CVE-2017-5931 - Integer Overflow or Wraparound vulnerability in Qemu
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow.
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow: This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past its maximum possible value, it may wrap around to a very small or negative number, producing an incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.
Nessus
NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201702-28.NASL
description: The remote host is affected by the vulnerability described in GLSA-201702-28 (QEMU: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact: A local attacker could potentially execute arbitrary code with privileges of the QEMU process on the host, gain privileges on the host system, cause a Denial of Service condition, or obtain sensitive information. Workaround: There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 97271
published: 2017-02-21
reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/97271
title: GLSA-201702-28 : QEMU: Multiple vulnerabilities
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 201702-28.
#
# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(97271);
  script_version("3.11");
  script_cvs_date("Date: 2018/09/05 15:02:26");

  script_cve_id("CVE-2016-10155", "CVE-2017-2615", "CVE-2017-5525", "CVE-2017-5552", "CVE-2017-5578", "CVE-2017-5579", "CVE-2017-5667", "CVE-2017-5856", "CVE-2017-5857", "CVE-2017-5898", "CVE-2017-5931");
  script_xref(name:"GLSA", value:"201702-28");
  script_xref(name:"IAVB", value:"2017-B-0024");

  script_name(english:"GLSA-201702-28 : QEMU: Multiple vulnerabilities");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote host is affected by the vulnerability described in GLSA-201702-28
(QEMU: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in QEMU. Please review
    the CVE identifiers referenced below for details.

Impact :

    A local attacker could potentially execute arbitrary code with
    privileges of QEMU process on the host, gain privileges on the host
    system, cause a Denial of Service condition, or obtain sensitive
    information.

Workaround :

    There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/201702-28"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All QEMU users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose '>=app-emulation/qemu-2.8.0-r1'"
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:qemu");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/02/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/21");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;

# The advisory's fix lands in app-emulation/qemu 2.8.0-r1; anything older is flagged.
if (qpkg_check(package:"app-emulation/qemu", unaffected:make_list("ge 2.8.0-r1"), vulnerable:make_list("lt 2.8.0-r1"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "QEMU");
}
NASL family: Oracle Linux Local Security Checks
NASL id: ORACLELINUX_ELSA-2019-4713.NASL
description: Description of changes:

[15:3.1.0-5.el7]
- Only enable the halt poll control MSR if it is supported by the host (Mark Kanda) [Orabug: 29946722]

[15:3.1.0-4.el7]
- kvm: i386: halt poll control MSR support (Marcelo Tosatti) [Orabug: 29933278]
- Document CVEs as fixed: CVE-2017-9524, CVE-2017-6058, CVE-2017-5931 (Mark Kanda) [Orabug: 29886908] {CVE-2017-5931} {CVE-2017-6058} {CVE-2017-9524}
- pvrdma: release device resources in case of an error (Prasad J Pandit) [Orabug: 29056678] {CVE-2018-20123}
- qxl: check release info object (Prasad J Pandit) [Orabug: 29886906] {CVE-2019-12155}
- target/i386: add MDS-NO feature (Paolo Bonzini) [Orabug: 29820428] {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091}
- docs: recommend use of md-clear feature on all Intel CPUs (Daniel P. Berrangé) [Orabug: 29820428] {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091}
- target/i386: define md-clear bit (Paolo Bonzini) [Orabug: 29820428] {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091}
- pvh: block migration if booting using PVH (Liam Merwick) [Orabug: 29796676]
- hw/i386/pc: run the multiboot loader before the PVH loader (Stefano Garzarella) [Orabug: 29796676]
- optionrom/pvh: load initrd from fw_cfg (Stefano Garzarella) [Orabug: 29796676]
- hw/i386/pc: use PVH option rom (Stefano Garzarella) [Orabug: 29796676]
- qemu.spec: add pvh.bin to %files (Liam Merwick) [Orabug: 29796676]
- optionrom: add new PVH option rom (Stefano Garzarella) [Orabug: 29796676]
- linuxboot_dma: move common functions in a new header (Stefano Garzarella) [Orabug: 29796676]
- linuxboot_dma: remove duplicate definitions of FW_CFG (Stefano Garzarella) [Orabug: 29796676]
- pvh: load initrd and expose it through fw_cfg (Stefano Garzarella) [Orabug: 29796676]
- pvh: Boot uncompressed kernel using direct boot ABI (Liam Merwick) [Orabug: 29796676]
- pvh: Add x86/HVM direct boot ABI header file (Liam Merwick) [Orabug: 29796676]
- elf-ops.h: Add get_elf_note_type() (Liam Merwick) [Orabug: 29796676]
- elf: Add optional function ptr to load_elf() to parse ELF notes (Liam Merwick) [Orabug: 29796676]

last seen: 2020-06-01
modified: 2020-06-02
plugin id: 126673
published: 2019-07-15
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/126673
title: Oracle Linux 7 : qemu (ELSA-2019-4713) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)
code:

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2019-4713.
#

include("compat.inc");

if (description)
{
  script_id(126673);
  script_version("1.3");
  script_cvs_date("Date: 2020/01/08");

  script_cve_id("CVE-2017-5931", "CVE-2017-6058", "CVE-2017-9524", "CVE-2018-12126", "CVE-2018-12127", "CVE-2018-12130", "CVE-2018-20123", "CVE-2019-11091", "CVE-2019-12155");

  script_name(english:"Oracle Linux 7 : qemu (ELSA-2019-4713) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Oracle Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Description of changes:

[15:3.1.0-5.el7]
- Only enable the halt poll control MSR if it is supported by the host
  (Mark Kanda) [Orabug: 29946722]

[15:3.1.0-4.el7]
- kvm: i386: halt poll control MSR support (Marcelo Tosatti) [Orabug: 29933278]
- Document CVEs as fixed: CVE-2017-9524, CVE-2017-6058, CVE-2017-5931
  (Mark Kanda) [Orabug: 29886908] {CVE-2017-5931} {CVE-2017-6058} {CVE-2017-9524}
- pvrdma: release device resources in case of an error (Prasad J Pandit)
  [Orabug: 29056678] {CVE-2018-20123}
- qxl: check release info object (Prasad J Pandit) [Orabug: 29886906] {CVE-2019-12155}
- target/i386: add MDS-NO feature (Paolo Bonzini) [Orabug: 29820428]
  {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091}
- docs: recommend use of md-clear feature on all Intel CPUs (Daniel P. Berrangé)
  [Orabug: 29820428] {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091}
- target/i386: define md-clear bit (Paolo Bonzini) [Orabug: 29820428]
  {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091}
- pvh: block migration if booting using PVH (Liam Merwick) [Orabug: 29796676]
- hw/i386/pc: run the multiboot loader before the PVH loader (Stefano Garzarella) [Orabug: 29796676]
- optionrom/pvh: load initrd from fw_cfg (Stefano Garzarella) [Orabug: 29796676]
- hw/i386/pc: use PVH option rom (Stefano Garzarella) [Orabug: 29796676]
- qemu.spec: add pvh.bin to %files (Liam Merwick) [Orabug: 29796676]
- optionrom: add new PVH option rom (Stefano Garzarella) [Orabug: 29796676]
- linuxboot_dma: move common functions in a new header (Stefano Garzarella) [Orabug: 29796676]
- linuxboot_dma: remove duplicate definitions of FW_CFG (Stefano Garzarella) [Orabug: 29796676]
- pvh: load initrd and expose it through fw_cfg (Stefano Garzarella) [Orabug: 29796676]
- pvh: Boot uncompressed kernel using direct boot ABI (Liam Merwick) [Orabug: 29796676]
- pvh: Add x86/HVM direct boot ABI header file (Liam Merwick) [Orabug: 29796676]
- elf-ops.h: Add get_elf_note_type() (Liam Merwick) [Orabug: 29796676]
- elf: Add optional function ptr to load_elf() to parse ELF notes (Liam Merwick) [Orabug: 29796676]"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://oss.oracle.com/pipermail/el-errata/2019-July/008891.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected qemu packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-gluster");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-iscsi");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-block-rbd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-img");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-kvm-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-x86");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:qemu-system-x86-core");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/07/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/15");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Oracle Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");

# Confirm the target is Oracle Linux 7 before comparing package versions.
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# The fixed packages exist only for x86_64; other architectures are not checked.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

flag = 0;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"qemu-3.1.0-5.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"qemu-block-gluster-3.1.0-5.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"qemu-block-iscsi-3.1.0-5.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"qemu-block-rbd-3.1.0-5.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"qemu-common-3.1.0-5.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"qemu-img-3.1.0-5.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"qemu-kvm-3.1.0-5.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"qemu-kvm-core-3.1.0-5.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"qemu-system-x86-3.1.0-5.el7")) flag++;
if (rpm_check(release:"EL7", cpu:"x86_64", reference:"qemu-system-x86-core-3.1.0-5.el7")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu / qemu-block-gluster / qemu-block-iscsi / qemu-block-rbd / etc");
}
References
- https://lists.nongnu.org/archive/html/qemu-devel/2017-01/msg01368.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1420092
- http://www.securityfocus.com/bid/96141
- http://www.openwall.com/lists/oss-security/2017/02/08/2
- https://security.gentoo.org/glsa/201702-28
- http://git.qemu-project.org/?p=qemu.git;a=commit;h=a08aaff811fb194950f79711d2afe5a892ae03a4