Vulnerabilities > CVE-2017-5987 - Infinite Loop vulnerability in multiple products

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
local
low complexity
qemu
debian
CWE-835
nessus

Summary

The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer.

Vulnerable Configurations

Part Description Count
Application
Qemu
241
OS
Debian
1

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2227.NASL
    descriptionAccording to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.(CVE-2019-6778) - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.(CVE-2015-7549) - The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control.(CVE-2016-2841) - Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device.(CVE-2017-9374) - Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash).(CVE-2017-18043) - Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.(CVE-2017-5579) - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.(CVE-2015-4037) - The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.(CVE-2016-7908) - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information.(CVE-2013-4544) - Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.(CVE-2016-2538) - Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.(CVE-2018-10839) - Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.(CVE-2017-9373) - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.(CVE-2019-9824) - QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.(CVE-2017-9503) - Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.(CVE-2013-4526) - Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.(CVE-2013-4530) - Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.(CVE-2013-4539) - Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.(CVE-2013-4540) - The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer.(CVE-2017-5987) - Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12126) - Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12127) - Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12130) - Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2019-11091) - interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference.(CVE-2019-12155) - Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.(CVE-2016-7161) - Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.(CVE-2015-5279) - The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vectors involving the data transfer length.(CVE-2017-5667) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-11-08
    plugin id130689
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130689
    titleEulerOS 2.0 SP5 : qemu-kvm (EulerOS-SA-2019-2227)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130689);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2013-4526",
        "CVE-2013-4530",
        "CVE-2013-4539",
        "CVE-2013-4540",
        "CVE-2013-4544",
        "CVE-2015-4037",
        "CVE-2015-5279",
        "CVE-2015-7549",
        "CVE-2016-2538",
        "CVE-2016-2841",
        "CVE-2016-7161",
        "CVE-2016-7908",
        "CVE-2017-18043",
        "CVE-2017-5579",
        "CVE-2017-5667",
        "CVE-2017-5987",
        "CVE-2017-9373",
        "CVE-2017-9374",
        "CVE-2017-9503",
        "CVE-2018-10839",
        "CVE-2018-12126",
        "CVE-2018-12127",
        "CVE-2018-12130",
        "CVE-2019-11091",
        "CVE-2019-12155",
        "CVE-2019-6778",
        "CVE-2019-9824"
      );
      script_bugtraq_id(
        66955,
        67483,
        74809
      );
    
      script_name(english:"EulerOS 2.0 SP5 : qemu-kvm (EulerOS-SA-2019-2227)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the qemu-kvm packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a
        heap-based buffer overflow.(CVE-2019-6778)
    
      - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka
        Quick Emulator) allows local guest OS privileged users
        to cause a denial of service (NULL pointer dereference
        and QEMU process crash) by leveraging failure to define
        the .write method.(CVE-2015-7549)
    
      - The ne2000_receive function in the NE2000 NIC emulation
        support (hw/net/ne2000.c) in QEMU before 2.5.1 allows
        local guest OS administrators to cause a denial of
        service (infinite loop and QEMU process crash) via
        crafted values for the PSTART and PSTOP registers,
        involving ring buffer control.(CVE-2016-2841)
    
      - Memory leak in QEMU (aka Quick Emulator), when built
        with USB EHCI Emulation support, allows local guest OS
        privileged users to cause a denial of service (memory
        consumption) by repeatedly hot-unplugging the
        device.(CVE-2017-9374)
    
      - Integer overflow in the macro ROUND_UP (n, d) in Quick
        Emulator (Qemu) allows a user to cause a denial of
        service (Qemu process crash).(CVE-2017-18043)
    
      - Memory leak in the serial_exit_core function in
        hw/char/serial.c in QEMU (aka Quick Emulator) allows
        local guest OS privileged users to cause a denial of
        service (host memory consumption and QEMU process
        crash) via a large number of device unplug
        operations.(CVE-2017-5579)
    
      - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and
        earlier creates temporary files with predictable names,
        which allows local users to cause a denial of service
        (instantiation failure) by creating /tmp/qemu-smb.*-*
        files before the program.(CVE-2015-4037)
    
      - The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU
        (aka Quick Emulator) does not properly limit the buffer
        descriptor count when transmitting packets, which
        allows local guest OS administrators to cause a denial
        of service (infinite loop and QEMU process crash) via
        vectors involving a buffer descriptor with a length of
        0 and crafted values in bd.flags.(CVE-2016-7908)
    
      - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier
        allows local guest users to cause a denial of service
        or possibly execute arbitrary code via vectors related
        to (1) RX or (2) TX queue numbers or (3) interrupt
        indices. NOTE: some of these details are obtained from
        third party information.(CVE-2013-4544)
    
      - Multiple integer overflows in the USB Net device
        emulator (hw/usb/dev-network.c) in QEMU before 2.5.1
        allow local guest OS administrators to cause a denial
        of service (QEMU process crash) or obtain sensitive
        host memory information via a remote NDIS control
        message packet that is mishandled in the (1)
        rndis_query_response, (2) rndis_set_response, or (3)
        usb_net_handle_dataout function.(CVE-2016-2538)
    
      - Qemu emulator <= 3.0.0 built with the NE2000 NIC
        emulation support is vulnerable to an integer overflow,
        which could lead to buffer overflow issue. It could
        occur when receiving packets over the network. A user
        inside guest could use this flaw to crash the Qemu
        process resulting in DoS.(CVE-2018-10839)
    
      - Memory leak in QEMU (aka Quick Emulator), when built
        with IDE AHCI Emulation support, allows local guest OS
        privileged users to cause a denial of service (memory
        consumption) by repeatedly hot-unplugging the AHCI
        device.(CVE-2017-9373)
    
      - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c)
        in QEMU 3.0.0 uses uninitialized data in an snprintf
        call, leading to Information disclosure.(CVE-2019-9824)
    
      - QEMU (aka Quick Emulator), when built with MegaRAID SAS
        8708EM2 Host Bus Adapter emulation support, allows
        local guest OS privileged users to cause a denial of
        service (NULL pointer dereference and QEMU process
        crash) via vectors involving megasas command
        processing.(CVE-2017-9503)
    
      - Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2
        allows remote attackers to cause a denial of service
        and possibly execute arbitrary code via vectors related
        to migrating ports.(CVE-2013-4526)
    
      - Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2
        allows remote attackers to cause a denial of service or
        possibly execute arbitrary code via crafted
        tx_fifo_head and rx_fifo_head values in a savevm
        image.(CVE-2013-4530)
    
      - Multiple buffer overflows in the tsc210x_load function
        in hw/input/tsc210x.c in QEMU before 1.7.2 might allow
        remote attackers to execute arbitrary code via a
        crafted (1) precision, (2) nextprecision, (3) function,
        or (4) nextfunction value in a savevm
        image.(CVE-2013-4539)
    
      - Buffer overflow in scoop_gpio_handler_update in QEMU
        before 1.7.2 might allow remote attackers to execute
        arbitrary code via a large (1) prev_level, (2)
        gpio_level, or (3) gpio_dir value in a savevm
        image.(CVE-2013-4540)
    
      - The sdhci_sdma_transfer_multi_blocks function in
        hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local
        OS guest privileged users to cause a denial of service
        (infinite loop and QEMU process crash) via vectors
        involving the transfer mode register during multi block
        transfer.(CVE-2017-5987)
    
      - Microarchitectural Store Buffer Data Sampling (MSBDS):
        Store buffers on some microprocessors utilizing
        speculative execution may allow an authenticated user
        to potentially enable information disclosure via a side
        channel with local access. A list of impacted products
        can be found here:
        https://www.intel.com/content/dam/www/public/us/en/docu
        ments/corporate-information/SA00233-microcode-update-gu
        idance_05132019.pdf(CVE-2018-12126)
    
      - Microarchitectural Load Port Data Sampling (MLPDS):
        Load ports on some microprocessors utilizing
        speculative execution may allow an authenticated user
        to potentially enable information disclosure via a side
        channel with local access. A list of impacted products
        can be found here:
        https://www.intel.com/content/dam/www/public/us/en/docu
        ments/corporate-information/SA00233-microcode-update-gu
        idance_05132019.pdf(CVE-2018-12127)
    
      - Microarchitectural Fill Buffer Data Sampling (MFBDS):
        Fill buffers on some microprocessors utilizing
        speculative execution may allow an authenticated user
        to potentially enable information disclosure via a side
        channel with local access. A list of impacted products
        can be found here:
        https://www.intel.com/content/dam/www/public/us/en/docu
        ments/corporate-information/SA00233-microcode-update-gu
        idance_05132019.pdf(CVE-2018-12130)
    
      - Microarchitectural Data Sampling Uncacheable Memory
        (MDSUM): Uncacheable memory on some microprocessors
        utilizing speculative execution may allow an
        authenticated user to potentially enable information
        disclosure via a side channel with local access. A list
        of impacted products can be found here:
        https://www.intel.com/content/dam/www/public/us/en/docu
        ments/corporate-information/SA00233-microcode-update-gu
        idance_05132019.pdf(CVE-2019-11091)
    
      - interface_release_resource in hw/display/qxl.c in QEMU
        4.0.0 has a NULL pointer dereference.(CVE-2019-12155)
    
      - Heap-based buffer overflow in the .receive callback of
        xlnx.xps-ethernetlite in QEMU (aka Quick Emulator)
        allows attackers to execute arbitrary code on the QEMU
        host via a large ethlite packet.(CVE-2016-7161)
    
      - Heap-based buffer overflow in the ne2000_receive
        function in hw/net/ne2000.c in QEMU before 2.4.0.1
        allows guest OS users to cause a denial of service
        (instance crash) or possibly execute arbitrary code via
        vectors related to receiving packets.(CVE-2015-5279)
    
      - The sdhci_sdma_transfer_multi_blocks function in
        hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local
        guest OS privileged users to cause a denial of service
        (out-of-bounds heap access and crash) or execute
        arbitrary code on the QEMU host via vectors involving
        the data transfer length.(CVE-2017-5667)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2227
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?95b359a0");
      script_set_attribute(attribute:"solution", value:
    "Update the affected qemu-kvm packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-img");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm-common");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["qemu-img-1.5.3-156.5.h14.eulerosv2r7",
            "qemu-kvm-1.5.3-156.5.h14.eulerosv2r7",
            "qemu-kvm-common-1.5.3-156.5.h14.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-kvm");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2969-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-2633: The VNC display driver support was vulnerable to an out-of-bounds memory access issue. A user/process inside guest could use this flaw to cause DoS (bsc#1026612) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311) - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211) - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800) - CVE-2017-9373: The IDE AHCI Emulation support was vulnerable to a host memory leakage issue, which allowed a privileged user inside guest to leak host memory resulting in DoS (bsc#1042801) - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042159) - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037242) - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File System(9pfs) support, was vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could have used this flaw to escalate their privileges inside guest (bsc#1039495) - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper link following issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1020427) - CVE-2017-5579: The 16550A UART serial device emulation support was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1021741) - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a NULL pointer dereference issue which allowed a privileged user inside guest to crash the Qemu process on the host resulting in DoS (bsc#1043296) - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046636) - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages (bsc#1047674) - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper link following issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1020427) - CVE-2017-7377: The v9fs_create and v9fs_lcreate functions in hw/9pfs/9p.c allowed local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid (bsc#1032075) - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable (bsc#1035950) - CVE-2017-7471: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper access control issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1034866) - CVE-2016-6834: A infinite loop during packet fragmentation in the VMWARE VMXNET3 NIC device support allowed privileged user inside guest to crash the Qemu instance resulting in DoS (bsc#994418) - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC device support, causing an OOB read access (bsc#994605) - Fix privilege escalation in TCG mode (bsc#1030624) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id104495
    published2017-11-10
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104495
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2017:2969-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:2969-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104495);
      script_version("3.10");
      script_cvs_date("Date: 2019/09/11 11:22:16");
    
      script_cve_id("CVE-2016-6834", "CVE-2016-6835", "CVE-2016-9602", "CVE-2016-9603", "CVE-2017-10664", "CVE-2017-10806", "CVE-2017-11334", "CVE-2017-11434", "CVE-2017-13672", "CVE-2017-14167", "CVE-2017-15038", "CVE-2017-15289", "CVE-2017-2633", "CVE-2017-5579", "CVE-2017-5973", "CVE-2017-5987", "CVE-2017-6505", "CVE-2017-7377", "CVE-2017-7471", "CVE-2017-7493", "CVE-2017-7718", "CVE-2017-7980", "CVE-2017-8086", "CVE-2017-8112", "CVE-2017-8309", "CVE-2017-9330", "CVE-2017-9373", "CVE-2017-9375", "CVE-2017-9503");
    
      script_name(english:"SUSE SLES12 Security Update : qemu (SUSE-SU-2017:2969-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for qemu fixes several issues. These security issues were
    fixed :
    
      - CVE-2017-15289: The mode4and5 write functions allowed
        local OS guest privileged users to cause a denial of
        service (out-of-bounds write access and Qemu process
        crash) via vectors related to dst calculation
        (bsc#1063122)
    
      - CVE-2017-2633: The VNC display driver support was
        vulnerable to an out-of-bounds memory access issue. A
        user/process inside guest could use this flaw to cause
        DoS (bsc#1026612)
    
      - CVE-2017-15038: Race condition in the v9fs_xattrwalk
        function local guest OS users to obtain sensitive
        information from host heap memory via vectors related to
        reading extended attributes (bsc#1062069)
    
      - CVE-2017-14167: Integer overflow in the load_multiboot
        function allowed local guest OS users to execute
        arbitrary code on the host via crafted multiboot header
        address values, which trigger an out-of-bounds write
        (bsc#1057585)
    
      - CVE-2017-11434: The dhcp_decode function in
        slirp/bootp.c allowed local guest OS users to cause a
        denial of service (out-of-bounds read) via a crafted
        DHCP options string (bsc#1049381)
    
      - CVE-2017-11334: The address_space_write_continue
        function allowed local guest OS privileged users to
        cause a denial of service (out-of-bounds access and
        guest instance crash) by leveraging use of
        qemu_map_ram_ptr to access guest ram block area
        (bsc#1048902)
    
      - CVE-2017-13672: The VGA display emulator support allowed
        local guest OS privileged users to cause a denial of
        service (out-of-bounds read and QEMU process crash) via
        vectors involving display update (bsc#1056334)
    
      - CVE-2017-5973: A infinite loop while doing control
        transfer in xhci_kick_epctx allowed privileged user
        inside the guest to crash the host process resulting in
        DoS (bsc#1025109)
    
      - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks
        function in hw/sd/sdhci.c allowed local OS guest
        privileged users to cause a denial of service (infinite
        loop and QEMU process crash) via vectors involving the
        transfer mode register during multi block transfer
        (bsc#1025311)
    
      - CVE-2017-6505: The ohci_service_ed_list function allowed
        local guest OS users to cause a denial of service
        (infinite loop) via vectors involving the number of link
        endpoint list descriptors (bsc#1028184)
    
      - CVE-2016-9603: A privileged user within the guest VM
        could have caused a heap overflow in the device model
        process, potentially escalating their privileges to that
        of the device model process (bsc#1028656)
    
      - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local
        guest OS privileged users to cause a denial of service
        (out-of-bounds read and QEMU process crash) via vectors
        related to copying VGA data via the
        cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_
        functions (bsc#1034908)
    
      - CVE-2017-7980: An out-of-bounds r/w access issues in the
        Cirrus CLGD 54xx VGA Emulator support allowed privileged
        user inside guest to use this flaw to crash the Qemu
        process resulting in DoS or potentially execute
        arbitrary code on a host with privileges of Qemu process
        on the host (bsc#1035406)
    
      - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest
        OS privileged users to cause a denial of service
        (infinite loop and CPU consumption) via the message ring
        page count (bsc#1036211)
    
      - CVE-2017-9375: The USB xHCI controller emulator support
        was vulnerable to an infinite recursive call loop issue,
        which allowed a privileged user inside guest to crash
        the Qemu process resulting in DoS (bsc#1042800)
    
      - CVE-2017-9373: The IDE AHCI Emulation support was
        vulnerable to a host memory leakage issue, which allowed
        a privileged user inside guest to leak host memory
        resulting in DoS (bsc#1042801)
    
      - CVE-2017-9330: USB OHCI Emulation in qemu allowed local
        guest OS users to cause a denial of service (infinite
        loop) by leveraging an incorrect return value
        (bsc#1042159)
    
      - CVE-2017-8309: Memory leak in the audio/audio.c allowed
        remote attackers to cause a denial of service (memory
        consumption) by repeatedly starting and stopping audio
        capture (bsc#1037242)
    
      - CVE-2017-7493: The VirtFS, host directory sharing via
        Plan 9 File System(9pfs) support, was vulnerable to an
        improper access control issue. It could occur while
        accessing virtfs metadata files in mapped-file security
        mode. A guest user could have used this flaw to escalate
        their privileges inside guest (bsc#1039495)
    
      - CVE-2016-9602: The VirtFS host directory sharing via
        Plan 9 File System(9pfs) support was vulnerable to an
        improper link following issue which allowed a privileged
        user inside guest to access host file system beyond the
        shared folder and potentially escalating their
        privileges on a host (bsc#1020427)
    
      - CVE-2017-5579: The 16550A UART serial device emulation
        support was vulnerable to a memory leakage issue
        allowing a privileged user to cause a DoS and/or
        potentially crash the Qemu process on the host
        (bsc#1021741)
    
      - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter
        emulation support was vulnerable to a NULL pointer
        dereference issue which allowed a privileged user inside
        guest to crash the Qemu process on the host resulting in
        DoS (bsc#1043296)
    
      - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which
        allowed remote attackers to cause a denial of service
        (daemon crash) by disconnecting during a
        server-to-client reply attempt (bsc#1046636)
    
      - CVE-2017-10806: Stack-based buffer overflow allowed
        local guest OS users to cause a denial of service (QEMU
        process crash) via vectors related to logging debug
        messages (bsc#1047674)
    
      - CVE-2016-9602: The VirtFS host directory sharing via
        Plan 9 File System(9pfs) support was vulnerable to an
        improper link following issue which allowed a privileged
        user inside guest to access host file system beyond the
        shared folder and potentially escalating their
        privileges on a host (bsc#1020427)
    
      - CVE-2017-7377: The v9fs_create and v9fs_lcreate
        functions in hw/9pfs/9p.c allowed local guest OS
        privileged users to cause a denial of service (file
        descriptor or memory consumption) via vectors related to
        an already in-use fid (bsc#1032075)
    
      - CVE-2017-8086: A memory leak in the v9fs_list_xattr
        function in hw/9pfs/9p-xattr.c allowed local guest OS
        privileged users to cause a denial of service (memory
        consumption) via vectors involving the orig_value
        variable (bsc#1035950)
    
      - CVE-2017-7471: The VirtFS host directory sharing via
        Plan 9 File System(9pfs) support was vulnerable to an
        improper access control issue which allowed a privileged
        user inside guest to access host file system beyond the
        shared folder and potentially escalating their
        privileges on a host (bsc#1034866)
    
      - CVE-2016-6834: A infinite loop during packet
        fragmentation in the VMWARE VMXNET3 NIC device support
        allowed privileged user inside guest to crash the Qemu
        instance resulting in DoS (bsc#994418)
    
      - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC
        device support, causing an OOB read access (bsc#994605)
    
      - Fix privilege escalation in TCG mode (bsc#1030624)
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1020427"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1021741"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1025109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1025311"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1026612"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1028184"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1028656"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1030624"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1032075"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1034866"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1034908"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1035406"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1035950"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1036211"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1037242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1039495"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042159"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042800"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042801"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1043296"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1045035"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1046636"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1047674"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1048902"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1049381"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1056334"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1057585"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1062069"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1063122"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=994418"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=994605"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-6834/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-6835/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9602/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9603/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-10664/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-10806/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-11334/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-11434/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13672/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-14167/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15038/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15289/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-2633/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5579/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5973/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5987/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-6505/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7377/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7471/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7493/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7718/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7980/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8086/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8112/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8309/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9330/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9373/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9375/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9503/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20172969-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?902e96be"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 12-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-2017-1839=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/10");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP0", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-block-rbd-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-block-rbd-debuginfo-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-x86-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"x86_64", reference:"qemu-x86-debuginfo-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"s390x", reference:"qemu-s390-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", cpu:"s390x", reference:"qemu-s390-debuginfo-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-block-curl-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-block-curl-debuginfo-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-debugsource-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-guest-agent-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-guest-agent-debuginfo-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-lang-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-tools-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-tools-debuginfo-2.0.2-48.34.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"0", reference:"qemu-kvm-2.0.2-48.34.3")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
    }
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1497.NASL
    descriptionSeveral vulnerabilities were found in qemu, a fast processor emulator : CVE-2015-8666 Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator CVE-2016-2198 NULL pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service CVE-2016-6833 Use after free while writing in the vmxnet3 device that could be used to cause a denial of service CVE-2016-6835 Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service CVE-2016-8576 Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support CVE-2016-8667 / CVE-2016-8669 Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service CVE-2016-9602 Improper link following with VirtFS CVE-2016-9603 Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support CVE-2016-9776 Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator CVE-2016-9907 Memory leakage in the USB redirector usb-guest support CVE-2016-9911 Memory leakage in ehci_init_transfer in the USB EHCI support CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916 Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver CVE-2016-9921 / CVE-2016-9922 Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support CVE-2016-10155 Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations. CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718 Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service CVE-2017-5525 / CVE-2017-5526 Memory leakage issues in the ac97 and es1370 device emulation CVE-2017-5579 Most memory leakage in the 16550A UART emulation CVE-2017-5667 Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support. CVE-2017-5715 Mitigations against the Spectre v2 vulnerability. For more information please refer to https://www.qemu.org/2018/01/04/spectre/ CVE-2017-5856 Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505 Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list CVE-2017-7377 9pfs: host memory leakage via v9fs_create CVE-2017-7493 Improper access control issues in the host directory sharing via 9pfs support. CVE-2017-7980 Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service CVE-2017-8086 9pfs: host memory leakage via v9pfs_list_xattr CVE-2017-8112 Infinite loop in the VMWare PVSCSI emulation CVE-2017-8309 / CVE-2017-8379 Host memory leakage issues via the audio capture buffer and the keyboard input event handlers CVE-2017-9330 Infinite loop due to incorrect return value in USB OHCI that may result in denial of service CVE-2017-9373 / CVE-2017-9374 Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service CVE-2017-9503 NULL pointer dereference while processing megasas command CVE-2017-10806 Stack buffer overflow in USB redirector CVE-2017-10911 Xen disk may leak stack data via response ring CVE-2017-11434 Out-of-bounds read while parsing Slirp/DHCP options CVE-2017-14167 Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code CVE-2017-15038 9pfs: information disclosure when reading extended attributes CVE-2017-15289 Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service CVE-2017-16845 Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration CVE-2017-18043 Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service CVE-2018-7550 Incorrect handling of memory during multiboot that could may result in execution of arbitrary code For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id117351
    published2018-09-07
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117351
    titleDebian DLA-1497-1 : qemu security update (Spectre)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Debian Security Advisory DLA-1497-1. The text
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(117351);
      script_version("1.5");
      script_cvs_date("Date: 2019/07/15 14:20:30");
    
      script_cve_id("CVE-2015-8666", "CVE-2016-10155", "CVE-2016-2198", "CVE-2016-6833", "CVE-2016-6835", "CVE-2016-8576", "CVE-2016-8667", "CVE-2016-8669", "CVE-2016-9602", "CVE-2016-9603", "CVE-2016-9776", "CVE-2016-9907", "CVE-2016-9911", "CVE-2016-9914", "CVE-2016-9915", "CVE-2016-9916", "CVE-2016-9921", "CVE-2016-9922", "CVE-2017-10806", "CVE-2017-10911", "CVE-2017-11434", "CVE-2017-14167", "CVE-2017-15038", "CVE-2017-15289", "CVE-2017-16845", "CVE-2017-18030", "CVE-2017-18043", "CVE-2017-2615", "CVE-2017-2620", "CVE-2017-5525", "CVE-2017-5526", "CVE-2017-5579", "CVE-2017-5667", "CVE-2017-5715", "CVE-2017-5856", "CVE-2017-5973", "CVE-2017-5987", "CVE-2017-6505", "CVE-2017-7377", "CVE-2017-7493", "CVE-2017-7718", "CVE-2017-7980", "CVE-2017-8086", "CVE-2017-8112", "CVE-2017-8309", "CVE-2017-8379", "CVE-2017-9330", "CVE-2017-9373", "CVE-2017-9374", "CVE-2017-9503", "CVE-2018-5683", "CVE-2018-7550");
    
      script_name(english:"Debian DLA-1497-1 : qemu security update (Spectre)");
      script_summary(english:"Checks dpkg output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several vulnerabilities were found in qemu, a fast processor 
    emulator :
    
    CVE-2015-8666
    
    Heap-based buffer overflow in QEMU when built with the
    Q35-chipset-based PC system emulator
    
    CVE-2016-2198
    
    NULL pointer dereference in ehci_caps_write in the USB EHCI support
    that may result in denial of service
    
    CVE-2016-6833
    
    Use after free while writing in the vmxnet3 device that could be used
    to cause a denial of service
    
    CVE-2016-6835
    
    Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device
    that could result in denial of service
    
    CVE-2016-8576
    
    Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support
    
    CVE-2016-8667 / CVE-2016-8669
    
    Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset
    emulator, and in serial_update_parameters of some serial devices, that
    could result in denial of service
    
    CVE-2016-9602
    
    Improper link following with VirtFS
    
    CVE-2016-9603
    
    Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA
    emulator support
    
    CVE-2016-9776
    
    Infinite loop while receiving data in the ColdFire Fast Ethernet
    Controller emulator
    
    CVE-2016-9907
    
    Memory leakage in the USB redirector usb-guest support 
    
    CVE-2016-9911
    
    Memory leakage in ehci_init_transfer in the USB EHCI support
    
    CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916
    
    Plan 9 File System (9pfs): add missing cleanup operation in
    FileOperations, in the handle backend and in the proxy backend driver
    
    CVE-2016-9921 / CVE-2016-9922
    
    Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator
    support 
    
    CVE-2016-10155
    
    Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS
    privileged users to cause a denial of service via a large number of
    device unplug operations.
    
    CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 /
    CVE-2017-7718
    
    Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator
    support, that could result in denial of service
    
    CVE-2017-5525 / CVE-2017-5526
    
    Memory leakage issues in the ac97 and es1370 device emulation
    
    CVE-2017-5579
    
    Most memory leakage in the 16550A UART emulation
    
    CVE-2017-5667
    
    Out-of-bounds access during multi block SDMA transfer in the SDHCI
    emulation support.
    
    CVE-2017-5715
    
    Mitigations against the Spectre v2 vulnerability. For more information
    please refer to https://www.qemu.org/2018/01/04/spectre/
    
    CVE-2017-5856
    
    Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation
    support
    
    CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505
    
    Infinite loop issues in the USB xHCI, in the transfer mode register of
    the SDHCI protocol, and the USB ohci_service_ed_list
    
    CVE-2017-7377
    
    9pfs: host memory leakage via v9fs_create
    
    CVE-2017-7493
    
    Improper access control issues in the host directory sharing via 9pfs
    support.
    
    CVE-2017-7980
    
    Heap-based buffer overflow in the Cirrus VGA device that could allow
    local guest OS users to execute arbitrary code or cause a denial of
    service
    
    CVE-2017-8086
    
    9pfs: host memory leakage via v9pfs_list_xattr
    
    CVE-2017-8112
    
    Infinite loop in the VMWare PVSCSI emulation
    
    CVE-2017-8309 / CVE-2017-8379
    
    Host memory leakage issues via the audio capture buffer and the
    keyboard input event handlers 
    
    CVE-2017-9330
    
    Infinite loop due to incorrect return value in USB OHCI that may
    result in denial of service
    
    CVE-2017-9373 / CVE-2017-9374
    
    Host memory leakage during hot unplug in IDE AHCI and USB emulated
    devices that could result in denial of service
    
    CVE-2017-9503
    
    NULL pointer dereference while processing megasas command
    
    CVE-2017-10806
    
    Stack buffer overflow in USB redirector
    
    CVE-2017-10911
    
    Xen disk may leak stack data via response ring
    
    CVE-2017-11434
    
    Out-of-bounds read while parsing Slirp/DHCP options
    
    CVE-2017-14167
    
    Out-of-bounds access while processing multiboot headers that could
    result in the execution of arbitrary code
    
    CVE-2017-15038
    
    9pfs: information disclosure when reading extended attributes
    
    CVE-2017-15289
    
    Out-of-bounds write access issue in the Cirrus graphic adaptor that
    could result in denial of service
    
    CVE-2017-16845
    
    Information leak in the PS/2 mouse and keyboard emulation support that
    could be exploited during instance migration 
    
    CVE-2017-18043
    
    Integer overflow in the macro ROUND_UP (n, d) that could result in
    denial of service
    
    CVE-2018-7550
    
    Incorrect handling of memory during multiboot that could may result in
    execution of arbitrary code
    
    For Debian 8 'Jessie', these problems have been fixed in version
    1:2.1+dfsg-12+deb8u7.
    
    We recommend that you upgrade your qemu packages.
    
    NOTE: Tenable Network Security has extracted the preceding description
    block directly from the DLA security advisory. Tenable has attempted
    to automatically clean and format it as much as possible without
    introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.debian.org/debian-lts-announce/2018/09/msg00007.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://packages.debian.org/source/jessie/qemu"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.qemu.org/2018/01/04/spectre/"
      );
      script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-mips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-misc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-ppc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-sparc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-system-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user-binfmt");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-user-static");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu-utils");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/09/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/07");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"8.0", prefix:"qemu", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-guest-agent", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-kvm", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-arm", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-common", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-mips", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-misc", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-ppc", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-sparc", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-system-x86", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-user", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-user-binfmt", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-user-static", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    if (deb_check(release:"8.0", prefix:"qemu-utils", reference:"1:2.1+dfsg-12+deb8u7")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-2946-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-10911: The make_response function in the Linux kernel allowed guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures (bsc#1057378). - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive (bsc#1054724). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311) - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211) - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800) - CVE-2017-9374: Missing free of
    last seen2020-06-01
    modified2020-06-02
    plugin id104471
    published2017-11-09
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104471
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2017:2946-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:2946-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(104471);
      script_version("3.9");
      script_cvs_date("Date: 2019/09/11 11:22:16");
    
      script_cve_id("CVE-2016-6834", "CVE-2016-6835", "CVE-2016-9602", "CVE-2016-9603", "CVE-2017-10664", "CVE-2017-10806", "CVE-2017-10911", "CVE-2017-11334", "CVE-2017-11434", "CVE-2017-12809", "CVE-2017-13672", "CVE-2017-14167", "CVE-2017-15038", "CVE-2017-15289", "CVE-2017-5579", "CVE-2017-5973", "CVE-2017-5987", "CVE-2017-6505", "CVE-2017-7377", "CVE-2017-7471", "CVE-2017-7493", "CVE-2017-7718", "CVE-2017-7980", "CVE-2017-8086", "CVE-2017-8112", "CVE-2017-8309", "CVE-2017-8379", "CVE-2017-8380", "CVE-2017-9330", "CVE-2017-9373", "CVE-2017-9374", "CVE-2017-9375", "CVE-2017-9503");
    
      script_name(english:"SUSE SLES12 Security Update : qemu (SUSE-SU-2017:2946-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for qemu fixes several issues. These security issues were
    fixed :
    
      - CVE-2017-10911: The make_response function in the Linux
        kernel allowed guest OS users to obtain sensitive
        information from host OS (or other guest OS) kernel
        memory by leveraging the copying of uninitialized
        padding fields in Xen block-interface response
        structures (bsc#1057378).
    
      - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator
        support allowed local guest OS privileged users to cause
        a denial of service (NULL pointer dereference and QEMU
        process crash) by flushing an empty CDROM device drive
        (bsc#1054724).
    
      - CVE-2017-15289: The mode4and5 write functions allowed
        local OS guest privileged users to cause a denial of
        service (out-of-bounds write access and Qemu process
        crash) via vectors related to dst calculation
        (bsc#1063122)
    
      - CVE-2017-15038: Race condition in the v9fs_xattrwalk
        function local guest OS users to obtain sensitive
        information from host heap memory via vectors related to
        reading extended attributes (bsc#1062069)
    
      - CVE-2017-14167: Integer overflow in the load_multiboot
        function allowed local guest OS users to execute
        arbitrary code on the host via crafted multiboot header
        address values, which trigger an out-of-bounds write
        (bsc#1057585)
    
      - CVE-2017-11434: The dhcp_decode function in
        slirp/bootp.c allowed local guest OS users to cause a
        denial of service (out-of-bounds read) via a crafted
        DHCP options string (bsc#1049381)
    
      - CVE-2017-11334: The address_space_write_continue
        function allowed local guest OS privileged users to
        cause a denial of service (out-of-bounds access and
        guest instance crash) by leveraging use of
        qemu_map_ram_ptr to access guest ram block area
        (bsc#1048902)
    
      - CVE-2017-13672: The VGA display emulator support allowed
        local guest OS privileged users to cause a denial of
        service (out-of-bounds read and QEMU process crash) via
        vectors involving display update (bsc#1056334)
    
      - CVE-2017-5973: A infinite loop while doing control
        transfer in xhci_kick_epctx allowed privileged user
        inside the guest to crash the host process resulting in
        DoS (bsc#1025109)
    
      - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks
        function in hw/sd/sdhci.c allowed local OS guest
        privileged users to cause a denial of service (infinite
        loop and QEMU process crash) via vectors involving the
        transfer mode register during multi block transfer
        (bsc#1025311)
    
      - CVE-2017-6505: The ohci_service_ed_list function allowed
        local guest OS users to cause a denial of service
        (infinite loop) via vectors involving the number of link
        endpoint list descriptors (bsc#1028184)
    
      - CVE-2016-9603: A privileged user within the guest VM
        could have caused a heap overflow in the device model
        process, potentially escalating their privileges to that
        of the device model process (bsc#1028656)
    
      - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local
        guest OS privileged users to cause a denial of service
        (out-of-bounds read and QEMU process crash) via vectors
        related to copying VGA data via the
        cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_
        functions (bsc#1034908)
    
      - CVE-2017-7980: An out-of-bounds r/w access issues in the
        Cirrus CLGD 54xx VGA Emulator support allowed privileged
        user inside guest to use this flaw to crash the Qemu
        process resulting in DoS or potentially execute
        arbitrary code on a host with privileges of Qemu process
        on the host (bsc#1035406)
    
      - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest
        OS privileged users to cause a denial of service
        (infinite loop and CPU consumption) via the message ring
        page count (bsc#1036211)
    
      - CVE-2017-9375: The USB xHCI controller emulator support
        was vulnerable to an infinite recursive call loop issue,
        which allowed a privileged user inside guest to crash
        the Qemu process resulting in DoS (bsc#1042800)
    
      - CVE-2017-9374: Missing free of 's->ipacket', causes a
        host memory leak, allowing for DoS (bsc#1043073)
    
      - CVE-2017-9373: The IDE AHCI Emulation support was
        vulnerable to a host memory leakage issue, which allowed
        a privileged user inside guest to leak host memory
        resulting in DoS (bsc#1042801)
    
      - CVE-2017-9330: USB OHCI Emulation in qemu allowed local
        guest OS users to cause a denial of service (infinite
        loop) by leveraging an incorrect return value
        (bsc#1042159)
    
      - CVE-2017-8379: Memory leak in the keyboard input event
        handlers support allowed local guest OS privileged users
        to cause a denial of service (host memory consumption)
        by rapidly generating large keyboard events
        (bsc#1037334)
    
      - CVE-2017-8309: Memory leak in the audio/audio.c allowed
        remote attackers to cause a denial of service (memory
        consumption) by repeatedly starting and stopping audio
        capture (bsc#1037242)
    
      - CVE-2017-8380: The MegaRAID SAS 8708EM2 Host Bus Adapter
        emulation support was vulnerable to an out-of-bounds
        read access issue which allowed a privileged user inside
        guest to read host memory resulting in DoS (bsc#1037336)
    
      - CVE-2017-7493: The VirtFS, host directory sharing via
        Plan 9 File System(9pfs) support, was vulnerable to an
        improper access control issue. It could occur while
        accessing virtfs metadata files in mapped-file security
        mode. A guest user could have used this flaw to escalate
        their privileges inside guest (bsc#1039495)
    
      - CVE-2016-9602: The VirtFS host directory sharing via
        Plan 9 File System(9pfs) support was vulnerable to an
        improper link following issue which allowed a privileged
        user inside guest to access host file system beyond the
        shared folder and potentially escalating their
        privileges on a host (bsc#1020427)
    
      - CVE-2017-5579: The 16550A UART serial device emulation
        support was vulnerable to a memory leakage issue
        allowing a privileged user to cause a DoS and/or
        potentially crash the Qemu process on the host
        (bsc#1021741)
    
      - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter
        emulation support was vulnerable to a NULL pointer
        dereference issue which allowed a privileged user inside
        guest to crash the Qemu process on the host resulting in
        DoS (bsc#1043296)
    
      - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which
        allowed remote attackers to cause a denial of service
        (daemon crash) by disconnecting during a
        server-to-client reply attempt (bsc#1046636)
    
      - CVE-2017-10806: Stack-based buffer overflow allowed
        local guest OS users to cause a denial of service (QEMU
        process crash) via vectors related to logging debug
        messages (bsc#1047674)
    
      - CVE-2016-9602: The VirtFS host directory sharing via
        Plan 9 File System(9pfs) support was vulnerable to an
        improper link following issue which allowed a privileged
        user inside guest to access host file system beyond the
        shared folder and potentially escalating their
        privileges on a host (bsc#1020427)
    
      - CVE-2017-7377: The v9fs_create and v9fs_lcreate
        functions in hw/9pfs/9p.c allowed local guest OS
        privileged users to cause a denial of service (file
        descriptor or memory consumption) via vectors related to
        an already in-use fid (bsc#1032075)
    
      - CVE-2017-8086: A memory leak in the v9fs_list_xattr
        function in hw/9pfs/9p-xattr.c allowed local guest OS
        privileged users to cause a denial of service (memory
        consumption) via vectors involving the orig_value
        variable (bsc#1035950)
    
      - CVE-2017-7471: The VirtFS host directory sharing via
        Plan 9 File System(9pfs) support was vulnerable to an
        improper access control issue which allowed a privileged
        user inside guest to access host file system beyond the
        shared folder and potentially escalating their
        privileges on a host (bsc#1034866)
    
      - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC
        device support, causing an OOB read access (bsc#994605)
    
      - CVE-2016-6834: A infinite loop during packet
        fragmentation in the VMWARE VMXNET3 NIC device support
        allowed privileged user inside guest to crash the Qemu
        instance resulting in DoS (bsc#994418)
    
      - Fix privilege escalation in TCG mode (bsc#1030624)
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1020427"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1021741"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1025109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1025311"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1028184"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1028656"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1030624"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1032075"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1034866"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1034908"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1035406"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1035950"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1036211"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1037242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1037334"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1037336"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1039495"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042159"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042800"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042801"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1043073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1043296"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1045035"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1046636"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1047674"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1048902"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1049381"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1054724"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1056334"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1057378"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1057585"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1062069"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1063122"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=994418"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=994605"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-6834/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-6835/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9602/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9603/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-10664/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-10806/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-10911/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-11334/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-11434/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-12809/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-13672/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-14167/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15038/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-15289/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5579/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5973/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5987/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-6505/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7377/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7471/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7493/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7718/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7980/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8086/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8112/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8309/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8379/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8380/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9330/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9373/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9374/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9375/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9503/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20172946-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?4becc028"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE OpenStack Cloud 6:zypper in -t patch
    SUSE-OpenStack-Cloud-6-2017-1827=1
    
    SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch
    SUSE-SLE-SAP-12-SP1-2017-1827=1
    
    SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2017-1827=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/12/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/11/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/11/09");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"qemu-block-rbd-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"qemu-block-rbd-debuginfo-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"x86_64", reference:"qemu-x86-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"s390x", reference:"qemu-s390-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", cpu:"s390x", reference:"qemu-s390-debuginfo-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"qemu-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"qemu-block-curl-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"qemu-block-curl-debuginfo-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"qemu-debugsource-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"qemu-guest-agent-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"qemu-guest-agent-debuginfo-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"qemu-lang-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"qemu-tools-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"qemu-tools-debuginfo-2.3.1-33.3.3")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"qemu-kvm-2.3.1-33.3.3")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2017-822.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042159). - CVE-2017-8379: Memory leak in the keyboard input event handlers support allowed local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events (bsc#1037334). - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037242). - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File System(9pfs) support, was vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could have used this flaw to escalate their privileges inside guest (bsc#1039495). - CVE-2017-7377: The v9fs_create and v9fs_lcreate functions in hw/9pfs/9p.c allowed local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid (bsc#1032075). - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable (bsc#1035950). - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211). - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800). - CVE-2017-9374: Missing free of
    last seen2020-06-05
    modified2017-07-17
    plugin id101758
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101758
    titleopenSUSE Security Update : qemu (openSUSE-2017-822)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update openSUSE-2017-822.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101758);
      script_version("1.5");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-10028", "CVE-2016-10029", "CVE-2016-9602", "CVE-2016-9603", "CVE-2017-5579", "CVE-2017-5973", "CVE-2017-5987", "CVE-2017-6505", "CVE-2017-7377", "CVE-2017-7471", "CVE-2017-7493", "CVE-2017-7718", "CVE-2017-7980", "CVE-2017-8086", "CVE-2017-8112", "CVE-2017-8309", "CVE-2017-8379", "CVE-2017-8380", "CVE-2017-9330", "CVE-2017-9373", "CVE-2017-9374", "CVE-2017-9375", "CVE-2017-9503");
    
      script_name(english:"openSUSE Security Update : qemu (openSUSE-2017-822)");
      script_summary(english:"Check for the openSUSE-2017-822 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for qemu fixes several issues.
    
    These security issues were fixed :
    
      - CVE-2017-9330: USB OHCI Emulation in qemu allowed local
        guest OS users to cause a denial of service (infinite
        loop) by leveraging an incorrect return value
        (bsc#1042159).
    
      - CVE-2017-8379: Memory leak in the keyboard input event
        handlers support allowed local guest OS privileged users
        to cause a denial of service (host memory consumption)
        by rapidly generating large keyboard events
        (bsc#1037334).
    
      - CVE-2017-8309: Memory leak in the audio/audio.c allowed
        remote attackers to cause a denial of service (memory
        consumption) by repeatedly starting and stopping audio
        capture (bsc#1037242).
    
      - CVE-2017-7493: The VirtFS, host directory sharing via
        Plan 9 File System(9pfs) support, was vulnerable to an
        improper access control issue. It could occur while
        accessing virtfs metadata files in mapped-file security
        mode. A guest user could have used this flaw to escalate
        their privileges inside guest (bsc#1039495).
    
      - CVE-2017-7377: The v9fs_create and v9fs_lcreate
        functions in hw/9pfs/9p.c allowed local guest OS
        privileged users to cause a denial of service (file
        descriptor or memory consumption) via vectors related to
        an already in-use fid (bsc#1032075).
    
      - CVE-2017-8086: A memory leak in the v9fs_list_xattr
        function in hw/9pfs/9p-xattr.c allowed local guest OS
        privileged users to cause a denial of service (memory
        consumption) via vectors involving the orig_value
        variable (bsc#1035950).
    
      - CVE-2017-5973: A infinite loop while doing control
        transfer in xhci_kick_epctx allowed privileged user
        inside the guest to crash the host process resulting in
        DoS (bsc#1025109)
    
      - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks
        function in hw/sd/sdhci.c allowed local OS guest
        privileged users to cause a denial of service (infinite
        loop and QEMU process crash) via vectors involving the
        transfer mode register during multi block transfer
        (bsc#1025311).
    
      - CVE-2017-6505: The ohci_service_ed_list function in
        hw/usb/hcd-ohci.c allowed local guest OS users to cause
        a denial of service (infinite loop) via vectors
        involving the number of link endpoint list descriptors
        (bsc#1028184)
    
      - CVE-2016-9603: A privileged user within the guest VM
        could have caused a heap overflow in the device model
        process, potentially escalating their privileges to that
        of the device model process (bsc#1028656)
    
      - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local
        guest OS privileged users to cause a denial of service
        (out-of-bounds read and QEMU process crash) via vectors
        related to copying VGA data via the
        cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_
        functions (bsc#1034908)
    
      - CVE-2017-7980: An out-of-bounds r/w access issues in the
        Cirrus CLGD 54xx VGA Emulator support allowed privileged
        user inside guest to use this flaw to crash the Qemu
        process resulting in DoS or potentially execute
        arbitrary code on a host with privileges of Qemu process
        on the host (bsc#1035406)
    
      - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest
        OS privileged users to cause a denial of service
        (infinite loop and CPU consumption) via the message ring
        page count (bsc#1036211).
    
      - CVE-2017-9375: The USB xHCI controller emulator support
        was vulnerable to an infinite recursive call loop issue,
        which allowed a privileged user inside guest to crash
        the Qemu process resulting in DoS (bsc#1042800).
    
      - CVE-2017-9374: Missing free of 's->ipacket', causes a
        host memory leak, allowing for DoS (bsc#1043073).
    
      - CVE-2017-9373: The IDE AHCI Emulation support was
        vulnerable to a host memory leakage issue, which allowed
        a privileged user inside guest to leak host memory
        resulting in DoS (bsc#1042801).
    
      - CVE-2017-8380: The MegaRAID SAS 8708EM2 Host Bus Adapter
        emulation support was vulnerable to an out-of-bounds
        read access issue which allowed a privileged user inside
        guest to read host memory resulting in DoS
        (bsc#1037336).
    
      - CVE-2016-9602: The VirtFS host directory sharing via
        Plan 9 File System(9pfs) support was vulnerable to an
        improper link following issue which allowed a privileged
        user inside guest to access host file system beyond the
        shared folder and potentially escalating their
        privileges on a host (bsc#1020427).
    
      - CVE-2017-7471: The VirtFS host directory sharing via
        Plan 9 File System(9pfs) support was vulnerable to an
        improper access control issue which allowed a privileged
        user inside guest to access host file system beyond the
        shared folder and potentially escalating their
        privileges on a host (bsc#1034866).
    
      - Fix privilege escalation in TCG mode of QEMU. This is
        not considered a security issue by the upstream project,
        but is included as additional hardening (bsc#1030624)
    
      - Fix potential DoS in virtfs
    
      - CVE-2016-10028: The Virtio GPU Device emulator support
        was vulnerable to an out of bounds memory access issue
        allowing a guest user to crash the Qemu process instance
        on a host, resulting in DoS (bsc#1017084, bsc#1016503)
    
      - CVE-2016-10029: The Virtio GPU Device emulator support
        was vulnerable to an OOB read issue allowing a guest
        user to crash the Qemu process instance resulting in Dos
        (bsc#1017081, bsc#1016504)
    
      - CVE-2017-5579: The 16550A UART serial device emulation
        support was vulnerable to a memory leakage issue
        allowing a privileged user to cause a DoS and/or
        potentially crash the Qemu process on the host
        (bsc#1021741)
    
      - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter
        emulation support was vulnerable to a NULL pointer
        dereference issue which allowed a privileged user inside
        guest to crash the Qemu process on the host resulting in
        DoS (bsc#1043296).
    
    This non-security issue was fixed :
    
      - Enable MONITOR/MWAIT support for guests (bsc#1031142)
    
    This update was imported from the SUSE:SLE-12-SP2:Update update
    project."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1016503"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1016504"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1017081"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1017084"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1020427"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1021741"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1025109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1025311"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1028184"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1028656"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1030624"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1031142"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1032075"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034866"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1034908"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1035406"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1035950"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1036211"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1037242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1037334"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1037336"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1039495"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1042159"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1042800"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1042801"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1043073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.opensuse.org/show_bug.cgi?id=1043296"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected qemu packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-arm-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-dmg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-dmg-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-iscsi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-iscsi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-rbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-rbd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-ssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-block-ssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-extra");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-extra-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-guest-agent-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-ipxe");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-linux-user");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-linux-user-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-linux-user-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-ppc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-ppc-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-s390");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-s390-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-seabios");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-sgabios");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-testsuite");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-vgabios");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-x86");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:qemu-x86-debuginfo");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:42.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE42\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "42.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-arm-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-arm-debuginfo-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-block-curl-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-block-curl-debuginfo-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-block-dmg-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-block-dmg-debuginfo-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-block-iscsi-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-block-iscsi-debuginfo-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-block-ssh-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-block-ssh-debuginfo-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-debugsource-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-extra-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-extra-debuginfo-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-guest-agent-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-guest-agent-debuginfo-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-ipxe-1.0.0-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-kvm-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-lang-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-linux-user-2.6.2-31.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-linux-user-debuginfo-2.6.2-31.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-linux-user-debugsource-2.6.2-31.3.1") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-ppc-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-ppc-debuginfo-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-s390-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-s390-debuginfo-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-seabios-1.9.1-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-sgabios-8-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-testsuite-2.6.2-31.3.6") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-tools-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-tools-debuginfo-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-vgabios-1.9.1-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-x86-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", reference:"qemu-x86-debuginfo-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"qemu-block-rbd-2.6.2-31.3.3") ) flag++;
    if ( rpm_check(release:"SUSE42.2", cpu:"x86_64", reference:"qemu-block-rbd-debuginfo-2.6.2-31.3.3") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-linux-user / qemu-linux-user-debuginfo / etc");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1266.NASL
    descriptionAccording to the versions of the qemu-kvm packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.(CVE-2019-6778) - A flaw was found in QEMU
    last seen2020-03-19
    modified2020-03-13
    plugin id134555
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134555
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : qemu-kvm (EulerOS-SA-2020-1266)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(134555);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/19");
    
      script_cve_id(
        "CVE-2017-5525",
        "CVE-2017-5526",
        "CVE-2017-5898",
        "CVE-2017-5973",
        "CVE-2017-5987",
        "CVE-2018-16872",
        "CVE-2018-19364",
        "CVE-2018-19489",
        "CVE-2019-3812",
        "CVE-2019-6778"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : qemu-kvm (EulerOS-SA-2020-1266)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the qemu-kvm packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a
        heap-based buffer overflow.(CVE-2019-6778)
    
      - A flaw was found in QEMU's Media Transfer Protocol
        (MTP). The code opening files in usb_mtp_get_object and
        usb_mtp_get_partial_object and directories in
        usb_mtp_object_readdir doesn't consider that the
        underlying filesystem may have changed since the time
        lstat(2) was called in usb_mtp_object_alloc, a
        classical TOCTTOU problem. An attacker with write
        access to the host filesystem, shared with a guest, can
        use this property to navigate the host filesystem in
        the context of the QEMU process and read any file the
        QEMU process has access to. Access to the filesystem
        may be local or via a network share protocol such as
        CIFS.(CVE-2018-16872)
    
      - hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an
        fid path while it is being accessed by a second thread,
        leading to (for example) a use-after-free
        outcome.(CVE-2018-19364)
    
      - v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS
        users to cause a denial of service (crash) because of a
        race condition during file renaming.(CVE-2018-19489)
    
      - QEMU, through version 2.10 and through version 3.1.0,
        is vulnerable to an out-of-bounds read of up to 128
        bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A
        local attacker with permission to execute i2c commands
        could exploit this to read stack memory of the qemu
        process on the host.(CVE-2019-3812)
    
      - Memory leak in hw/audio/ac97.c in QEMU (aka Quick
        Emulator) allows local guest OS privileged users to
        cause a denial of service (host memory consumption and
        QEMU process crash) via a large number of device unplug
        operations.(CVE-2017-5525)
    
      - Memory leak in hw/audio/es1370.c in QEMU (aka Quick
        Emulator) allows local guest OS privileged users to
        cause a denial of service (host memory consumption and
        QEMU process crash) via a large number of device unplug
        operations.(CVE-2017-5526)
    
      - The sdhci_sdma_transfer_multi_blocks function in
        hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local
        OS guest privileged users to cause a denial of service
        (infinite loop and QEMU process crash) via vectors
        involving the transfer mode register during multi block
        transfer.(CVE-2017-5987)
    
      - An integer overflow flaw was found in Quick Emulator
        (QEMU) in the CCID Card device support. The flaw could
        occur while passing messages via command/response
        packets to and from the host. A privileged user inside
        a guest could use this flaw to crash the QEMU
        process.(CVE-2017-5898)
    
      - The xhci_kick_epctx function in hw/usb/hcd-xhci.c in
        QEMU (aka Quick Emulator) allows local guest OS
        privileged users to cause a denial of service (infinite
        loop and QEMU process crash) via vectors related to
        control transfer descriptor sequence.(CVE-2017-5973)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1266
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?70651d73");
      script_set_attribute(attribute:"solution", value:
    "Update the affected qemu-kvm packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-6778");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/03/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/13");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-img");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["qemu-img-2.8.1-30.100",
            "qemu-kvm-2.8.1-30.100",
            "qemu-kvm-common-2.8.1-30.100",
            "qemu-kvm-tools-2.8.1-30.100"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-kvm");
    }
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201704-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201704-01 (QEMU: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact : Remote server can cause a crash in the client causing execution of arbitrary code, and a Denial of Service within the QEMU process. Remote or Local users within a guest QEMU environment can cause a Denial of Service condition of the QEMU guest process. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id99274
    published2017-04-11
    reporterThis script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99274
    titleGLSA-201704-01 : QEMU: Multiple vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 201704-01.
    #
    # The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99274);
      script_version("3.7");
      script_cvs_date("Date: 2018/09/12 15:00:25");
    
      script_cve_id("CVE-2016-9602", "CVE-2017-2620", "CVE-2017-2630", "CVE-2017-5973", "CVE-2017-5987", "CVE-2017-6058", "CVE-2017-6505");
      script_xref(name:"GLSA", value:"201704-01");
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"GLSA-201704-01 : QEMU: Multiple vulnerabilities");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-201704-01
    (QEMU: Multiple vulnerabilities)
    
        Multiple vulnerabilities have been discovered in QEMU. Please review the
          CVE identifiers referenced below for details.
      
    Impact :
    
        Remote server can cause a crash in the client causing execution of
          arbitrary code, and a Denial of Service within the QEMU process. Remote
          or Local users within a guest QEMU environment can cause a Denial of
          Service condition of the QEMU guest process.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/201704-01"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All QEMU users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose '>=app-emulation/qemu-2.8.0-r9'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:qemu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/11");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"app-emulation/qemu", unaffected:make_list("ge 2.8.0-r9"), vulnerable:make_list("lt 2.8.0-r9"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "QEMU");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-31B976672B.NASL
    description - CVE-2016-7907: net: imx: infinite loop (bz #1381182) - CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110) - CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210) - CVE-2016-10155 watchdog: memory leakage in i6300esb (bz #1415200) - CVE-2017-5552: virtio-gpu-3d: memory leakage (bz #1415283) - CVE-2017-5578: virtio-gpu: memory leakage (bz #1415797) - CVE-2017-5667: sd: sdhci OOB access during multi block transfer (bz #1417560) - CVE-2017-5856: scsi: megasas: memory leakage (bz #1418344) - CVE-2017-5857: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref (bz #1418383) - CVE-2017-5898: usb: integer overflow in emulated_apdu_from_guest (bz #1419700) - CVE-2017-5987: sd: infinite loop issue in multi block transfers (bz #1422001) - CVE-2017-6058: vmxnet3: OOB access when doing vlan stripping (bz #1423359) - CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list (bz #1429434) - CVE-2017-2615: cirrus: oob access while doing bitblt copy backward (bz #1418206) - CVE-2017-2620: cirrus: potential arbitrary code execution (bz #1425419) - Fix spice GL with new mesa/libglvnd (bz #1431905) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-03-20
    plugin id97804
    published2017-03-20
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97804
    titleFedora 25 : 2:qemu (2017-31b976672b)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-31b976672b.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97804);
      script_version("3.10");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-10155", "CVE-2016-7907", "CVE-2017-2615", "CVE-2017-2620", "CVE-2017-5525", "CVE-2017-5526", "CVE-2017-5552", "CVE-2017-5578", "CVE-2017-5667", "CVE-2017-5856", "CVE-2017-5857", "CVE-2017-5898", "CVE-2017-5987", "CVE-2017-6058", "CVE-2017-6505");
      script_xref(name:"FEDORA", value:"2017-31b976672b");
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"Fedora 25 : 2:qemu (2017-31b976672b)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - CVE-2016-7907: net: imx: infinite loop (bz #1381182)
    
      - CVE-2017-5525: audio: memory leakage in ac97 (bz
        #1414110)
    
      - CVE-2017-5526: audio: memory leakage in es1370 (bz
        #1414210)
    
      - CVE-2016-10155 watchdog: memory leakage in i6300esb (bz
        #1415200)
    
      - CVE-2017-5552: virtio-gpu-3d: memory leakage (bz
        #1415283)
    
      - CVE-2017-5578: virtio-gpu: memory leakage (bz #1415797)
    
      - CVE-2017-5667: sd: sdhci OOB access during multi block
        transfer (bz #1417560)
    
      - CVE-2017-5856: scsi: megasas: memory leakage (bz
        #1418344)
    
      - CVE-2017-5857: virtio-gpu-3d: host memory leakage in
        virgl_cmd_resource_unref (bz #1418383)
    
      - CVE-2017-5898: usb: integer overflow in
        emulated_apdu_from_guest (bz #1419700)
    
      - CVE-2017-5987: sd: infinite loop issue in multi block
        transfers (bz #1422001)
    
      - CVE-2017-6058: vmxnet3: OOB access when doing vlan
        stripping (bz #1423359)
    
      - CVE-2017-6505: usb: an infinite loop issue in
        ohci_service_ed_list (bz #1429434)
    
      - CVE-2017-2615: cirrus: oob access while doing bitblt
        copy backward (bz #1418206)
    
      - CVE-2017-2620: cirrus: potential arbitrary code
        execution (bz #1425419)
    
      - Fix spice GL with new mesa/libglvnd (bz #1431905)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-31b976672b"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 2:qemu package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:qemu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"qemu-2.7.1-4.fc25", epoch:"2")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:qemu");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2017-1774-1.NASL
    descriptionThis update for qemu fixes several issues. These security issues were fixed : - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042159). - CVE-2017-8379: Memory leak in the keyboard input event handlers support allowed local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events (bsc#1037334). - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037242). - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File System(9pfs) support, was vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could have used this flaw to escalate their privileges inside guest (bsc#1039495). - CVE-2017-7377: The v9fs_create and v9fs_lcreate functions in hw/9pfs/9p.c allowed local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid (bsc#1032075). - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable (bsc#1035950). - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211). - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800). - CVE-2017-9374: Missing free of
    last seen2020-06-01
    modified2020-06-02
    plugin id101227
    published2017-07-05
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101227
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:1774-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2017:1774-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101227);
      script_version("3.10");
      script_cvs_date("Date: 2019/09/11 11:22:15");
    
      script_cve_id("CVE-2016-10028", "CVE-2016-10029", "CVE-2016-9602", "CVE-2016-9603", "CVE-2017-5579", "CVE-2017-5973", "CVE-2017-5987", "CVE-2017-6505", "CVE-2017-7377", "CVE-2017-7471", "CVE-2017-7493", "CVE-2017-7718", "CVE-2017-7980", "CVE-2017-8086", "CVE-2017-8112", "CVE-2017-8309", "CVE-2017-8379", "CVE-2017-8380", "CVE-2017-9330", "CVE-2017-9373", "CVE-2017-9374", "CVE-2017-9375", "CVE-2017-9503");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:1774-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for qemu fixes several issues. These security issues were
    fixed :
    
      - CVE-2017-9330: USB OHCI Emulation in qemu allowed local
        guest OS users to cause a denial of service (infinite
        loop) by leveraging an incorrect return value
        (bsc#1042159).
    
      - CVE-2017-8379: Memory leak in the keyboard input event
        handlers support allowed local guest OS privileged users
        to cause a denial of service (host memory consumption)
        by rapidly generating large keyboard events
        (bsc#1037334).
    
      - CVE-2017-8309: Memory leak in the audio/audio.c allowed
        remote attackers to cause a denial of service (memory
        consumption) by repeatedly starting and stopping audio
        capture (bsc#1037242).
    
      - CVE-2017-7493: The VirtFS, host directory sharing via
        Plan 9 File System(9pfs) support, was vulnerable to an
        improper access control issue. It could occur while
        accessing virtfs metadata files in mapped-file security
        mode. A guest user could have used this flaw to escalate
        their privileges inside guest (bsc#1039495).
    
      - CVE-2017-7377: The v9fs_create and v9fs_lcreate
        functions in hw/9pfs/9p.c allowed local guest OS
        privileged users to cause a denial of service (file
        descriptor or memory consumption) via vectors related to
        an already in-use fid (bsc#1032075).
    
      - CVE-2017-8086: A memory leak in the v9fs_list_xattr
        function in hw/9pfs/9p-xattr.c allowed local guest OS
        privileged users to cause a denial of service (memory
        consumption) via vectors involving the orig_value
        variable (bsc#1035950).
    
      - CVE-2017-5973: A infinite loop while doing control
        transfer in xhci_kick_epctx allowed privileged user
        inside the guest to crash the host process resulting in
        DoS (bsc#1025109)
    
      - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks
        function in hw/sd/sdhci.c allowed local OS guest
        privileged users to cause a denial of service (infinite
        loop and QEMU process crash) via vectors involving the
        transfer mode register during multi block transfer
        (bsc#1025311).
    
      - CVE-2017-6505: The ohci_service_ed_list function in
        hw/usb/hcd-ohci.c allowed local guest OS users to cause
        a denial of service (infinite loop) via vectors
        involving the number of link endpoint list descriptors
        (bsc#1028184)
    
      - CVE-2016-9603: A privileged user within the guest VM
        could have caused a heap overflow in the device model
        process, potentially escalating their privileges to that
        of the device model process (bsc#1028656)
    
      - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local
        guest OS privileged users to cause a denial of service
        (out-of-bounds read and QEMU process crash) via vectors
        related to copying VGA data via the
        cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_
        functions (bsc#1034908)
    
      - CVE-2017-7980: An out-of-bounds r/w access issues in the
        Cirrus CLGD 54xx VGA Emulator support allowed privileged
        user inside guest to use this flaw to crash the Qemu
        process resulting in DoS or potentially execute
        arbitrary code on a host with privileges of Qemu process
        on the host (bsc#1035406)
    
      - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest
        OS privileged users to cause a denial of service
        (infinite loop and CPU consumption) via the message ring
        page count (bsc#1036211).
    
      - CVE-2017-9375: The USB xHCI controller emulator support
        was vulnerable to an infinite recursive call loop issue,
        which allowed a privileged user inside guest to crash
        the Qemu process resulting in DoS (bsc#1042800).
    
      - CVE-2017-9374: Missing free of 's->ipacket', causes a
        host memory leak, allowing for DoS (bsc#1043073).
    
      - CVE-2017-9373: The IDE AHCI Emulation support was
        vulnerable to a host memory leakage issue, which allowed
        a privileged user inside guest to leak host memory
        resulting in DoS (bsc#1042801).
    
      - CVE-2017-8380: The MegaRAID SAS 8708EM2 Host Bus Adapter
        emulation support was vulnerable to an out-of-bounds
        read access issue which allowed a privileged user inside
        guest to read host memory resulting in DoS
        (bsc#1037336).
    
      - CVE-2016-9602: The VirtFS host directory sharing via
        Plan 9 File System(9pfs) support was vulnerable to an
        improper link following issue which allowed a privileged
        user inside guest to access host file system beyond the
        shared folder and potentially escalating their
        privileges on a host (bsc#1020427).
    
      - CVE-2017-7471: The VirtFS host directory sharing via
        Plan 9 File System(9pfs) support was vulnerable to an
        improper access control issue which allowed a privileged
        user inside guest to access host file system beyond the
        shared folder and potentially escalating their
        privileges on a host (bsc#1034866).
    
      - Fix privilege escalation in TCG mode of QEMU. This is
        not considered a security issue by the upstream project,
        but is included as additional hardening (bsc#1030624)
    
      - Fix potential DoS in virtfs
    
      - CVE-2016-10028: The Virtio GPU Device emulator support
        was vulnerable to an out of bounds memory access issue
        allowing a guest user to crash the Qemu process instance
        on a host, resulting in DoS (bsc#1017084, bsc#1016503)
    
      - CVE-2016-10029: The Virtio GPU Device emulator support
        was vulnerable to an OOB read issue allowing a guest
        user to crash the Qemu process instance resulting in Dos
        (bsc#1017081, bsc#1016504)
    
      - CVE-2017-5579: The 16550A UART serial device emulation
        support was vulnerable to a memory leakage issue
        allowing a privileged user to cause a DoS and/or
        potentially crash the Qemu process on the host
        (bsc#1021741)
    
      - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter
        emulation support was vulnerable to a NULL pointer
        dereference issue which allowed a privileged user inside
        guest to crash the Qemu process on the host resulting in
        DoS (bsc#1043296).
    
    The update package also includes non-security fixes. See advisory for
    details.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1016503"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1016504"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017081"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1017084"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1020427"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1021741"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1025109"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1025311"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1028184"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1028656"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1030624"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031142"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1032075"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1034866"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1034908"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1035406"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1035950"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1036211"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1037242"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1037334"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1037336"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1039495"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042159"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042800"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1042801"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1043073"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1043296"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10028/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-10029/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9602/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-9603/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5579/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5973/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-5987/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-6505/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7377/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7471/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7493/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7718/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-7980/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8086/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8112/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8309/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8379/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-8380/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9330/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9373/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9374/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9375/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2017-9503/"
      );
      # https://www.suse.com/support/update/announcement/2017/suse-su-20171774-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?b04dc985"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use YaST online_update.
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server for Raspberry Pi 12-SP2:zypper in -t
    patch SUSE-SLE-RPI-12-SP2-2017-1102=1
    
    SUSE Linux Enterprise Server 12-SP2:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2017-1102=1
    
    SUSE Linux Enterprise Desktop 12-SP2:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP2-2017-1102=1
    
    To bring your system up-to-date, use 'zypper patch'."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-ssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/07/04");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/05");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "x86_64") audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP2", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(2)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP2", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-curl-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-curl-debuginfo-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-ssh-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-ssh-debuginfo-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-debugsource-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-guest-agent-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-guest-agent-debuginfo-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-lang-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-tools-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-tools-debuginfo-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-rbd-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-block-rbd-debuginfo-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-kvm-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", cpu:"x86_64", reference:"qemu-x86-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-block-curl-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-block-curl-debuginfo-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-debugsource-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-kvm-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-tools-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-tools-debuginfo-2.6.2-41.16.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"2", cpu:"x86_64", reference:"qemu-x86-2.6.2-41.16.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-62AC1230F7.NASL
    description - CVE-2017-5525: audio: memory leakage in ac97 (bz #1414110) - CVE-2017-5526: audio: memory leakage in es1370 (bz #1414210) - CVE-2016-10155 watchdog: memory leakage in i6300esb (bz #1415200) - CVE-2017-5552: virtio-gpu-3d: memory leakage (bz #1415283) - CVE-2017-5667: sd: sdhci OOB access during multi block transfer (bz #1417560) - CVE-2017-5857: virtio-gpu-3d: host memory leakage in virgl_cmd_resource_unref (bz #1418383) - CVE-2017-5856: scsi: megasas: memory leakage (bz #1418344) - CVE-2017-5898: usb: integer overflow in emulated_apdu_from_guest (bz #1419700) - CVE-2017-5987: sd: infinite loop issue in multi block transfers (bz #1422001) - CVE-2017-6505: usb: an infinite loop issue in ohci_service_ed_list (bz #1429434) - CVE-2017-2615: cirrus: oob access while doing bitblt copy backward (bz #1418206) - CVE-2017-2620: cirrus: potential arbitrary code execution (bz #1425419) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-03-22
    plugin id97865
    published2017-03-22
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97865
    titleFedora 24 : 2:qemu (2017-62ac1230f7)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-62ac1230f7.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(97865);
      script_version("3.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2016-10155", "CVE-2017-2615", "CVE-2017-2620", "CVE-2017-5525", "CVE-2017-5526", "CVE-2017-5552", "CVE-2017-5667", "CVE-2017-5856", "CVE-2017-5857", "CVE-2017-5898", "CVE-2017-5987", "CVE-2017-6505");
      script_xref(name:"FEDORA", value:"2017-62ac1230f7");
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"Fedora 24 : 2:qemu (2017-62ac1230f7)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "  - CVE-2017-5525: audio: memory leakage in ac97 (bz
        #1414110)
    
      - CVE-2017-5526: audio: memory leakage in es1370 (bz
        #1414210)
    
      - CVE-2016-10155 watchdog: memory leakage in i6300esb (bz
        #1415200)
    
      - CVE-2017-5552: virtio-gpu-3d: memory leakage (bz
        #1415283)
    
      - CVE-2017-5667: sd: sdhci OOB access during multi block
        transfer (bz #1417560)
    
      - CVE-2017-5857: virtio-gpu-3d: host memory leakage in
        virgl_cmd_resource_unref (bz #1418383)
    
      - CVE-2017-5856: scsi: megasas: memory leakage (bz
        #1418344)
    
      - CVE-2017-5898: usb: integer overflow in
        emulated_apdu_from_guest (bz #1419700)
    
      - CVE-2017-5987: sd: infinite loop issue in multi block
        transfers (bz #1422001)
    
      - CVE-2017-6505: usb: an infinite loop issue in
        ohci_service_ed_list (bz #1429434)
    
      - CVE-2017-2615: cirrus: oob access while doing bitblt
        copy backward (bz #1418206)
    
      - CVE-2017-2620: cirrus: potential arbitrary code
        execution (bz #1425419)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-62ac1230f7"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 2:qemu package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:qemu");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:24");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/15");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/03/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^24([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 24", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC24", reference:"qemu-2.6.2-7.fc24", epoch:"2")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:qemu");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3268-1.NASL
    descriptionZhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-10028) It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8667) Jann Horn discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to access files on the host file system outside of the shared directory and possibly escalate their privileges. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9602) Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA device when being used with a VNC connection. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9603) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. (CVE-2016-9908) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9912, CVE-2017-5552, CVE-2017-5578) Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9914) Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5987) Li Qiang discovered that QEMU incorrectly handled USB OHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-6505). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99686
    published2017-04-26
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99686
    titleUbuntu 17.04 : qemu vulnerabilities (USN-3268-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3268-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99686);
      script_version("3.9");
      script_cvs_date("Date: 2019/09/18 12:31:47");
    
      script_cve_id("CVE-2016-10028", "CVE-2016-8667", "CVE-2016-9602", "CVE-2016-9603", "CVE-2016-9908", "CVE-2016-9912", "CVE-2016-9914", "CVE-2017-5552", "CVE-2017-5578", "CVE-2017-5987", "CVE-2017-6505");
      script_xref(name:"USN", value:"3268-1");
    
      script_name(english:"Ubuntu 17.04 : qemu vulnerabilities (USN-3268-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU
    device. An attacker inside the guest could use this issue to cause
    QEMU to crash, resulting in a denial of service. (CVE-2016-10028)
    
    It was discovered that QEMU incorrectly handled the JAZZ RC4030
    device. A privileged attacker inside the guest could use this issue to
    cause QEMU to crash, resulting in a denial of service. (CVE-2016-8667)
    
    Jann Horn discovered that QEMU incorrectly handled VirtFS directory
    sharing. A privileged attacker inside the guest could use this issue
    to access files on the host file system outside of the shared
    directory and possibly escalate their privileges. In the default
    installation, when QEMU is used with libvirt, attackers would be
    isolated by the libvirt AppArmor profile. (CVE-2016-9602)
    
    Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA
    device when being used with a VNC connection. A privileged attacker
    inside the guest could use this issue to cause QEMU to crash,
    resulting in a denial of service, or possibly execute arbitrary code
    on the host. In the default installation, when QEMU is used with
    libvirt, attackers would be isolated by the libvirt AppArmor profile.
    (CVE-2016-9603)
    
    Li Qiang discovered that QEMU incorrectly handled the Virtio GPU
    device. An attacker inside the guest could use this issue to cause
    QEMU to leak contents of host memory. (CVE-2016-9908)
    
    Li Qiang discovered that QEMU incorrectly handled the Virtio GPU
    device. An attacker inside the guest could use this issue to cause
    QEMU to crash, resulting in a denial of service. (CVE-2016-9912,
    CVE-2017-5552, CVE-2017-5578)
    
    Li Qiang discovered that QEMU incorrectly handled VirtFS directory
    sharing. A privileged attacker inside the guest could use this issue
    to cause QEMU to crash, resulting in a denial of service.
    (CVE-2016-9914)
    
    Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI
    device emulation. A privileged attacker inside the guest could use
    this issue to cause QEMU to crash, resulting in a denial of service.
    (CVE-2017-5987)
    
    Li Qiang discovered that QEMU incorrectly handled USB OHCI controller
    emulation. A privileged attacker inside the guest could use this issue
    to cause QEMU to hang, resulting in a denial of service.
    (CVE-2017-6505).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3268-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:17.04");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/04");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(17\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 17.04", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system", pkgver:"1:2.8+dfsg-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-aarch64", pkgver:"1:2.8+dfsg-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-arm", pkgver:"1:2.8+dfsg-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-mips", pkgver:"1:2.8+dfsg-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-misc", pkgver:"1:2.8+dfsg-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-ppc", pkgver:"1:2.8+dfsg-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-s390x", pkgver:"1:2.8+dfsg-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-sparc", pkgver:"1:2.8+dfsg-3ubuntu2.1")) flag++;
    if (ubuntu_check(osver:"17.04", pkgname:"qemu-system-x86", pkgver:"1:2.8+dfsg-3ubuntu2.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-system / qemu-system-aarch64 / qemu-system-arm / etc");
    }
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3261-1.NASL
    descriptionZhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10028, CVE-2016-10029) Li Qiang discovered that QEMU incorrectly handled the 6300esb watchdog. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-10155) Li Qiang discovered that QEMU incorrectly handled the i.MX Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7907) It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8667) It was discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-8669) It was discovered that QEMU incorrectly handled the shared rings when used with Xen. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. (CVE-2016-9381) Jann Horn discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to access files on the host file system outside of the shared directory and possibly escalate their privileges. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9602) Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA device when being used with a VNC connection. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9603) It was discovered that QEMU incorrectly handled the ColdFire Fast Ethernet Controller. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9776) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9845, CVE-2016-9908) Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9846, CVE-2016-9912, CVE-2017-5552, CVE-2017-5578, CVE-2017-5857) Li Qiang discovered that QEMU incorrectly handled the USB redirector. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9907) Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9911) Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916) Qinghao Tang, Li Qiang, and Jiangxin discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2016-9921, CVE-2016-9922) Wjjzhang and Li Qiang discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2615) It was discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2620) It was discovered that QEMU incorrectly handled VNC connections. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-2633) Li Qiang discovered that QEMU incorrectly handled the ac97 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5525) Li Qiang discovered that QEMU incorrectly handled the es1370 audio device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5526) Li Qiang discovered that QEMU incorrectly handled the 16550A UART device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5579) Jiang Xin discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-5667) Li Qiang discovered that QEMU incorrectly handled the MegaRAID SAS device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5856) Li Qiang discovered that QEMU incorrectly handled the CCID Card device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5898) Li Qiang discovered that QEMU incorrectly handled USB xHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5973) Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI device emulation. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-5987) Li Qiang discovered that QEMU incorrectly handled USB OHCI controller emulation. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-6505). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id99581
    published2017-04-21
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99581
    titleUbuntu 14.04 LTS / 16.04 LTS / 16.10 : qemu vulnerabilities (USN-3261-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-3261-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99581);
      script_version("3.16");
      script_cvs_date("Date: 2019/09/18 12:31:46");
    
      script_cve_id("CVE-2016-10028", "CVE-2016-10029", "CVE-2016-10155", "CVE-2016-7907", "CVE-2016-8667", "CVE-2016-8669", "CVE-2016-9381", "CVE-2016-9602", "CVE-2016-9603", "CVE-2016-9776", "CVE-2016-9845", "CVE-2016-9846", "CVE-2016-9907", "CVE-2016-9908", "CVE-2016-9911", "CVE-2016-9912", "CVE-2016-9913", "CVE-2016-9914", "CVE-2016-9915", "CVE-2016-9916", "CVE-2016-9921", "CVE-2016-9922", "CVE-2017-2615", "CVE-2017-2620", "CVE-2017-2633", "CVE-2017-5525", "CVE-2017-5526", "CVE-2017-5552", "CVE-2017-5578", "CVE-2017-5579", "CVE-2017-5667", "CVE-2017-5856", "CVE-2017-5857", "CVE-2017-5898", "CVE-2017-5973", "CVE-2017-5987", "CVE-2017-6505");
      script_xref(name:"USN", value:"3261-1");
      script_xref(name:"IAVB", value:"2017-B-0024");
    
      script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS / 16.10 : qemu vulnerabilities (USN-3261-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU
    device. An attacker inside the guest could use this issue to cause
    QEMU to crash, resulting in a denial of service. This issue only
    affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-10028,
    CVE-2016-10029)
    
    Li Qiang discovered that QEMU incorrectly handled the 6300esb
    watchdog. A privileged attacker inside the guest could use this issue
    to cause QEMU to crash, resulting in a denial of service.
    (CVE-2016-10155)
    
    Li Qiang discovered that QEMU incorrectly handled the i.MX Fast
    Ethernet Controller. A privileged attacker inside the guest could use
    this issue to cause QEMU to crash, resulting in a denial of service.
    This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10.
    (CVE-2016-7907)
    
    It was discovered that QEMU incorrectly handled the JAZZ RC4030
    device. A privileged attacker inside the guest could use this issue to
    cause QEMU to crash, resulting in a denial of service. (CVE-2016-8667)
    
    It was discovered that QEMU incorrectly handled the 16550A UART
    device. A privileged attacker inside the guest could use this issue to
    cause QEMU to crash, resulting in a denial of service. (CVE-2016-8669)
    
    It was discovered that QEMU incorrectly handled the shared rings when
    used with Xen. A privileged attacker inside the guest could use this
    issue to cause QEMU to crash, resulting in a denial of service, or
    possibly execute arbitrary code on the host. (CVE-2016-9381)
    
    Jann Horn discovered that QEMU incorrectly handled VirtFS directory
    sharing. A privileged attacker inside the guest could use this issue
    to access files on the host file system outside of the shared
    directory and possibly escalate their privileges. In the default
    installation, when QEMU is used with libvirt, attackers would be
    isolated by the libvirt AppArmor profile. (CVE-2016-9602)
    
    Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA
    device when being used with a VNC connection. A privileged attacker
    inside the guest could use this issue to cause QEMU to crash,
    resulting in a denial of service, or possibly execute arbitrary code
    on the host. In the default installation, when QEMU is used with
    libvirt, attackers would be isolated by the libvirt AppArmor profile.
    (CVE-2016-9603)
    
    It was discovered that QEMU incorrectly handled the ColdFire Fast
    Ethernet Controller. A privileged attacker inside the guest could use
    this issue to cause QEMU to crash, resulting in a denial of service.
    (CVE-2016-9776)
    
    Li Qiang discovered that QEMU incorrectly handled the Virtio GPU
    device. An attacker inside the guest could use this issue to cause
    QEMU to leak contents of host memory. This issue only affected Ubuntu
    16.04 LTS and Ubuntu 16.10. (CVE-2016-9845, CVE-2016-9908)
    
    Li Qiang discovered that QEMU incorrectly handled the Virtio GPU
    device. An attacker inside the guest could use this issue to cause
    QEMU to crash, resulting in a denial of service. This issue only
    affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9846,
    CVE-2016-9912, CVE-2017-5552, CVE-2017-5578, CVE-2017-5857)
    
    Li Qiang discovered that QEMU incorrectly handled the USB redirector.
    An attacker inside the guest could use this issue to cause QEMU to
    crash, resulting in a denial of service. This issue only affected
    Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9907)
    
    Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation.
    An attacker inside the guest could use this issue to cause QEMU to
    crash, resulting in a denial of service. (CVE-2016-9911)
    
    Li Qiang discovered that QEMU incorrectly handled VirtFS directory
    sharing. A privileged attacker inside the guest could use this issue
    to cause QEMU to crash, resulting in a denial of service.
    (CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916)
    
    Qinghao Tang, Li Qiang, and Jiangxin discovered that QEMU incorrectly
    handled the Cirrus VGA device. A privileged attacker inside the guest
    could use this issue to cause QEMU to crash, resulting in a denial of
    service. (CVE-2016-9921, CVE-2016-9922)
    
    Wjjzhang and Li Qiang discovered that QEMU incorrectly handled the
    Cirrus VGA device. A privileged attacker inside the guest could use
    this issue to cause QEMU to crash, resulting in a denial of service,
    or possibly execute arbitrary code on the host. In the default
    installation, when QEMU is used with libvirt, attackers would be
    isolated by the libvirt AppArmor profile. (CVE-2017-2615)
    
    It was discovered that QEMU incorrectly handled the Cirrus VGA device.
    A privileged attacker inside the guest could use this issue to cause
    QEMU to crash, resulting in a denial of service, or possibly execute
    arbitrary code on the host. In the default installation, when QEMU is
    used with libvirt, attackers would be isolated by the libvirt AppArmor
    profile. (CVE-2017-2620)
    
    It was discovered that QEMU incorrectly handled VNC connections. An
    attacker inside the guest could use this issue to cause QEMU to crash,
    resulting in a denial of service. (CVE-2017-2633)
    
    Li Qiang discovered that QEMU incorrectly handled the ac97 audio
    device. A privileged attacker inside the guest could use this issue to
    cause QEMU to crash, resulting in a denial of service. (CVE-2017-5525)
    
    Li Qiang discovered that QEMU incorrectly handled the es1370 audio
    device. A privileged attacker inside the guest could use this issue to
    cause QEMU to crash, resulting in a denial of service. (CVE-2017-5526)
    
    Li Qiang discovered that QEMU incorrectly handled the 16550A UART
    device. A privileged attacker inside the guest could use this issue to
    cause QEMU to crash, resulting in a denial of service. (CVE-2017-5579)
    
    Jiang Xin discovered that QEMU incorrectly handled SDHCI device
    emulation. A privileged attacker inside the guest could use this issue
    to cause QEMU to crash, resulting in a denial of service, or possibly
    execute arbitrary code on the host. In the default installation, when
    QEMU is used with libvirt, attackers would be isolated by the libvirt
    AppArmor profile. (CVE-2017-5667)
    
    Li Qiang discovered that QEMU incorrectly handled the MegaRAID SAS
    device. A privileged attacker inside the guest could use this issue to
    cause QEMU to crash, resulting in a denial of service. (CVE-2017-5856)
    
    Li Qiang discovered that QEMU incorrectly handled the CCID Card
    device. A privileged attacker inside the guest could use this issue to
    cause QEMU to crash, resulting in a denial of service. (CVE-2017-5898)
    
    Li Qiang discovered that QEMU incorrectly handled USB xHCI controller
    emulation. A privileged attacker inside the guest could use this issue
    to cause QEMU to crash, resulting in a denial of service.
    (CVE-2017-5973)
    
    Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI
    device emulation. A privileged attacker inside the guest could use
    this issue to cause QEMU to crash, resulting in a denial of service.
    (CVE-2017-5987)
    
    Li Qiang discovered that QEMU incorrectly handled USB OHCI controller
    emulation. A privileged attacker inside the guest could use this issue
    to cause QEMU to hang, resulting in a denial of service.
    (CVE-2017-6505).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/3261-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.10");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! preg(pattern:"^(14\.04|16\.04|16\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 16.04 / 16.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system", pkgver:"2.0.0+dfsg-2ubuntu1.33")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-aarch64", pkgver:"2.0.0+dfsg-2ubuntu1.33")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-arm", pkgver:"2.0.0+dfsg-2ubuntu1.33")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-mips", pkgver:"2.0.0+dfsg-2ubuntu1.33")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-misc", pkgver:"2.0.0+dfsg-2ubuntu1.33")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-ppc", pkgver:"2.0.0+dfsg-2ubuntu1.33")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-sparc", pkgver:"2.0.0+dfsg-2ubuntu1.33")) flag++;
    if (ubuntu_check(osver:"14.04", pkgname:"qemu-system-x86", pkgver:"2.0.0+dfsg-2ubuntu1.33")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system", pkgver:"1:2.5+dfsg-5ubuntu10.11")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-aarch64", pkgver:"1:2.5+dfsg-5ubuntu10.11")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-arm", pkgver:"1:2.5+dfsg-5ubuntu10.11")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-mips", pkgver:"1:2.5+dfsg-5ubuntu10.11")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-misc", pkgver:"1:2.5+dfsg-5ubuntu10.11")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-ppc", pkgver:"1:2.5+dfsg-5ubuntu10.11")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-s390x", pkgver:"1:2.5+dfsg-5ubuntu10.11")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-sparc", pkgver:"1:2.5+dfsg-5ubuntu10.11")) flag++;
    if (ubuntu_check(osver:"16.04", pkgname:"qemu-system-x86", pkgver:"1:2.5+dfsg-5ubuntu10.11")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"qemu-system", pkgver:"1:2.6.1+dfsg-0ubuntu5.4")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"qemu-system-aarch64", pkgver:"1:2.6.1+dfsg-0ubuntu5.4")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"qemu-system-arm", pkgver:"1:2.6.1+dfsg-0ubuntu5.4")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"qemu-system-mips", pkgver:"1:2.6.1+dfsg-0ubuntu5.4")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"qemu-system-misc", pkgver:"1:2.6.1+dfsg-0ubuntu5.4")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"qemu-system-ppc", pkgver:"1:2.6.1+dfsg-0ubuntu5.4")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"qemu-system-s390x", pkgver:"1:2.6.1+dfsg-0ubuntu5.4")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"qemu-system-sparc", pkgver:"1:2.6.1+dfsg-0ubuntu5.4")) flag++;
    if (ubuntu_check(osver:"16.10", pkgname:"qemu-system-x86", pkgver:"1:2.6.1+dfsg-0ubuntu5.4")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-system / qemu-system-aarch64 / qemu-system-arm / etc");
    }