
CVSS 8.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
local
low complexity
qemu
CWE-190
nessus

Summary

Integer overflow in hw/virtio/virtio-crypto.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code on the host via a crafted virtio-crypto request, which triggers a heap-based buffer overflow.

Vulnerable Configurations

Part Description Count
Application
Qemu
236

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset or a size, such as the size of a memory allocation. The attacker would typically control the value of that variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap around to a very small or negative number, yielding an incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.

Nessus

  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201702-28.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201702-28 (QEMU: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact : A local attacker could potentially execute arbitrary code with privileges of QEMU process on the host, gain privileges on the host system, cause a Denial of Service condition, or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id97271
    published2017-02-21
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97271
    titleGLSA-201702-28 : QEMU: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201702-28.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");

    # Registration pass: when the engine loads the plugin with `description`
    # set, only metadata is recorded and the script exits before any host
    # check runs.
    if (description)
    {
      script_id(97271);
      script_version("3.11");
      script_cvs_date("Date: 2018/09/05 15:02:26");

      # Every CVE fixed by GLSA 201702-28; CVE-2017-5931 (virtio-crypto
      # integer overflow) is one of them.
      script_cve_id(
        "CVE-2016-10155", "CVE-2017-2615", "CVE-2017-5525", "CVE-2017-5552",
        "CVE-2017-5578", "CVE-2017-5579", "CVE-2017-5667", "CVE-2017-5856",
        "CVE-2017-5857", "CVE-2017-5898", "CVE-2017-5931"
      );
      script_xref(name:"GLSA", value:"201702-28");
      script_xref(name:"IAVB", value:"2017-B-0024");

      script_name(english:"GLSA-201702-28 : QEMU: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");

      # Advisory text, reproduced verbatim from the GLSA.
      script_set_attribute(attribute:"synopsis", value:
    "The remote Gentoo host is missing one or more security-related
    patches.");
      script_set_attribute(attribute:"description", value:
    "The remote host is affected by the vulnerability described in GLSA-201702-28
    (QEMU: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in QEMU. Please review the
          CVE identifiers referenced below for details.
      
    Impact :
    
        A local attacker could potentially execute arbitrary code with
          privileges of QEMU process on the host, gain privileges on the host
          system, cause a Denial of Service condition, or obtain sensitive
          information.
      
    Workaround :
    
        There is no known workaround at this time.");
      script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/201702-28");
      script_set_attribute(attribute:"solution", value:
    "All QEMU users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-emulation/qemu-2.8.0-r1'");

      # NOTE(review): these vectors score the whole advisory (AV:N, PR:H), not
      # CVE-2017-5931 alone, which is rated local / low-privilege elsewhere on
      # this page; do not read them as the per-CVE rating when triaging.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");

      script_set_attribute(attribute:"plugin_type", value:"local");
      foreach cpe_value (make_list("p-cpe:/a:gentoo:linux:qemu", "cpe:/o:gentoo:linux"))
        script_set_attribute(attribute:"cpe", value:cpe_value);

      script_set_attribute(attribute:"patch_publication_date", value:"2017/02/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/02/21");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");

      # Needs an SSH session and the Gentoo package inventory gathered by it.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");

    # Preconditions; each audit() call reports the reason and exits.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # The advisory's fixed version is 2.8.0-r1: anything older is vulnerable.
    vulnerable = qpkg_check(
      package:"app-emulation/qemu",
      unaffected:make_list("ge 2.8.0-r1"),
      vulnerable:make_list("lt 2.8.0-r1")
    );

    if (vulnerable)
    {
      # Verbose reports include the package/version comparison that fired.
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Distinguish "installed but patched" from "not installed at all".
      checked = qpkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "QEMU");
    }
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-4713.NASL
    descriptionDescription of changes: [15:3.1.0-5.el7] - Only enable the halt poll control MSR if it is supported by the host (Mark Kanda) [Orabug: 29946722] [15:3.1.0-4.el7] - kvm: i386: halt poll control MSR support (Marcelo Tosatti) [Orabug: 29933278] - Document CVEs as fixed: CVE-2017-9524, CVE-2017-6058, CVE-2017-5931 (Mark Kanda) [Orabug: 29886908] {CVE-2017-5931} {CVE-2017-6058} {CVE-2017-9524} - pvrdma: release device resources in case of an error (Prasad J Pandit) [Orabug: 29056678] {CVE-2018-20123} - qxl: check release info object (Prasad J Pandit) [Orabug: 29886906] {CVE-2019-12155} - target/i386: add MDS-NO feature (Paolo Bonzini) [Orabug: 29820428] {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091} - docs: recommend use of md-clear feature on all Intel CPUs (Daniel P. Berrangé) [Orabug: 29820428] {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091} - target/i386: define md-clear bit (Paolo Bonzini) [Orabug: 29820428] {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091} - pvh: block migration if booting using PVH (Liam Merwick) [Orabug: 29796676] - hw/i386/pc: run the multiboot loader before the PVH loader (Stefano Garzarella) [Orabug: 29796676] - optionrom/pvh: load initrd from fw_cfg (Stefano Garzarella) [Orabug: 29796676] - hw/i386/pc: use PVH option rom (Stefano Garzarella) [Orabug: 29796676] - qemu.spec: add pvh.bin to %files (Liam Merwick) [Orabug: 29796676] - optionrom: add new PVH option rom (Stefano Garzarella) [Orabug: 29796676] - linuxboot_dma: move common functions in a new header (Stefano Garzarella) [Orabug: 29796676] - linuxboot_dma: remove duplicate definitions of FW_CFG (Stefano Garzarella) [Orabug: 29796676] - pvh: load initrd and expose it through fw_cfg (Stefano Garzarella) [Orabug: 29796676] - pvh: Boot uncompressed kernel using direct boot ABI (Liam Merwick) [Orabug: 29796676] - pvh: Add x86/HVM direct boot ABI header file (Liam Merwick) [Orabug: 29796676] - elf-ops.h: Add get_elf_note_type() (Liam Merwick) [Orabug: 29796676] - elf: Add optional function ptr to load_elf() to parse ELF notes (Liam Merwick) [Orabug: 29796676]
    last seen2020-06-01
    modified2020-06-02
    plugin id126673
    published2019-07-15
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126673
    titleOracle Linux 7 : qemu (ELSA-2019-4713) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Oracle Linux Security Advisory ELSA-2019-4713.
    #
    
    include("compat.inc");

    # Registration pass: with `description` set the engine only collects
    # plugin metadata and leaves before any host check.
    if (description)
    {
      script_id(126673);
      script_version("1.3");
      script_cvs_date("Date: 2020/01/08");

      # CVEs the ELSA-2019-4713 errata documents as fixed; CVE-2017-5931 is the
      # virtio-crypto integer overflow, the 2018-121xx / 2019-11091 entries are
      # the MDS group named in the title.
      script_cve_id(
        "CVE-2017-5931", "CVE-2017-6058", "CVE-2017-9524",
        "CVE-2018-12126", "CVE-2018-12127", "CVE-2018-12130",
        "CVE-2018-20123", "CVE-2019-11091", "CVE-2019-12155"
      );

      script_name(english:"Oracle Linux 7 : qemu (ELSA-2019-4713) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout)");
      script_summary(english:"Checks rpm output for the updated packages");

      script_set_attribute(attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates.");
      # Changelog text reproduced verbatim from the errata notice.
      script_set_attribute(attribute:"description", value:
    "Description of changes:
    
    [15:3.1.0-5.el7]
    - Only enable the halt poll control MSR if it is supported by the host (Mark
    Kanda) [Orabug: 29946722]
    
    [15:3.1.0-4.el7]
    - kvm: i386: halt poll control MSR support (Marcelo Tosatti) [Orabug: 
    29933278]
    - Document CVEs as fixed: CVE-2017-9524, CVE-2017-6058, CVE-2017-5931 
    (Mark Kanda) [Orabug: 29886908] {CVE-2017-5931} {CVE-2017-6058} 
    {CVE-2017-9524}
    - pvrdma: release device resources in case of an error (Prasad J Pandit) 
    [Orabug: 29056678] {CVE-2018-20123}
    - qxl: check release info object (Prasad J Pandit) [Orabug: 29886906] 
    {CVE-2019-12155}
    - target/i386: add MDS-NO feature (Paolo Bonzini) [Orabug: 29820428] 
    {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091}
    - docs: recommend use of md-clear feature on all Intel CPUs (Daniel P. 
    Berrang&eacute ) [Orabug: 29820428] {CVE-2018-12126} {CVE-2018-12127} 
    {CVE-2018-12130} {CVE-2019-11091}
    - target/i386: define md-clear bit (Paolo Bonzini) [Orabug: 29820428] 
    {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091}
    - pvh: block migration if booting using PVH (Liam Merwick) [Orabug: 
    29796676]
    - hw/i386/pc: run the multiboot loader before the PVH loader (Stefano 
    Garzarella) [Orabug: 29796676]
    - optionrom/pvh: load initrd from fw_cfg (Stefano Garzarella) [Orabug: 
    29796676]
    - hw/i386/pc: use PVH option rom (Stefano Garzarella) [Orabug: 29796676]
    - qemu.spec: add pvh.bin to %files (Liam Merwick) [Orabug: 29796676]
    - optionrom: add new PVH option rom (Stefano Garzarella) [Orabug: 29796676]
    - linuxboot_dma: move common functions in a new header (Stefano 
    Garzarella) [Orabug: 29796676]
    - linuxboot_dma: remove duplicate definitions of FW_CFG (Stefano 
    Garzarella) [Orabug: 29796676]
    - pvh: load initrd and expose it through fw_cfg (Stefano Garzarella) 
    [Orabug: 29796676]
    - pvh: Boot uncompressed kernel using direct boot ABI (Liam Merwick) 
    [Orabug: 29796676]
    - pvh: Add x86/HVM direct boot ABI header file (Liam Merwick) [Orabug: 
    29796676]
    - elf-ops.h: Add get_elf_note_type() (Liam Merwick) [Orabug: 29796676]
    - elf: Add optional function ptr to load_elf() to parse ELF notes (Liam 
    Merwick) [Orabug: 29796676]");
      script_set_attribute(attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2019-July/008891.html");
      script_set_attribute(attribute:"solution", value:"Update the affected qemu packages.");

      # Base vectors are local / low-privilege, matching the guest-to-host
      # model of CVE-2017-5931; temporal vectors record no known exploit.
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

      script_set_attribute(attribute:"plugin_type", value:"local");
      # One CPE per package the errata ships, plus the OS itself.
      cpe_values = make_list(
        "p-cpe:/a:oracle:linux:qemu",
        "p-cpe:/a:oracle:linux:qemu-block-gluster",
        "p-cpe:/a:oracle:linux:qemu-block-iscsi",
        "p-cpe:/a:oracle:linux:qemu-block-rbd",
        "p-cpe:/a:oracle:linux:qemu-common",
        "p-cpe:/a:oracle:linux:qemu-img",
        "p-cpe:/a:oracle:linux:qemu-kvm",
        "p-cpe:/a:oracle:linux:qemu-kvm-core",
        "p-cpe:/a:oracle:linux:qemu-system-x86",
        "p-cpe:/a:oracle:linux:qemu-system-x86-core",
        "cpe:/o:oracle:linux:7"
      );
      foreach cpe_value (cpe_values)
        script_set_attribute(attribute:"cpe", value:cpe_value);

      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/07/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/15");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();

      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");

      # Needs an SSH session plus the release string and rpm inventory it gathers.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");

      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");


    # Preconditions; every audit() reports its reason and exits the plugin.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");

    # Oracle Linux reuses the RedHat release string; confirm the vendor and
    # then pull the major version out of it.
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    ver_match = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(ver_match)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    ol_ver = ver_match[1];
    # Errata applies to OL7 only ("7", "7.x"); refuse anything else.
    if (! preg(pattern:"^7([^0-9]|$)", string:ol_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + ol_ver);

    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

    # The errata ships x86_64 packages only; i386 hosts are reported as the
    # wrong architecture, anything else as not implemented.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

    # Fixed NEVR per ELSA-2019-4713: 3.1.0-5.el7 for every sub-package.
    fixed_pkgs = make_list(
      "qemu-3.1.0-5.el7",
      "qemu-block-gluster-3.1.0-5.el7",
      "qemu-block-iscsi-3.1.0-5.el7",
      "qemu-block-rbd-3.1.0-5.el7",
      "qemu-common-3.1.0-5.el7",
      "qemu-img-3.1.0-5.el7",
      "qemu-kvm-3.1.0-5.el7",
      "qemu-kvm-core-3.1.0-5.el7",
      "qemu-system-x86-3.1.0-5.el7",
      "qemu-system-x86-core-3.1.0-5.el7"
    );

    # Every package is compared (no short-circuit) so the report lists all
    # outdated ones, not just the first.
    flag = 0;
    foreach fixed_pkg (fixed_pkgs)
      if (rpm_check(release:"EL7", cpu:"x86_64", reference:fixed_pkg)) flag++;


    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Separate "installed and patched" from "none of the packages present".
      checked = pkg_tests_get();
      if (checked) audit(AUDIT_PACKAGE_NOT_AFFECTED, checked);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu / qemu-block-gluster / qemu-block-iscsi / qemu-block-rbd / etc");
    }