:virtuozzo:7");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Virtuozzo Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Virtuozzo/release", "Host/Virtuozzo/rpm-list");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/Virtuozzo/release");
    if (isnull(release) || "Virtuozzo" >!< release) audit(AUDIT_OS_NOT, "Virtuozzo");
    os_ver = pregmatch(pattern: "Virtuozzo Linux release ([0-9]+\.[0-9])(\D|$)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Virtuozzo");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Virtuozzo 7.x", "Virtuozzo " + os_ver);
    
    if (!get_kb_item("Host/Virtuozzo/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Virtuozzo", cpu);
    
    flag = 0;
    
    pkgs = ["kmod-kvm-83-277.vl5",
            "kmod-kvm-debug-83-277.vl5",
            "kvm-83-277.vl5",
            "kvm-qemu-img-83-277.vl5",
            "kvm-tools-83-277.vl5"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"Virtuozzo-7", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kmod-kvm / kmod-kvm-debug / kvm / kvm-qemu-img / etc");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0661-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a memory leakage issue allowing a privileged user to leak host memory resulting in DoS (bsc#1023053) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id97696
    published2017-03-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97696
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2017:0661-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:0661-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97696);
      script_version("3.16");
      script_cvs_date("Date: 2019/09/11 11:22:15");
    
      script_cve_id("CVE-2016-10155", "CVE-2016-9776", "CVE-2016-9907", "CVE-2016-9911", "CVE-2016-9921", "CVE-2016-9922", "CVE-2017-2615", "CVE-2017-2620", "CVE-2017-5667", "CVE-2017-5856", "CVE-2017-5898");
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"SUSE SLES12 Security Update : qemu (SUSE-SU-2017:0661-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for qemu fixes several issues. These security issues were
    fixed :
    
      - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the
        bitblit copy routine cirrus_bitblt_cputovideo failed to
        check the memory region, allowing for an out-of-bounds
        write that allows for privilege escalation (bsc#1024972)
    
      - CVE-2017-2615: An error in the bitblt copy operation
        could have allowed a malicious guest administrator to
        cause an out of bounds memory access, possibly leading
        to information disclosure or privilege escalation
        (bsc#1023004)
    
      - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter
        emulation support was vulnerable to a memory leakage
        issue allowing a privileged user to leak host memory
        resulting in DoS (bsc#1023053)
    
      - CVE-2016-9776: The ColdFire Fast Ethernet Controller
        emulator support was vulnerable to an infinite loop
        issue while receiving packets in 'mcf_fec_receive'. A
        privileged user/process inside guest could have used
        this issue to crash the Qemu process on the host leading
        to DoS (bsc#1013285)
    
      - CVE-2016-9911: The USB EHCI Emulation support was
        vulnerable to a memory leakage issue while processing
        packet data in 'ehci_init_transfer'. A guest
        user/process could have used this issue to leak host
        memory, resulting in DoS for the host (bsc#1014111)
    
      - CVE-2016-9907: The USB redirector usb-guest support was
        vulnerable to a memory leakage flaw when destroying the
        USB redirector in 'usbredir_handle_destroy'. A guest
        user/process could have used this issue to leak host
        memory, resulting in DoS for a host (bsc#1014109)
    
      - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support
        was vulnerable to a divide by zero issue while copying
        VGA data. A privileged user inside guest could have used
        this flaw to crash the process instance on the host,
        resulting in DoS (bsc#1014702)
    
      - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support
        was vulnerable to a divide by zero issue while copying
        VGA data. A privileged user inside guest could have used
        this flaw to crash the process instance on the host,
        resulting in DoS (bsc#1014702)
    
      - CVE-2017-5667: The SDHCI device emulation support was
        vulnerable to an OOB heap access issue allowing a
        privileged user inside the guest to crash the Qemu
        process resulting in DoS or potentially execute
        arbitrary code with privileges of the Qemu process on
        the host (bsc#1022541)
    
      - CVE-2017-5898: The CCID Card device emulator support was
        vulnerable to an integer overflow allowing a privileged
        user inside the guest to crash the Qemu process
        resulting in DoS (bnc#1023907)
    
      - CVE-2016-10155: The i6300esb watchdog emulation support
        was vulnerable to a memory leakage issue allowing a
        privileged user inside the guest to leak memory on the
        host resulting in DoS (bnc#1021129)
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1013285"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014111"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1014702"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1015048"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1015169"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1016779"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1021129"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1022541"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1023004"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1023053"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1023907"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1024972"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10155/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9776/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9907/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9911/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9921/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9922/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2615/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2620/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5667/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5856/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5898/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20170661-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?35846804"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server for SAP 12:zypper in -t patch
    SUSE-SLE-SAP-12-2017-366=1
    
    SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-2017-366=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/23");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/13");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-block-rbd-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-block-rbd-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-x86-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-x86-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"s390x", reference:"qemu-s390-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"s390x", reference:"qemu-s390-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-block-curl-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-block-curl-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-debugsource-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-guest-agent-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-guest-agent-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-lang-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-tools-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-tools-debuginfo-2.0.2-48.31.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-kvm-2.0.2-48.31.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-CDB53B04E0.NASL
    descriptionQemu: net: mcf_fec: infinite loop while receiving data in mcf_fec_receive [CVE-2016-9776] Qemu: audio: memory leakage in ac97 [CVE-2017-5525] Qemu: audio: memory leakage in es1370 device [CVE-2017-5526] oob access in cirrus bitblt copy [XSA-208, CVE-2017-2615] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-02-15
    plugin id97179
    published2017-02-15
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97179
    titleFedora 25 : xen (2017-cdb53b04e0)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-cdb53b04e0.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97179);
      script_version("3.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-9776", "CVE-2017-2615", "CVE-2017-5525", "CVE-2017-5526");
      script_xref(name:"FEDORA", value:"2017-cdb53b04e0");
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"Fedora 25 : xen (2017-cdb53b04e0)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Qemu: net: mcf_fec: infinite loop while receiving data in
    mcf_fec_receive [CVE-2016-9776] Qemu: audio: memory leakage in ac97
    [CVE-2017-5525] Qemu: audio: memory leakage in es1370 device
    [CVE-2017-5526] oob access in cirrus bitblt copy [XSA-208,
    CVE-2017-2615]
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-cdb53b04e0"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected xen package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:xen");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"xen-4.7.1-7.fc25")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-0396.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615. Bug Fix(es) : * When using the virtio-blk driver on a guest virtual machine with no space on the virtual hard drive, the guest terminated unexpectedly with a
    last seen2020-06-01
    modified2020-06-02
    plugin id97528
    published2017-03-06
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97528
    titleCentOS 7 : qemu-kvm (CESA-2017:0396)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:0396 and 
    # CentOS Errata and Security Advisory 2017:0396 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97528);
      script_version("3.10");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2017-2615", "CVE-2017-2620");
      script_xref(name:"RHSA", value:"2017:0396");
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"CentOS 7 : qemu-kvm (CESA-2017:0396)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for qemu-kvm is now available for Red Hat Enterprise Linux
    7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Kernel-based Virtual Machine (KVM) is a full virtualization solution
    for Linux on a variety of architectures. The qemu-kvm packages provide
    the user-space component for running virtual machines that use KVM.
    
    Security Fix(es) :
    
    * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator
    support is vulnerable to an out-of-bounds access issue. It could occur
    while copying VGA data via bitblt copy in backward mode. A privileged
    user inside a guest could use this flaw to crash the QEMU process
    resulting in DoS or potentially execute arbitrary code on the host
    with privileges of QEMU process on the host. (CVE-2017-2615)
    
    * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator
    support is vulnerable to an out-of-bounds access issue. The issue
    could occur while copying VGA data in cirrus_bitblt_cputovideo. A
    privileged user inside guest could use this flaw to crash the QEMU
    process OR potentially execute arbitrary code on host with privileges
    of the QEMU process. (CVE-2017-2620)
    
    Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang
    (360.cn Inc.) for reporting CVE-2017-2615.
    
    Bug Fix(es) :
    
    * When using the virtio-blk driver on a guest virtual machine with no
    space on the virtual hard drive, the guest terminated unexpectedly
    with a 'block I/O error in device' message and the qemu-kvm process
    exited with a segmentation fault. This update fixes how the
    system_reset QEMU signal is handled in the above scenario. As a
    result, if a guest crashes due to no space left on the device,
    qemu-kvm continues running and the guest can be reset as expected.
    (BZ#1420049)"
      );
      # https://lists.centos.org/pipermail/centos-announce/2017-March/022321.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?30ed98b0"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected qemu-kvm packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2615");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-img");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-kvm-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-kvm-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/03");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/06");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"qemu-img-1.5.3-126.el7_3.5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"qemu-kvm-1.5.3-126.el7_3.5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"qemu-kvm-common-1.5.3-126.el7_3.5")) flag++;
    if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"qemu-kvm-tools-1.5.3-126.el7_3.5")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-img / qemu-kvm / qemu-kvm-common / qemu-kvm-tools");
    }
    
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-0309.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on the host with privileges of Qemu process on the host. (CVE-2017-2615) * An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet
    last seen2020-06-01
    modified2020-06-02
    plugin id97390
    published2017-02-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97390
    titleCentOS 6 : qemu-kvm (CESA-2017:0309)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2017:0309 and 
    # CentOS Errata and Security Advisory 2017:0309 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97390);
      script_version("3.9");
      script_cvs_date("Date: 2019/12/31");
    
      script_cve_id("CVE-2016-2857", "CVE-2017-2615");
      script_xref(name:"RHSA", value:"2017:0309");
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"CentOS 6 : qemu-kvm (CESA-2017:0309)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "An update for qemu-kvm is now available for Red Hat Enterprise Linux
    6.
    
    Red Hat Product Security has rated this update as having a security
    impact of Important. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Kernel-based Virtual Machine (KVM) is a full virtualization solution
    for Linux on a variety of architectures. The qemu-kvm packages provide
    the user-space component for running virtual machines that use KVM.
    
    Security Fix(es) :
    
    * Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA emulator
    support is vulnerable to an out-of-bounds access issue. It could occur
    while copying VGA data via bitblt copy in backward mode. A privileged
    user inside a guest could use this flaw to crash the Qemu process
    resulting in DoS or potentially execute arbitrary code on the host
    with privileges of Qemu process on the host. (CVE-2017-2615)
    
    * An out-of-bounds read-access flaw was found in the QEMU emulator
    built with IP checksum routines. The flaw could occur when computing a
    TCP/UDP packet's checksum, because a QEMU function used the packet's
    payload length without checking against the data buffer's size. A user
    inside a guest could use this flaw to crash the QEMU process (denial
    of service). (CVE-2016-2857)
    
    Red Hat would like to thank Wjjzhang (Tencent.com Inc.) Li Qiang
    (360.cn Inc.) for reporting CVE-2017-2615 and Ling Liu (Qihoo 360
    Inc.) for reporting CVE-2016-2857.
    
    This update also fixes the following bug :
    
    * Previously, rebooting a guest virtual machine more than 128 times in
    a short period of time caused the guest to shut down instead of
    rebooting, because the virtqueue was not cleaned properly. This update
    ensures that the virtqueue is cleaned more reliably, which prevents
    the described problem from occurring. (BZ#1408389)
    
    All qemu-kvm users are advised to upgrade to these updated packages,
    which contain backported patches to correct these issues. After
    installing this update, shut down all running virtual machines. Once
    all virtual machines have shut down, start them again for this update
    to take effect."
      );
      # https://lists.centos.org/pipermail/centos-announce/2017-February/022287.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e79db88e"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected qemu-kvm packages."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-2615");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-img");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:qemu-kvm-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/24");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/27");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"CentOS-6", reference:"qemu-guest-agent-0.12.1.2-2.491.el6_8.6")) flag++;
    if (rpm_check(release:"CentOS-6", cpu:"x86_64", reference:"qemu-img-0.12.1.2-2.491.el6_8.6")) flag++;
    if (rpm_check(release:"CentOS-6", cpu:"x86_64", reference:"qemu-kvm-0.12.1.2-2.491.el6_8.6")) flag++;
    if (rpm_check(release:"CentOS-6", cpu:"x86_64", reference:"qemu-kvm-tools-0.12.1.2-2.491.el6_8.6")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-guest-agent / qemu-img / qemu-kvm / qemu-kvm-tools");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-589.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a memory leakage issue allowing a privileged user to leak host memory resulting in DoS (bsc#1023053) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-05
    modified2017-05-17
    plugin id100232
    published2017-05-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100232
    titleopenSUSE Security Update : qemu (openSUSE-2017-589)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2017-0454.NASL
    descriptionAn update for kvm is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (for Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware. Using KVM, one can run multiple virtual machines running unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc. Security Fix(es) : * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615.
    last seen2020-06-01
    modified2020-06-02
    plugin id97611
    published2017-03-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97611
    titleCentOS 5 : kvm (CESA-2017:0454)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0396.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615. Bug Fix(es) : * When using the virtio-blk driver on a guest virtual machine with no space on the virtual hard drive, the guest terminated unexpectedly with a
    last seen2020-06-01
    modified2020-06-02
    plugin id97512
    published2017-03-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97512
    titleRHEL 7 : qemu-kvm (RHSA-2017:0396)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170307_KVM_ON_SL5_X.NASL
    descriptionSecurity Fix(es) : - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620)
    last seen2020-03-18
    modified2017-03-08
    plugin id97597
    published2017-03-08
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97597
    titleScientific Linux Security Update : kvm on SL5.x x86_64 (20170307)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0043.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - kvm-cirrus_vga-fix-division-by-0-for-color-expansion-rop .patch - kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.p atch - kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.pa tch - kvm-display-cirrus-ignore-source-pitch-value-as-needed-i .patch - kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re .patch - kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops. patch - kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418230 bz#1419416] - kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418230 bz#1419416] - Resolves: bz#1418230 (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-6.8.z]) - Resolves: bz#1419416 (CVE-2017-2615 qemu-kvm-rhev: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-6.8.z]) - kvm-net-check-packet-payload-length.patch [bz#1398213] - Resolves: bz#1398213 (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate [rhel-6.8.z]) - kvm-virtio-introduce-virtqueue_unmap_sg.patch [bz#1408389] - kvm-virtio-introduce-virtqueue_discard.patch [bz#1408389] - kvm-virtio-decrement-vq-inuse-in-virtqueue_discard.patch [bz#1408389] - kvm-balloon-fix-segfault-and-harden-the-stats-queue.patc h [bz#1408389] - kvm-virtio-balloon-discard-virtqueue-element-on-reset.pa tch [bz#1408389] - kvm-virtio-zero-vq-inuse-in-virtio_reset.patch [bz#1408389] - Resolves: bz#1408389 ([RHEL6.8.z] KVM guest shuts itself down after 128th reboot)
    last seen2020-06-01
    modified2020-06-02
    plugin id97409
    published2017-02-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97409
    titleOracleVM 3.4 : qemu-kvm (OVMSA-2017-0043)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0153.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0153 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id103830
    published2017-10-13
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103830
    titleOracleVM 3.4 : xen (OVMSA-2017-0153)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170223_QEMU_KVM_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on the host with privileges of Qemu process on the host. (CVE-2017-2615) - An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet
    last seen2020-03-18
    modified2017-02-24
    plugin id97379
    published2017-02-24
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97379
    titleScientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64 (20170223)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1497.NASL
    descriptionSeveral vulnerabilities were found in qemu, a fast processor emulator : CVE-2015-8666 Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator CVE-2016-2198 NULL pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service CVE-2016-6833 Use after free while writing in the vmxnet3 device that could be used to cause a denial of service CVE-2016-6835 Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service CVE-2016-8576 Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support CVE-2016-8667 / CVE-2016-8669 Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service CVE-2016-9602 Improper link following with VirtFS CVE-2016-9603 Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support CVE-2016-9776 Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator CVE-2016-9907 Memory leakage in the USB redirector usb-guest support CVE-2016-9911 Memory leakage in ehci_init_transfer in the USB EHCI support CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916 Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver CVE-2016-9921 / CVE-2016-9922 Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support CVE-2016-10155 Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations. CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718 Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service CVE-2017-5525 / CVE-2017-5526 Memory leakage issues in the ac97 and es1370 device emulation CVE-2017-5579 Most memory leakage in the 16550A UART emulation CVE-2017-5667 Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support. CVE-2017-5715 Mitigations against the Spectre v2 vulnerability. For more information please refer to https://www.qemu.org/2018/01/04/spectre/ CVE-2017-5856 Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505 Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list CVE-2017-7377 9pfs: host memory leakage via v9fs_create CVE-2017-7493 Improper access control issues in the host directory sharing via 9pfs support. CVE-2017-7980 Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service CVE-2017-8086 9pfs: host memory leakage via v9pfs_list_xattr CVE-2017-8112 Infinite loop in the VMWare PVSCSI emulation CVE-2017-8309 / CVE-2017-8379 Host memory leakage issues via the audio capture buffer and the keyboard input event handlers CVE-2017-9330 Infinite loop due to incorrect return value in USB OHCI that may result in denial of service CVE-2017-9373 / CVE-2017-9374 Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service CVE-2017-9503 NULL pointer dereference while processing megasas command CVE-2017-10806 Stack buffer overflow in USB redirector CVE-2017-10911 Xen disk may leak stack data via response ring CVE-2017-11434 Out-of-bounds read while parsing Slirp/DHCP options CVE-2017-14167 Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code CVE-2017-15038 9pfs: information disclosure when reading extended attributes CVE-2017-15289 Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service CVE-2017-16845 Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration CVE-2017-18043 Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service CVE-2018-7550 Incorrect handling of memory during multiboot that could may result in execution of arbitrary code For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id117351
    published2018-09-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117351
    titleDebian DLA-1497-1 : qemu security update (Spectre)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-0454.NASL
    descriptionFrom Red Hat Security Advisory 2017:0454 : An update for kvm is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (for Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware. Using KVM, one can run multiple virtual machines running unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc. Security Fix(es) : * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615.
    last seen2020-06-01
    modified2020-06-02
    plugin id97593
    published2017-03-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97593
    titleOracle Linux 5 : kvm (ELSA-2017-0454)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-0309.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on the host with privileges of Qemu process on the host. (CVE-2017-2615) * An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet
    last seen2020-06-01
    modified2020-06-02
    plugin id101428
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101428
    titleVirtuozzo 6 : qemu-guest-agent / qemu-img / qemu-kvm / etc (VZLSA-2017-0309)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-349.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-5898: The CCID Card device emulator support was vulnerable to an integer overflow flaw allowing a privileged user to crash the Qemu process on the host resulting in DoS (bsc#1023907). - CVE-2017-5857: The Virtio GPU Device emulator support was vulnerable to a host memory leakage issue allowing a guest user to leak host memory resulting in DoS (bsc#1023073). - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a memory leakage issue allowing a privileged user to leak host memory resulting in DoS (bsc#1023053) - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1014702) - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1014702) - CVE-2016-10029: The Virtio GPU Device emulator support was vulnerable to an OOB read issue allowing a guest user to crash the Qemu process instance resulting in Dos (bsc#1017081). - CVE-2016-10028: The Virtio GPU Device emulator support was vulnerable to an out of bounds memory access issue allowing a guest user to crash the Qemu process instance on a host, resulting in DoS (bsc#1017084). - CVE-2016-10155: The virtual hardware watchdog
    last seen2020-06-05
    modified2017-03-17
    plugin id97791
    published2017-03-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97791
    titleopenSUSE Security Update : qemu (openSUSE-2017-349)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0718-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2016-10155: The virtual hardware watchdog
    last seen2020-06-01
    modified2020-06-02
    plugin id97828
    published2017-03-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97828
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2017:0718-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1037.NASL
    descriptionAccording to the versions of the qemu-kvm package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-03
    modified2017-05-01
    plugin id99882
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99882
    titleEulerOS 2.0 SP1 : qemu-kvm (EulerOS-SA-2017-1037)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0454.NASL
    descriptionAn update for kvm is now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (for Kernel-based Virtual Machine) is a full virtualization solution for Linux on x86 hardware. Using KVM, one can run multiple virtual machines running unmodified Linux or Windows images. Each virtual machine has private virtualized hardware: a network card, disk, graphics adapter, etc. Security Fix(es) : * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615.
    last seen2020-06-01
    modified2020-06-02
    plugin id97594
    published2017-03-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97594
    titleRHEL 5 : kvm (RHSA-2017:0454)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0142.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0142 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id102835
    published2017-08-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/102835
    titleOracleVM 3.4 : xen (OVMSA-2017-0142)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0108_QEMU-KVM.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has qemu-kvm packages installed that are affected by multiple vulnerabilities: - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) - An out-of-bounds memory access issue was found in Quick Emulator (QEMU) in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the
    last seen2020-06-01
    modified2020-06-02
    plugin id127343
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127343
    titleNewStart CGSL MAIN 4.05 : qemu-kvm Multiple Vulnerabilities (NS-SA-2019-0108)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-329.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024834). - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004). - A malicious guest could have, by frequently rebooting over extended periods of time, run the host system out of memory, resulting in a Denial of Service (DoS) (bsc#1022871) - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1015169 These non-security issues were fixed : - bsc#1000195: Prevent panic on CPU0 while booting on SLES 11 SP3 - bsc#1002496: Added support for reloading clvm in block-dmmd block-dmmd - bsc#1005028: Fixed building Xen RPMs from Sources This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen2020-06-05
    modified2017-03-14
    plugin id97712
    published2017-03-14
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97712
    titleopenSUSE Security Update : xen (openSUSE-2017-329)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-0309.NASL
    descriptionFrom Red Hat Security Advisory 2017:0309 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on the host with privileges of Qemu process on the host. (CVE-2017-2615) * An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet
    last seen2020-06-01
    modified2020-06-02
    plugin id97372
    published2017-02-24
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97372
    titleOracle Linux 6 : qemu-kvm (ELSA-2017-0309)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0344.NASL
    descriptionAn update for qemu-kvm-rhev is now available for RHEV 3.X Hypervisor and Agents for RHEL-6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Security Fix(es) : * Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on the host with privileges of Qemu process on the host. (CVE-2017-2615) * An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet
    last seen2020-06-01
    modified2020-06-02
    plugin id97487
    published2017-03-02
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97487
    titleRHEL 6 : qemu-kvm-rhev (RHSA-2017:0344)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0309.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick emulator (Qemu) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on the host with privileges of Qemu process on the host. (CVE-2017-2615) * An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet
    last seen2020-06-01
    modified2020-06-02
    plugin id97374
    published2017-02-24
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97374
    titleRHEL 6 : qemu-kvm (RHSA-2017:0309)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2018-0248.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2018-0248 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id111992
    published2018-08-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111992
    titleOracleVM 3.4 : xen (OVMSA-2018-0248) (Bunker Buster) (Foreshadow) (Meltdown) (POODLE) (Spectre)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0571-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024834). - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004). - A malicious guest could have, by frequently rebooting over extended periods of time, run the host system out of memory, resulting in a Denial of Service (DoS) (bsc#1022871) - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1015169 The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id97433
    published2017-02-28
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97433
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:0571-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-31B976672B.NASL
    description - CVE-2016-7907: net: imx: infinite loop (bz #1381182) - CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110) - CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210) - CVE-2016-10155 watchdog: memory leakage in i6300esb (bz #1415200) - CVE-2017-5552: virtio-gpu-3d: memory leakage (bz #1415283) - CVE-2017-5578: virtio-gpu: memory leakage (bz #1415797) - CVE-2017-5667: sd: sdhci OOB access during multi block transfer (bz #1417560) - CVE-2017-5856: scsi: megasas: memory leakage (bz #1418344) - CVE-2017-5857: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref (bz #1418383) - CVE-2017-5898: usb: integer overflow in emulated_apdu_from_guest (bz #1419700) - CVE-2017-5987: sd: infinite loop issue in multi block transfers (bz #1422001) - CVE-2017-6058: vmxnet3: OOB access when doing vlan stripping (bz #1423359) - CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list (bz #1429434) - CVE-2017-2615: cirrus: oob access while doing bitblt copy backward (bz #1418206) - CVE-2017-2620: cirrus: potential arbitrary code execution (bz #1425419) - Fix spice GL with new mesa/libglvnd (bz #1431905) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-03-20
    plugin id97804
    published2017-03-20
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97804
    titleFedora 25 : 2:qemu (2017-31b976672b)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0647-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025188) - CVE-2016-10155: The virtual hardware watchdog
    last seen2020-06-01
    modified2020-06-02
    plugin id97657
    published2017-03-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97657
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2017:0647-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0570-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025188). - CVE-2016-10155: The virtual hardware watchdog
    last seen2020-06-01
    modified2020-06-02
    plugin id97432
    published2017-02-28
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97432
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:0570-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1241-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a memory leakage issue allowing a privileged user to leak host memory resulting in DoS (bsc#1023053) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id100149
    published2017-05-12
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100149
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:1241-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2017-0350.NASL
    descriptionAn update for qemu-kvm-rhev is now available for RHEV 3.X Hypervisor and Agents for RHEL-7 and RHEV 4.X RHEV-H and Agents for RHEL-7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Security Fix(es) : * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) * An out-of-bounds read-access flaw was found in the QEMU emulator built with IP checksum routines. The flaw could occur when computing a TCP/UDP packet
    last seen2020-06-01
    modified2020-06-02
    plugin id97488
    published2017-03-02
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97488
    titleRHEL 7 : qemu-kvm-rhev (RHSA-2017:0350)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-845.NASL
    descriptionSeveral vulnerabilities were discovered in qemu, a fast processor emulator. The Common Vulnerabilities and Exposures project identifies the following problems : CVE-2017-2615 The Cirrus CLGD 54xx VGA Emulator in qemu is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on the host with privileges of Qemu process on the host. CVE-2017-2620 The Cirrus CLGD 54xx VGA Emulator in qemu is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on the host with privileges of Qemu process on the host. CVE-2017-5898 The CCID Card device emulator support is vulnerable to an integer overflow flaw. It could occur while passing message via command/responses packets to and from the host. A privileged user inside guest could use this flaw to crash the Qemu process on host resulting in DoS. CVE-2017-5973 The USB xHCI controller emulator support in qemu is vulnerable to an infinite loop issue. It could occur while processing control transfer descriptors
    last seen2020-03-17
    modified2017-03-02
    plugin id97473
    published2017-03-02
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97473
    titleDebian DLA-845-1 : qemu security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-62AC1230F7.NASL
    description - CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110) - CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210) - CVE-2016-10155 watchdog: memory leakage in i6300esb (bz #1415200) - CVE-2017-5552: virtio-gpu-3d: memory leakage (bz #1415283) - CVE-2017-5667: sd: sdhci OOB access during multi block transfer (bz #1417560) - CVE-2017-5857: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref (bz #1418383) - CVE-2017-5856: scsi: megasas: memory leakage (bz #1418344) - CVE-2017-5898: usb: integer overflow in emulated_apdu_from_guest (bz #1419700) - CVE-2017-5987: sd: infinite loop issue in multi block transfers (bz #1422001) - CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list (bz #1429434) - CVE-2017-2615: cirrus: oob access while doing bitblt copy backward (bz #1418206) - CVE-2017-2620: cirrus: potential arbitrary code execution (bz #1425419) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-03-22
    plugin id97865
    published2017-03-22
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97865
    titleFedora 24 : 2:qemu (2017-62ac1230f7)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1038.NASL
    descriptionAccording to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-21
    modified2017-05-01
    plugin id99883
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99883
    titleEulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2017-1038)
  • NASL familyVirtuozzo Local Security Checks
    NASL idVIRTUOZZO_VZLSA-2017-0396.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615. Bug Fix(es) : * When using the virtio-blk driver on a guest virtual machine with no space on the virtual hard drive, the guest terminated unexpectedly with a
    last seen2020-06-10
    modified2017-07-13
    plugin id101433
    published2017-07-13
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101433
    titleVirtuozzo 7 : qemu-img / qemu-kvm / qemu-kvm-common / etc (VZLSA-2017-0396)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-3084-1.NASL
    descriptionThis update for kvm fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id104780
    published2017-11-27
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104780
    titleSUSE SLES11 Security Update : kvm (SUSE-SU-2017:3084-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-D4EE7018C1.NASL
    descriptionmemory leak when destroying guest without PT devices [XSA-207] (#1422492) update patches for XSA-208 after upstream revision (no functional change) ---- Qemu: net: mcf_fec: infinite loop while receiving data in mcf_fec_receive [CVE-2016-9776] Qemu: audio: memory leakage in ac97 [CVE-2017-5525] (#1414111) Qemu: audio: memory leakage in es1370 device [CVE-2017-5526] (#1414211) oob access in cirrus bitblt copy [XSA-208, CVE-2017-2615] (#1418243) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-02-28
    plugin id97430
    published2017-02-28
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97430
    titleFedora 24 : xen (2017-d4ee7018c1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3261-1.NASL
    descriptionZhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10028, CVE-2016-10029) Li Qiang discovered that QEMU incorrectly handled the 6300esb watchdog. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-10155) Li Qiang discovered that QEMU incorrectly handled the i.MX Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7907) It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8667) It was discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8669) It was discovered that QEMU incorrectly handled the shared rings when used with Xen. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. (CVE-2016-9381) Jann Horn discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to access files on the host file system outside of the shared directory and possibly escalate their privileges. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9602) Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA device when being used with a VNC connection. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9603) It was discovered that QEMU incorrectly handled the ColdFire Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9776) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9845, CVE-2016-9908) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9846, CVE-2016-9912, CVE-2017-5552, CVE-2017-5578, CVE-2017-5857) Li Qiang discovered that QEMU incorrectly handled the USB redirector. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9907) Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9911) Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916) Qinghao Tang, Li Qiang, and Jiangxin discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9921, CVE-2016-9922) Wjjzhang and Li Qiang discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2615) It was discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2620) It was discovered that QEMU incorrectly handled VNC connections. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-2633) Li Qiang discovered that QEMU incorrectly handled the ac97 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5525) Li Qiang discovered that QEMU incorrectly handled the es1370 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5526) Li Qiang discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5579) Jiang Xin discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-5667) Li Qiang discovered that QEMU incorrectly handled the MegaRAID SAS device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5856) Li Qiang discovered that QEMU incorrectly handled the CCID Card device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5898) Li Qiang discovered that QEMU incorrectly handled USB xHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5973) Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5987) Li Qiang discovered that QEMU incorrectly handled USB OHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-6505). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99581
    published2017-04-21
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99581
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 : qemu vulnerabilities (USN-3261-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201702-28.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201702-28 (QEMU: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact : A local attacker could potentially execute arbitrary code with privileges of QEMU process on the host, gain privileges on the host system, cause a Denial of Service condition, or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id97271
    published2017-02-21
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97271
    titleGLSA-201702-28 : QEMU: Multiple vulnerabilities
  • NASL familyMisc.
    NASL idCITRIX_XENSERVER_CTX220771.NASL
    descriptionThe version of Citrix XenServer running on the remote host is missing a security hotfix. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the blit_region_is_unsafe() function within file hw/display/cirrus_vga.c when handling a backward mode bitblt copy. A guest attacker with administrative privileges can exploit this to crash the QEMU process or potentially execute arbitrary code with elevated privileges. (CVE-2017-2615) - A flaw exists in the cirrus_bitblt_cputovideo() function within file hw/display/cirrus_vga.c when running in CIRRUS_BLTMODE_MEMSYSSRC mode due to improper memory region checks. A guest attacker with administrative privileges can exploit this to crash the QEMU process or potentially execute arbitrary code with elevated privileges. (CVE-2017-2620)
    last seen2020-06-01
    modified2020-06-02
    plugin id97525
    published2017-03-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97525
    titleCitrix XenServer Multiple Vulnerabilities (CTX220771)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20170302_QEMU_KVM_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Bug Fix(es) : - When using the virtio-blk driver on a guest virtual machine with no space on the virtual hard drive, the guest terminated unexpectedly with a
    last seen2020-03-18
    modified2017-03-03
    plugin id97517
    published2017-03-03
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97517
    titleScientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20170302)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_A73ABA9AEFFE11E6AE1B002590263BF5.NASL
    descriptionThe Xen Project reports : When doing bitblt copy backwards, qemu should negate the blit width. This avoids an oob access before the start of video memory. A malicious guest administrator can cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation.
    last seen2020-06-01
    modified2020-06-02
    plugin id97109
    published2017-02-13
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97109
    titleFreeBSD : xen-tools -- oob access in cirrus bitblt copy (a73aba9a-effe-11e6-ae1b-002590263bf5)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0095.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0095 for details.
    last seen2020-06-01
    modified2020-06-02
    plugin id99976
    published2017-05-04
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99976
    titleOracleVM 3.3 : xen (OVMSA-2017-0095)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0625-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-5898: The CCID Card device emulator support was vulnerable to an integer overflow flaw allowing a privileged user to crash the Qemu process on the host resulting in DoS (bsc#1023907). - CVE-2017-5857: The Virtio GPU Device emulator support was vulnerable to a host memory leakage issue allowing a guest user to leak host memory resulting in DoS (bsc#1023073). - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a memory leakage issue allowing a privileged user to leak host memory resulting in DoS (bsc#1023053) - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1014702) - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1014702) - CVE-2016-10029: The Virtio GPU Device emulator support was vulnerable to an OOB read issue allowing a guest user to crash the Qemu process instance resulting in Dos (bsc#1017081). - CVE-2016-10028: The Virtio GPU Device emulator support was vulnerable to an out of bounds memory access issue allowing a guest user to crash the Qemu process instance on a host, resulting in DoS (bsc#1017084). - CVE-2016-10155: The virtual hardware watchdog
    last seen2020-06-01
    modified2020-06-02
    plugin id97599
    published2017-03-08
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97599
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:0625-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-0582-1.NASL
    descriptionThis update for xen fixes several issues. These security issues were fixed : - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025188) - CVE-2016-10155: The virtual hardware watchdog
    last seen2020-06-01
    modified2020-06-02
    plugin id97467
    published2017-03-01
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97467
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2017:0582-1)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2017-0055.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - kvm-cirrus-fix-patterncopy-checks.patch [bz#1420487 bz#1420489] - kvm-Revert-cirrus-allow-zero-source-pitch-in-pattern-fil .patch - kvm-cirrus-add-blit_is_unsafe-call-to-cirrus_bitblt_cput .patch - Resolves: bz#1420487 (EMBARGOED CVE-2017-2620 qemu-kvm: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-6.9]) - Resolves: bz#1420489 (EMBARGOED CVE-2017-2620 qemu-kvm-rhev: Qemu: display: cirrus: potential arbitrary code execution via cirrus_bitblt_cputovideo [rhel-6.9]) - kvm-cirrus_vga-fix-division-by-0-for-color-expansion-rop .patch - kvm-cirrus_vga-fix-off-by-one-in-blit_region_is_unsafe.p atch - kvm-display-cirrus-check-vga-bits-per-pixel-bpp-value.pa tch - kvm-display-cirrus-ignore-source-pitch-value-as-needed-i .patch - kvm-cirrus-handle-negative-pitch-in-cirrus_invalidate_re .patch - kvm-cirrus-allow-zero-source-pitch-in-pattern-fill-rops. patch - kvm-cirrus-fix-blit-address-mask-handling.patch [bz#1418231 bz#1419417] - kvm-cirrus-fix-oob-access-issue-CVE-2017-2615.patch [bz#1418231 bz#1419417] - Resolves: bz#1418231 (CVE-2017-2615 qemu-kvm: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-6.9]) - Resolves: bz#1419417 (CVE-2017-2615 qemu-kvm-rhev: Qemu: display: cirrus: oob access while doing bitblt copy backward mode [rhel-6.9]) - kvm-Revert-iotests-Use-_img_info.patch [bz#1405882] - kvm-Revert-block-commit-speed-is-an-optional-parameter.p atch [bz#1405882] - kvm-Revert-iotests-Disable-086.patch [bz#1405882] - kvm-Revert-iotests-Fix-049-s-reference-output.patch [bz#1405882] - kvm-Revert-iotests-Fix-026-s-reference-output.patch [bz#1405882] - kvm-Revert-qcow2-Support-exact-L1-table-growth.patch [bz#1405882] - kvm-Revert-qcow2-Free-allocated-L2-cluster-on-error.patc h [bz#1405882] - kvm-net-check-packet-payload-length.patch [bz#1398214] - Resolves: bz#1398214 (CVE-2016-2857 qemu-kvm: Qemu: net: out of bounds read in net_checksum_calculate [rhel-6.9]) - Reverts: bz#1405882 (test cases 026 030 049 086 and 095 of qemu-iotests fail for qcow2 with qemu-kvm-rhev-0.12.1.2-2.498.el6) - kvm-qcow2-Free-allocated-L2-cluster-on-error.patch [bz#1405882] - kvm-qcow2-Support-exact-L1-table-growth.patch [bz#1405882] - kvm-iotests-Fix-026-s-reference-output.patch [bz#1405882] - kvm-iotests-Fix-049-s-reference-output.patch [bz#1405882] - kvm-iotests-Disable-086.patch [bz#1405882] - kvm-block-commit-speed-is-an-optional-parameter.patch [bz#1405882] - kvm-iotests-Use-_img_info.patch [bz#1405882] - Resolves: bz#1405882 (test cases 026 030 049 086 and 095 of qemu-iotests fail for qcow2 with qemu-kvm-rhev-0.12.1.2-2.498.el6) - kvm-rename-qemu_aio_context-to-match-upstream.patch [bz#876993] - kvm-block-stop-relying-on-io_flush-in-bdrv_drain_all.pat ch [bz#876993] - kvm-block-add-bdrv_drain.patch [bz#876993] - kvm-block-avoid-very-long-pauses-at-the-end-of-mirroring .patch [bz#876993] - Resolves: bz#876993 (qemu-kvm: vm
    last seen2020-06-01
    modified2020-06-02
    plugin id99082
    published2017-03-30
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99082
    titleOracleVM 3.4 : qemu-kvm (OVMSA-2017-0055)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1135-1.NASL
    descriptionThis update for kvm fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
    last seen2020-06-01
    modified2020-06-02
    plugin id99758
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99758
    titleSUSE SLES11 Security Update : kvm (SUSE-SU-2017:1135-1)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2017-0396.NASL
    descriptionFrom Red Hat Security Advisory 2017:0396 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) * Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) Red Hat would like to thank Wjjzhang (Tencent.com Inc.) and Li Qiang (360.cn Inc.) for reporting CVE-2017-2615. Bug Fix(es) : * When using the virtio-blk driver on a guest virtual machine with no space on the virtual hard drive, the guest terminated unexpectedly with a
    last seen2020-06-01
    modified2020-06-02
    plugin id97508
    published2017-03-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97508
    titleOracle Linux 7 : qemu-kvm (ELSA-2017-0396)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201702-27.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201702-27 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers and Xen Security Advisory referenced below for details. Impact : A local attacker could potentially execute arbitrary code with privileges of Xen (QEMU) process on the host, gain privileges on the host system, cause a Denial of Service condition, or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id97270
    published2017-02-21
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97270
    titleGLSA-201702-27 : Xen: Multiple vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-842.NASL
    descriptionSeveral vulnerabilities were discovered in qemu-kvm, a full virtualization solution for Linux hosts on x86 hardware with x86 guests. CVE-2017-2615 The Cirrus CLGD 54xx VGA Emulator in qemu-kvm is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on the host with privileges of qemu-kvm process on the host. CVE-2017-2620 The Cirrus CLGD 54xx VGA Emulator in qemu-kvm is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on the host with privileges of qemu-kvm process on the host. CVE-2017-5898 The CCID Card device emulator support is vulnerable to an integer overflow flaw. It could occur while passing message via command/responses packets to and from the host. A privileged user inside guest could use this flaw to crash the qemu-kvm process on the host resulting in a DoS. This issue does not affect the qemu-kvm binaries in Debian but we apply the patch to the sources to stay in sync with the qemu package. CVE-2017-5973 The USB xHCI controller emulator support in qemu-kvm is vulnerable to an infinite loop issue. It could occur while processing control transfer descriptors
    last seen2020-03-17
    modified2017-03-01
    plugin id97439
    published2017-03-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97439
    titleDebian DLA-842-1 : qemu-kvm security update

Redhat

advisories
  • bugzilla
    id1418200
    titleCVE-2017-2615 Qemu: display: cirrus: oob access while doing bitblt copy backward mode
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • commentqemu-guest-agent is earlier than 2:0.12.1.2-2.491.el6_8.6
            ovaloval:com.redhat.rhsa:tst:20170309001
          • commentqemu-guest-agent is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20121234002
        • AND
          • commentqemu-kvm is earlier than 2:0.12.1.2-2.491.el6_8.6
            ovaloval:com.redhat.rhsa:tst:20170309003
          • commentqemu-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345004
        • AND
          • commentqemu-kvm-tools is earlier than 2:0.12.1.2-2.491.el6_8.6
            ovaloval:com.redhat.rhsa:tst:20170309005
          • commentqemu-kvm-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345002
        • AND
          • commentqemu-img is earlier than 2:0.12.1.2-2.491.el6_8.6
            ovaloval:com.redhat.rhsa:tst:20170309007
          • commentqemu-img is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345006
    rhsa
    idRHSA-2017:0309
    released2017-02-23
    severityImportant
    titleRHSA-2017:0309: qemu-kvm security and bug fix update (Important)
  • rhsa
    idRHSA-2017:0328
  • rhsa
    idRHSA-2017:0329
  • rhsa
    idRHSA-2017:0330
  • rhsa
    idRHSA-2017:0331
  • rhsa
    idRHSA-2017:0332
  • rhsa
    idRHSA-2017:0333
  • rhsa
    idRHSA-2017:0334
  • rhsa
    idRHSA-2017:0344
  • rhsa
    idRHSA-2017:0350
  • rhsa
    idRHSA-2017:0396
  • rhsa
    idRHSA-2017:0454
rpms
  • qemu-guest-agent-2:0.12.1.2-2.491.el6_8.6
  • qemu-img-2:0.12.1.2-2.491.el6_8.6
  • qemu-kvm-2:0.12.1.2-2.491.el6_8.6
  • qemu-kvm-debuginfo-2:0.12.1.2-2.491.el6_8.6
  • qemu-kvm-tools-2:0.12.1.2-2.491.el6_8.6
  • qemu-img-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-common-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.6
  • qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.6
  • qemu-img-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-common-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.6
  • qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.6
  • qemu-img-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-common-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.6
  • qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.6
  • qemu-img-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-common-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.6
  • qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.6
  • qemu-img-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-common-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.6
  • qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.6
  • qemu-img-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-common-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.6
  • qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.6
  • qemu-img-rhev-2:0.12.1.2-2.491.el6_8.7
  • qemu-kvm-rhev-2:0.12.1.2-2.491.el6_8.7
  • qemu-kvm-rhev-debuginfo-2:0.12.1.2-2.491.el6_8.7
  • qemu-kvm-rhev-tools-2:0.12.1.2-2.491.el6_8.7
  • qemu-img-rhev-2:0.12.1.2-2.491.el6_8.6
  • qemu-kvm-rhev-2:0.12.1.2-2.491.el6_8.6
  • qemu-kvm-rhev-debuginfo-2:0.12.1.2-2.491.el6_8.6
  • qemu-kvm-rhev-tools-2:0.12.1.2-2.491.el6_8.6
  • qemu-img-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-common-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-10:2.6.0-28.el7_3.6
  • qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.6
  • qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.6
  • qemu-img-10:1.5.3-126.el7_3.5
  • qemu-kvm-10:1.5.3-126.el7_3.5
  • qemu-kvm-common-10:1.5.3-126.el7_3.5
  • qemu-kvm-debuginfo-10:1.5.3-126.el7_3.5
  • qemu-kvm-tools-10:1.5.3-126.el7_3.5
  • kmod-kvm-0:83-277.el5_11
  • kmod-kvm-debug-0:83-277.el5_11
  • kvm-0:83-277.el5_11
  • kvm-debuginfo-0:83-277.el5_11
  • kvm-qemu-img-0:83-277.el5_11
  • kvm-tools-0:83-277.el5_11