Vulnerabilities > CVE-2017-7980 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

nessus

NVD

Published: 2017-07-25

Updated: 2021-08-04

Summary

Heap-based buffer overflow in Cirrus CLGD 54xx VGA Emulator in Quick Emulator (Qemu) 2.8 and earlier allows local guest OS users to execute arbitrary code or cause a denial of service (crash) via vectors related to a VNC client updating its display after a VGA operation.

Vulnerable Configurations

Part	Description	Count
Application	Qemu Qemu Qemu - Qemu Qemu 0.1 Qemu Qemu 0.1.0 Qemu Qemu 0.1.1 Qemu Qemu 0.1.2 Qemu Qemu 0.1.3 Qemu Qemu 0.1.4 Qemu Qemu 0.1.5 Qemu Qemu 0.1.6 Qemu Qemu 0.2 Qemu Qemu 0.2.0 Qemu Qemu 0.3 Qemu Qemu 0.3.0 Qemu Qemu 0.4 Qemu Qemu 0.4.0 Qemu Qemu 0.4.1 Qemu Qemu 0.4.2 Qemu Qemu 0.4.3 Qemu Qemu 0.4.4 Qemu Qemu 0.5.0 Qemu Qemu 0.5.1 Qemu Qemu 0.5.2 Qemu Qemu 0.5.3 Qemu Qemu 0.5.4 Qemu Qemu 0.5.5 Qemu Qemu 0.6.0 Qemu Qemu 0.6.1 Qemu Qemu 0.7.0 Qemu Qemu 0.7.1 Qemu Qemu 0.7.2 Qemu Qemu 0.8.0 Qemu Qemu 0.8.1 Qemu Qemu 0.8.2 Qemu Qemu 0.9.0 Qemu Qemu 0.9.1 Qemu Qemu 0.9.1-5 Qemu Qemu 0.10.0 Qemu Qemu 0.10.1 Qemu Qemu 0.10.2 Qemu Qemu 0.10.3 Qemu Qemu 0.10.4 Qemu Qemu 0.10.5 Qemu Qemu 0.10.6 Qemu Qemu 0.11.0 Qemu Qemu 0.11.0-Rc0 Qemu Qemu 0.11.0-Rc1 Qemu Qemu 0.11.0-Rc2 Qemu Qemu 0.11.1 Qemu Qemu 0.12.0 Qemu Qemu 0.12.1 Qemu Qemu 0.12.2 Qemu Qemu 0.12.3 Qemu Qemu 0.12.4 Qemu Qemu 0.12.5 Qemu Qemu 0.13.0 Qemu Qemu 0.14.0 Qemu Qemu 0.14.1 Qemu Qemu 0.15.0 Qemu Qemu 0.15.1 Qemu Qemu 0.15.2 Qemu Qemu 1.0 Qemu Qemu 1.0.1 Qemu Qemu 1.1 Qemu Qemu 1.1.0 Qemu Qemu 1.1.1 Qemu Qemu 1.1.2 Qemu Qemu 1.1.2\+Dfsg Qemu Qemu 1.2.0 Qemu Qemu 1.2.1 Qemu Qemu 1.2.2 Qemu Qemu 1.3.0 Qemu Qemu 1.3.1 Qemu Qemu 1.4.0 Qemu Qemu 1.4.1 Qemu Qemu 1.4.2 Qemu Qemu 1.5.0 Qemu Qemu 1.5.1 Qemu Qemu 1.5.2 Qemu Qemu 1.5.3 Qemu Qemu 1.6.0 Qemu Qemu 1.6.1 Qemu Qemu 1.6.2 Qemu Qemu 1.7.0 Qemu Qemu 1.7.1 Qemu Qemu 1.7.2 Qemu Qemu 1\ Qemu Qemu 2.0.0 Qemu Qemu 2.0.1 Qemu Qemu 2.0.2 Qemu Qemu 2.1\+Dfsg Qemu Qemu 2.1.0 Qemu Qemu 2.1.1 Qemu Qemu 2.1.2 Qemu Qemu 2.1.3 Qemu Qemu 2.2.0 Qemu Qemu 2.2.1 Qemu Qemu 2.3.0 Qemu Qemu 2.3.1 Qemu Qemu 2.4.0 Qemu Qemu 2.4.0.1 Qemu Qemu 2.4.1 Qemu Qemu 2.5.0 Qemu Qemu 2.5.1 Qemu Qemu 2.5.1.1 Qemu Qemu 2.6.0 Qemu Qemu 2.6.1 Qemu Qemu 2.6.2 Qemu Qemu 2.7.0 Qemu Qemu 2.7.1	227
Application	Redhat Redhat Openstack 7.0 Redhat Openstack 6.0 Redhat Openstack 10 Redhat Openstack 9 Redhat Openstack 8 Redhat Openstack 5.0 Redhat Virtualization 3.0	7
OS	Canonical Canonical Ubuntu Linux 16.10 Canonical Ubuntu Linux 16.04 Canonical Ubuntu Linux 14.04 Canonical Ubuntu Linux 17.04	4
OS	Debian Debian Debian Linux 8.0	1
OS	Redhat Redhat Enterprise Linux 7.0 Redhat Enterprise Linux 6.0 Redhat Enterprise Linux Desktop 7.0 Redhat Enterprise Linux Desktop 6.0 Redhat Enterprise Linux Workstation 7.0 Redhat Enterprise Linux Workstation 6.0 Redhat Enterprise Linux Server 7.0 Redhat Enterprise Linux Server 6.0 Redhat Enterprise Linux Server TUS 7.3 Redhat Enterprise Linux Server TUS 7.6 Redhat Enterprise Linux Server AUS 7.3 Redhat Enterprise Linux Server AUS 7.4 Redhat Enterprise Linux Server AUS 7.6 Redhat Enterprise Linux Server EUS 7.3 Redhat Enterprise Linux Server EUS 7.4 Redhat Enterprise Linux Server EUS 7.5 Redhat Enterprise Linux Server EUS 7.6	17

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2018-0238.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : - qemu-kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018 -3639.patch - qemu-kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-i t-CVE.patch - qemu-kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit -CVE-.patch - Resolves: bz#1574074 (CVE-2018-3639 qemu-kvm: hw: cpu: speculative store bypass [rhel-6.10.z]) - kvm-vga-add-share_surface-flag.patch [bz#1553674] - kvm-vga-add-sanity-checks.patch [bz#1553674] - Resolves: bz#1553674 (CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-6]) - kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch [bz#1525939 bz#1528024] - kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran .patch - kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran .patch - kvm-cirrus-fix-oob-access-in-mode4and5-write-functions.p atch [bz#1501298] - kvm-vga-stop-passing-pointers-to-vga_draw_line-functions .patch - kvm-vga-check-the-validation-of-memory-addr-when-draw-te .patch - Resolves: bz#1486641 (CVE-2017-13672 qemu-kvm-rhev: Qemu: vga: OOB read access during display update [rhel-6.10]) - Resolves: bz#1501298 (CVE-2017-15289 qemu-kvm: Qemu: cirrus: OOB access issue in mode4and5 write functions [rhel-6.10]) - Resolves: bz#1525939 (CVE-2017-5715 qemu-kvm: hw: cpu: speculative execution branch target injection [rhel-6.10]) - Resolves: bz#1528024 (CVE-2017-5715 qemu-kvm-rhev: hw: cpu: speculative execution branch target injection [rhel-6.10]) - Resolves: bz#1534692 (CVE-2018-5683 qemu-kvm: Qemu: Out-of-bounds read in vga_draw_text routine [rhel-6.10]) - Resolves: bz#1549152 (qemu-kvm-rhev: remove unused patch file [rhel-6.10]) - kvm-vns-tls-don-t-use-depricated-gnutls-functions.patch [bz#1428750] - kvm-vnc-apply-display-size-limits.patch [bz#1430616 bz#1430617] - kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f .patch - kvm-cirrus-vnc-zap-bitblit-support-from-console-code.pat ch [bz#1443448 bz#1443450 bz#1447542 bz#1447545] - kvm-cirrus-avoid-write-only-variables.patch [bz#1444378 bz#1444380] - kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt .patch - kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt .patch - kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran .patch - kvm-cirrus-fix-PUTPIXEL-macro.patch [bz#1444378 bz#1444380] - Resolves: bz#1428750 (Fails to build in brew) - Resolves: bz#1430616 (CVE-2017-2633 qemu-kvm: Qemu: VNC: memory corruption due to unchecked resolution limit [rhel-6.10]) - Resolves: bz#1430617 (CVE-2017-2633 qemu-kvm-rhev: Qemu: VNC: memory corruption due to unchecked resolution limit [rhel-6.10]) - Resolves: bz#1443448 (CVE-2017-7718 qemu-kvm: Qemu: display: cirrus: OOB read access issue [rhel-6.10]) - Resolves: bz#1443450 (CVE-2017-7718 qemu-kvm-rhev: Qemu: display: cirrus: OOB read access issue [rhel-6.10]) - Resolves: bz#1444378 (CVE-2017-7980 qemu-kvm: Qemu: display: cirrus: OOB r/w access issues in bitblt routines [rhel-6.10]) - Resolves: bz#1444380 (CVE-2017-7980 qemu-kvm-rhev: Qemu: display: cirrus: OOB r/w access issues in bitblt routines [rhel-6.10]) - Resolves: bz#1447542 (CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-6.10]) - Resolves: bz#1447545 (CVE-2016-9603 qemu-kvm-rhev: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-6.10])
last seen	2020-06-01
modified	2020-06-02
plugin id	111023
published	2018-07-12
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/111023
title	OracleVM 3.4 : qemu-kvm (OVMSA-2018-0238) (Spectre)
code	# # (C) Tenable Network Security, Inc. # # The package checks in this plugin were extracted from OracleVM # Security Advisory OVMSA-2018-0238. # include("compat.inc"); if (description) { script_id(111023); script_version("1.8"); script_cvs_date("Date: 2019/09/27 13:00:35"); script_cve_id("CVE-2016-9603", "CVE-2017-13672", "CVE-2017-15289", "CVE-2017-2633", "CVE-2017-5715", "CVE-2017-7718", "CVE-2017-7980", "CVE-2018-3639", "CVE-2018-5683", "CVE-2018-7858"); script_name(english:"OracleVM 3.4 : qemu-kvm (OVMSA-2018-0238) (Spectre)"); script_summary(english:"Checks the RPM output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote OracleVM host is missing a security update." ); script_set_attribute( attribute:"description", value: "The remote OracleVM system is missing necessary patches to address critical security updates : - qemu-kvm-i386-define-the-ssbd-CPUID-feature-bit-CVE-2018 -3639.patch - qemu-kvm-i386-Define-the-Virt-SSBD-MSR-and-handling-of-i t-CVE.patch - qemu-kvm-i386-define-the-AMD-virt-ssbd-CPUID-feature-bit -CVE-.patch - Resolves: bz#1574074 (CVE-2018-3639 qemu-kvm: hw: cpu: speculative store bypass [rhel-6.10.z]) - kvm-vga-add-share_surface-flag.patch [bz#1553674] - kvm-vga-add-sanity-checks.patch [bz#1553674] - Resolves: bz#1553674 (CVE-2018-7858 qemu-kvm: Qemu: cirrus: OOB access when updating vga display [rhel-6]) - kvm-target-i386-add-support-for-SPEC_CTRL-MSR.patch [bz#1525939 bz#1528024] - kvm-target-i386-cpu-add-new-CPUID-bits-for-indirect-bran .patch - kvm-target-i386-cpu-add-new-CPU-models-for-indirect-bran .patch - kvm-cirrus-fix-oob-access-in-mode4and5-write-functions.p atch [bz#1501298] - kvm-vga-stop-passing-pointers-to-vga_draw_line-functions .patch - kvm-vga-check-the-validation-of-memory-addr-when-draw-te .patch - Resolves: bz#1486641 (CVE-2017-13672 qemu-kvm-rhev: Qemu: vga: OOB read access during display update [rhel-6.10]) - Resolves: bz#1501298 (CVE-2017-15289 qemu-kvm: Qemu: cirrus: OOB access issue in mode4and5 write functions [rhel-6.10]) - Resolves: bz#1525939 (CVE-2017-5715 qemu-kvm: hw: cpu: speculative execution branch target injection [rhel-6.10]) - Resolves: bz#1528024 (CVE-2017-5715 qemu-kvm-rhev: hw: cpu: speculative execution branch target injection [rhel-6.10]) - Resolves: bz#1534692 (CVE-2018-5683 qemu-kvm: Qemu: Out-of-bounds read in vga_draw_text routine [rhel-6.10]) - Resolves: bz#1549152 (qemu-kvm-rhev: remove unused patch file [rhel-6.10]) - kvm-vns-tls-don-t-use-depricated-gnutls-functions.patch [bz#1428750] - kvm-vnc-apply-display-size-limits.patch [bz#1430616 bz#1430617] - kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f .patch - kvm-cirrus-vnc-zap-bitblit-support-from-console-code.pat ch [bz#1443448 bz#1443450 bz#1447542 bz#1447545] - kvm-cirrus-avoid-write-only-variables.patch [bz#1444378 bz#1444380] - kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt .patch - kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt .patch - kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran .patch - kvm-cirrus-fix-PUTPIXEL-macro.patch [bz#1444378 bz#1444380] - Resolves: bz#1428750 (Fails to build in brew) - Resolves: bz#1430616 (CVE-2017-2633 qemu-kvm: Qemu: VNC: memory corruption due to unchecked resolution limit [rhel-6.10]) - Resolves: bz#1430617 (CVE-2017-2633 qemu-kvm-rhev: Qemu: VNC: memory corruption due to unchecked resolution limit [rhel-6.10]) - Resolves: bz#1443448 (CVE-2017-7718 qemu-kvm: Qemu: display: cirrus: OOB read access issue [rhel-6.10]) - Resolves: bz#1443450 (CVE-2017-7718 qemu-kvm-rhev: Qemu: display: cirrus: OOB read access issue [rhel-6.10]) - Resolves: bz#1444378 (CVE-2017-7980 qemu-kvm: Qemu: display: cirrus: OOB r/w access issues in bitblt routines [rhel-6.10]) - Resolves: bz#1444380 (CVE-2017-7980 qemu-kvm-rhev: Qemu: display: cirrus: OOB r/w access issues in bitblt routines [rhel-6.10]) - Resolves: bz#1447542 (CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-6.10]) - Resolves: bz#1447545 (CVE-2016-9603 qemu-kvm-rhev: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-6.10])" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/oraclevm-errata/2018-July/000873.html" ); script_set_attribute( attribute:"solution", value:"Update the affected qemu-img package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:qemu-img"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/20"); script_set_attribute(attribute:"patch_publication_date", value:"2018/07/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/12"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"OracleVM Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/OracleVM/release"); if (isnull(release) \|\| "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM"); if (! preg(pattern:"^OVS" + "3\.4" + "(\.[0-9]\|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.4", "OracleVM " + release); if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"OVS3.4", reference:"qemu-img-0.12.1.2-2.506.el6_10.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-img"); }

NASL family	Misc.
NASL id	CITRIX_XENSERVER_CTX230138.NASL
description	The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities as noted in the CTX230138 advisory.
last seen	2020-05-03
modified	2017-12-07
plugin id	105083
published	2017-12-07
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/105083
title	Citrix XenServer Multiple Vulnerabilities (CTX230138)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(105083); script_version("1.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/30"); script_cve_id( "CVE-2017-7980", "CVE-2017-15592", "CVE-2017-17044", "CVE-2017-17045" ); script_bugtraq_id( 97955, 101513, 102008, 102013 ); script_name(english:"Citrix XenServer Multiple Vulnerabilities (CTX230138)"); script_summary(english:"Checks for patches."); script_set_attribute(attribute:"synopsis", value: "A server virtualization platform installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Citrix XenServer installed on the remote host is missing a security hotfix. It is, therefore, affected by multiple vulnerabilities as noted in the CTX230138 advisory."); script_set_attribute(attribute:"see_also", value:"https://support.citrix.com/article/CTX230138"); script_set_attribute(attribute:"solution", value: "Apply the appropriate hotfix according to the vendor advisory."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-17045"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/16"); script_set_attribute(attribute:"patch_publication_date", value:"2017/12/01"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/12/07"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:citrix:xenserver"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("citrix_xenserver_version.nbin"); script_require_keys("Host/XenServer/version", "Host/local_checks_enabled"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); app_name = "Citrix XenServer"; version = get_kb_item_or_exit("Host/XenServer/version"); get_kb_item_or_exit("Host/local_checks_enabled"); patches = get_kb_item("Host/XenServer/patches"); vuln = FALSE; fix = ''; if (version =~ "^7\.2($\|[^0-9])") { if ("XS72E010" >!< patches) # CTX229541 { fix = "XS72E010"; vuln = TRUE; } if ("XS72E012" >!< patches) # CTX230161 { if (empty_or_null(fix)) fix = "XS72E012"; else fix += " and XS72E012"; vuln = TRUE; } } else if (version =~ "^7\.1($\|[^0-9])") { # LTSR CU1 CTX229540 & CTX230160, LTSR CTX229545 & CTX230159 # No patch applied if ("XS71ECU" >!< patches && "XS71E018" >!< patches && "XS71E019" >!< patches) { fix = "XS71ECU1006 and XS71ECU1008, or XS71E018 and XS71E019"; vuln = TRUE; } # LTSR CU1 patch applied else if ("XS71ECU" >!< patches && ("XS71ECU1006" >< patches \|\| "XS71ECU1008" >< patches)) { if ("XS71ECU1006" >!< patches) # CTX229540 { fix = "XS71ECU1006"; vuln = TRUE; } else if ("XS71ECU1008" >!< patches) # CTX230160 { fix = "XS71ECU1008"; vuln = TRUE; } } # LTSR patch applied else if ("XS71E018" >< patches \|\| "XS71E019" >< patches) { if ("XS71E018" >!< patches) # CTX229545 { fix = "XS71E018"; vuln = TRUE; } else if ("XS71E019" >!< patches) # CTX230159 { fix = "XS71E019"; vuln = TRUE; } } } else if (version =~ "^7\.0($\|[^0-9])") { if ("XS70E048" >!< patches) # CTX229539 { fix = "XS70E048"; vuln = TRUE; } if ("XS70E049" >!< patches) # CTX229544 { if (empty_or_null(fix)) fix = "XS70E049"; else fix += " and XS70E049"; vuln = TRUE; } } else if (version =~ "^6\.5($\|[^0-9])") { fix = "XS65ESP1064"; # CTX229543 if (fix >!< patches) vuln = TRUE; } else if (version =~ "^6\.2($\|[^0-9])") { fix = "XS62ESP1066"; # CTX229096 if (fix >!< patches) vuln = TRUE; } else if (version =~ "^6\.0\.2($\|[^0-9])") { fix = "XS602ECC050"; # CTX229095 if (fix >!< patches) vuln = TRUE; } if (vuln) { port = 0; report = report_items_str( report_items:make_array( "Installed version", version, "Missing hotfix", fix ), ordered_fields:make_list("Installed version", "Missing hotfix") ); security_report_v4(port:port, severity:SECURITY_HOLE, extra:report); } else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2017-1430.NASL
description	An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * An out-of-bounds r/w access issue was found in QEMU
last seen	2020-06-01
modified	2020-06-02
plugin id	100777
published	2017-06-14
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100777
title	RHEL 7 : qemu-kvm (RHSA-2017:1430)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20170509_QEMU_KVM_ON_SL6_X.NASL
description	Security Fix(es) : - A heap buffer overflow flaw was found in QEMU
last seen	2020-03-18
modified	2017-05-10
plugin id	100097
published	2017-05-10
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100097
title	Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64 (20170509)

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2017-0101.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : - kvm-cirrus-avoid-write-only-variables.patch [bz#1444377 bz#1444379] - kvm-cirrus-stop-passing-around-dst-pointers-in-the-blitt .patch - kvm-cirrus-stop-passing-around-src-pointers-in-the-blitt .patch - kvm-cirrus-fix-off-by-one-in-cirrus_bitblt_rop_bkwd_tran .patch - kvm-cirrus-fix-PUTPIXEL-macro.patch [bz#1444377 bz#1444379] - Resolves: bz#1444377 (CVE-2017-7980 qemu-kvm: Qemu: display: cirrus: OOB r/w access issues in bitblt routines [rhel-6.9.z]) - Resolves: bz#1444379 (CVE-2017-7980 qemu-kvm-rhev: Qemu: display: cirrus: OOB r/w access issues in bitblt routines [rhel-6.9.z]) - kvm-fix-cirrus_vga-fix-OOB-read-case-qemu-Segmentation-f .patch - kvm-cirrus-vnc-zap-bitblit-support-from-console-code.pat ch [bz#1443447 bz#1443449] - Resolves: bz#1443447 (CVE-2017-7718 qemu-kvm: Qemu: display: cirrus: OOB read access issue [rhel-6.9.z]) - Resolves: bz#1443449 (CVE-2017-7718 qemu-kvm-rhev: Qemu: display: cirrus: OOB read access issue [rhel-6.9.z]) - Resolves: bz#1447544 (CVE-2016-9603 qemu-kvm-rhev: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-6.9.z]) - Resolves: bz#1447540 (CVE-2016-9603 qemu-kvm: Qemu: cirrus: heap buffer overflow via vnc connection [rhel-6.9.z]) - kvm-vns-tls-don-t-use-depricated-gnutls-functions.patch [bz#1428750] - kvm-vnc-apply-display-size-limits.patch [bz#1400438 bz#1425943] - Resolves: bz#1400438 (qemu-kvm coredump in vnc_refresh_server_surface [rhel-6.9.z]) - Resolves: bz#1425943 (CVE-2017-2633 qemu-kvm-rhev: Qemu: VNC: memory corruption due to unchecked resolution limit [rhel-6.9.z]) - Resolves: bz#1428750 (Fails to build in brew)
last seen	2020-06-01
modified	2020-06-02
plugin id	100115
published	2017-05-11
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100115
title	OracleVM 3.4 : qemu-kvm (OVMSA-2017-0101)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2017-2969-1.NASL
description	This update for qemu fixes several issues. These security issues were fixed : - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-2633: The VNC display driver support was vulnerable to an out-of-bounds memory access issue. A user/process inside guest could use this flaw to cause DoS (bsc#1026612) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311) - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211) - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800) - CVE-2017-9373: The IDE AHCI Emulation support was vulnerable to a host memory leakage issue, which allowed a privileged user inside guest to leak host memory resulting in DoS (bsc#1042801) - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042159) - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037242) - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File System(9pfs) support, was vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could have used this flaw to escalate their privileges inside guest (bsc#1039495) - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper link following issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1020427) - CVE-2017-5579: The 16550A UART serial device emulation support was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1021741) - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a NULL pointer dereference issue which allowed a privileged user inside guest to crash the Qemu process on the host resulting in DoS (bsc#1043296) - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046636) - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages (bsc#1047674) - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper link following issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1020427) - CVE-2017-7377: The v9fs_create and v9fs_lcreate functions in hw/9pfs/9p.c allowed local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid (bsc#1032075) - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable (bsc#1035950) - CVE-2017-7471: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper access control issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1034866) - CVE-2016-6834: A infinite loop during packet fragmentation in the VMWARE VMXNET3 NIC device support allowed privileged user inside guest to crash the Qemu instance resulting in DoS (bsc#994418) - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC device support, causing an OOB read access (bsc#994605) - Fix privilege escalation in TCG mode (bsc#1030624) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	104495
published	2017-11-10
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/104495
title	SUSE SLES12 Security Update : qemu (SUSE-SU-2017:2969-1)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2017-1118.NASL
description	According to the versions of the qemu-kvm package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An out-of-bounds access issue was found in QEMU
last seen	2020-05-06
modified	2017-07-21
plugin id	101850
published	2017-07-21
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101850
title	EulerOS 2.0 SP1 : qemu-kvm (EulerOS-SA-2017-1118)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1497.NASL
description	Several vulnerabilities were found in qemu, a fast processor emulator : CVE-2015-8666 Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator CVE-2016-2198 NULL pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service CVE-2016-6833 Use after free while writing in the vmxnet3 device that could be used to cause a denial of service CVE-2016-6835 Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service CVE-2016-8576 Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support CVE-2016-8667 / CVE-2016-8669 Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service CVE-2016-9602 Improper link following with VirtFS CVE-2016-9603 Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support CVE-2016-9776 Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator CVE-2016-9907 Memory leakage in the USB redirector usb-guest support CVE-2016-9911 Memory leakage in ehci_init_transfer in the USB EHCI support CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916 Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver CVE-2016-9921 / CVE-2016-9922 Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support CVE-2016-10155 Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations. CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718 Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service CVE-2017-5525 / CVE-2017-5526 Memory leakage issues in the ac97 and es1370 device emulation CVE-2017-5579 Most memory leakage in the 16550A UART emulation CVE-2017-5667 Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support. CVE-2017-5715 Mitigations against the Spectre v2 vulnerability. For more information please refer to https://www.qemu.org/2018/01/04/spectre/ CVE-2017-5856 Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505 Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list CVE-2017-7377 9pfs: host memory leakage via v9fs_create CVE-2017-7493 Improper access control issues in the host directory sharing via 9pfs support. CVE-2017-7980 Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service CVE-2017-8086 9pfs: host memory leakage via v9pfs_list_xattr CVE-2017-8112 Infinite loop in the VMWare PVSCSI emulation CVE-2017-8309 / CVE-2017-8379 Host memory leakage issues via the audio capture buffer and the keyboard input event handlers CVE-2017-9330 Infinite loop due to incorrect return value in USB OHCI that may result in denial of service CVE-2017-9373 / CVE-2017-9374 Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service CVE-2017-9503 NULL pointer dereference while processing megasas command CVE-2017-10806 Stack buffer overflow in USB redirector CVE-2017-10911 Xen disk may leak stack data via response ring CVE-2017-11434 Out-of-bounds read while parsing Slirp/DHCP options CVE-2017-14167 Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code CVE-2017-15038 9pfs: information disclosure when reading extended attributes CVE-2017-15289 Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service CVE-2017-16845 Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration CVE-2017-18043 Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service CVE-2018-7550 Incorrect handling of memory during multiboot that could may result in execution of arbitrary code For Debian 8
last seen	2020-06-01
modified	2020-06-02
plugin id	117351
published	2018-09-07
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/117351
title	Debian DLA-1497-1 : qemu security update (Spectre)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-939.NASL
description	Multiple vulnerabilities have been discovered in qemu-kvm, a full virtualization solution on x86 hardware based on Quick Emulator(Qemu). The Common Vulnerabilities and Exposures project identifies the following problems : CVE-2016-9603 qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator and the VNC display driver support is vulnerable to a heap buffer overflow issue. It could occur when Vnc client attempts to update its display after a vga operation is performed by a guest. A privileged user/process inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially leverage it to execute arbitrary code on the host with privileges of the Qemu process. CVE-2017-7718 qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt functions cirrus_bitblt_rop_fwd_transp_ and/or cirrus_bitblt_rop_fwd_. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS. CVE-2017-7980 qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds r/w access issues. It could occur while copying VGA data via various bitblt functions. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on a host with privileges of Qemu process on the host. For Debian 7
last seen	2020-03-17
modified	2017-05-12
plugin id	100133
published	2017-05-12
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100133
title	Debian DLA-939-1 : qemu-kvm security update

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-3289-1.NASL
description	Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-7377, CVE-2017-8086) Jiangxin discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-7718) Li Qiang and Jiangxin discovered that QEMU incorrectly handled the Cirrus VGA device when being used with a VNC connection. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-7980) Jiang Xin discovered that QEMU incorrectly handled the audio subsystem. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-8309) Jiang Xin discovered that QEMU incorrectly handled the input subsystem. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-8379). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	100250
published	2017-05-17
reporter	Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100250
title	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : qemu vulnerabilities (USN-3289-1)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2017-1430.NASL
description	An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * An out-of-bounds r/w access issue was found in QEMU
last seen	2020-06-01
modified	2020-06-02
plugin id	100770
published	2017-06-14
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100770
title	CentOS 7 : qemu-kvm (CESA-2017:1430)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2017-1206.NASL
description	An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * A heap buffer overflow flaw was found in QEMU
last seen	2020-06-01
modified	2020-06-02
plugin id	100092
published	2017-05-10
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100092
title	RHEL 6 : qemu-kvm (RHSA-2017:1206)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2017-2946-1.NASL
description	This update for qemu fixes several issues. These security issues were fixed : - CVE-2017-10911: The make_response function in the Linux kernel allowed guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures (bsc#1057378). - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by flushing an empty CDROM device drive (bsc#1054724). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122) - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069) - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585) - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334) - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311) - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211) - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800) - CVE-2017-9374: Missing free of
last seen	2020-06-01
modified	2020-06-02
plugin id	104471
published	2017-11-09
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/104471
title	SUSE SLES12 Security Update : qemu (SUSE-SU-2017:2946-1)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201706-03.NASL
description	The remote host is affected by the vulnerability described in GLSA-201706-03 (QEMU: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact : A remote attacker might cause a Denial of Service or gain escalated privileges from a guest VM. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	100630
published	2017-06-06
reporter	This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100630
title	GLSA-201706-03 : QEMU: Multiple vulnerabilities

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2017-1145-1.NASL
description	This update for xen fixes several issues. These security issues were fixed : - A malicious 64-bit PV guest may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks by placing a IRET hypercall in the middle of a multicall batch (XSA-213, bsc#1034843) - A malicious pair of guests may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks because of a missing check when transfering pages via GNTTABOP_transfer (XSA-214, bsc#1034844). - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034994). - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028655) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	99960
published	2017-05-03
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/99960
title	SUSE SLES11 Security Update : xen (SUSE-SU-2017:1145-1)

NASL family	NewStart CGSL Local Security Checks
NASL id	NEWSTART_CGSL_NS-SA-2019-0108_QEMU-KVM.NASL
description	The remote NewStart CGSL host, running version MAIN 4.05, has qemu-kvm packages installed that are affected by multiple vulnerabilities: - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. The issue could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the QEMU process OR potentially execute arbitrary code on host with privileges of the QEMU process. (CVE-2017-2620) - Quick emulator (QEMU) built with the Cirrus CLGD 54xx VGA emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS or potentially execute arbitrary code on the host with privileges of QEMU process on the host. (CVE-2017-2615) - An out-of-bounds memory access issue was found in Quick Emulator (QEMU) in the VNC display driver. This flaw could occur while refreshing the VNC display surface area in the
last seen	2020-06-01
modified	2020-06-02
plugin id	127343
published	2019-08-12
reporter	This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/127343
title	NewStart CGSL MAIN 4.05 : qemu-kvm Multiple Vulnerabilities (NS-SA-2019-0108)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-1035.NASL
description	Several vulnerabilities were discovered in qemu, a fast processor emulator. The Common Vulnerabilities and Exposures project identifies the following problems : CVE-2016-9603 qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator and the VNC display driver support is vulnerable to a heap buffer overflow issue. It could occur when Vnc client attempts to update its display after a vga operation is performed by a guest. A privileged user/process inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially leverage it to execute arbitrary code on the host with privileges of the Qemu process. CVE-2017-7718 qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt functions cirrus_bitblt_rop_fwd_transp_ and/or cirrus_bitblt_rop_fwd_. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS. CVE-2017-7980 qemu-kvm built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds r/w access issues. It could occur while copying VGA data via various bitblt functions. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on a host with privileges of Qemu process on the host. CVE-2016-9602 Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper link following issue. It could occur while accessing symbolic link files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. CVE-2017-7377 Quick Emulator(Qemu) built with the virtio-9p back-end support is vulnerable to a memory leakage issue. It could occur while doing a I/O operation via v9fs_create/v9fs_lcreate routine. A privileged user/process inside guest could use this flaw to leak host memory resulting in Dos. CVE-2017-7471 Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host. CVE-2017-7493 Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest. CVE-2017-8086 Quick Emulator(Qemu) built with the virtio-9p back-end support is vulnerable to a memory leakage issue. It could occur while querying file system extended attributes via 9pfs_list_xattr() routine. A privileged user/process inside guest could use this flaw to leak host memory resulting in Dos. For Debian 7
last seen	2020-03-17
modified	2017-07-24
plugin id	101909
published	2017-07-24
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101909
title	Debian DLA-1035-1 : qemu security update

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2017-1430.NASL
description	From Red Hat Security Advisory 2017:1430 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * An out-of-bounds r/w access issue was found in QEMU
last seen	2020-06-01
modified	2020-06-02
plugin id	100776
published	2017-06-14
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100776
title	Oracle Linux 7 : qemu-kvm (ELSA-2017-1430)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2017-822.NASL
description	This update for qemu fixes several issues. These security issues were fixed : - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042159). - CVE-2017-8379: Memory leak in the keyboard input event handlers support allowed local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events (bsc#1037334). - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037242). - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File System(9pfs) support, was vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could have used this flaw to escalate their privileges inside guest (bsc#1039495). - CVE-2017-7377: The v9fs_create and v9fs_lcreate functions in hw/9pfs/9p.c allowed local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid (bsc#1032075). - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable (bsc#1035950). - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211). - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800). - CVE-2017-9374: Missing free of
last seen	2020-06-05
modified	2017-07-17
plugin id	101758
published	2017-07-17
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101758
title	openSUSE Security Update : qemu (openSUSE-2017-822)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2017-1148-1.NASL
description	This update for xen fixes several issues. These security issues were fixed : - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035483). - A malicious 64-bit PV guest may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks by placing a IRET hypercall in the middle of a multicall batch (XSA-213, bsc#1034843) - A malicious pair of guests may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks because of a missing check when transfering pages via GNTTABOP_transfer (XSA-214, bsc#1034844). - Incorrect checks when handling exceptions allowed a malicious or buggy 64-bit PV guest to modify part of a physical memory page not belonging to it, potentially allowing for all of privilege escalation, host or other guest crashes, and information leaks (XSA-215, bsc#1034845) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034994). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	99963
published	2017-05-03
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/99963
title	SUSE SLES12 Security Update : xen (SUSE-SU-2017:1148-1)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20170613_QEMU_KVM_ON_SL7_X.NASL
description	Security Fix(es) : - An out-of-bounds r/w access issue was found in QEMU
last seen	2020-03-18
modified	2017-06-14
plugin id	100779
published	2017-06-14
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100779
title	Scientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20170613)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2017-1206.NASL
description	From Red Hat Security Advisory 2017:1206 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * A heap buffer overflow flaw was found in QEMU
last seen	2020-06-01
modified	2020-06-02
plugin id	100088
published	2017-05-10
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100088
title	Oracle Linux 6 : qemu-kvm (ELSA-2017-1206)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2017-2963-1.NASL
description	This update for kvm fixes several issues. These security issues were fixed : - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper link following issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1020427) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote attackers to cause a denial of service (daemon crash) by disconnecting during a server-to-client reply attempt (bsc#1046636) - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users to cause a denial of service (QEMU process crash) via vectors related to logging debug messages (bsc#1047674). - CVE-2017-11334: The address_space_write_continue function allowed local guest OS privileged users to cause a denial of service (out-of-bounds access and guest instance crash) by leveraging use of qemu_map_ram_ptr to access guest ram block area (bsc#1048902). - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local guest OS users to cause a denial of service (out-of-bounds read) via a crafted DHCP options string (bsc#1049381) - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056334). - CVE-2017-14167: Integer overflow in the load_multiboot function allowed local guest OS users to execute arbitrary code on the host via crafted multiboot header address values, which trigger an out-of-bounds write (bsc#1057585). - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local guest OS users to obtain sensitive information from host heap memory via vectors related to reading extended attributes (bsc#1062069). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063122). - CVE-2017-5579: The 16550A UART serial device emulation support was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1021741) - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2017-7471: The VirtFS host directory sharing via Plan 9 File System(9pfs) support was vulnerable to an improper access control issue which allowed a privileged user inside guest to access host file system beyond the shared folder and potentially escalating their privileges on a host (bsc#1034866) - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File System(9pfs) support, was vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could have used this flaw to escalate their privileges inside guest (bsc#1039495) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable (bsc#1035950) - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037242) - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042159) - CVE-2017-9373: The IDE AHCI Emulation support was vulnerable to a host memory leakage issue, which allowed a privileged user inside guest to leak host memory resulting in DoS (bsc#1042801) - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800) - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a NULL pointer dereference issue which allowed a privileged user inside guest to crash the Qemu process on the host resulting in DoS (bsc#1043296) - Privilege escalation in TCG mode (bsc#1030624) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	104494
published	2017-11-10
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/104494
title	SUSE SLES11 Security Update : kvm (SUSE-SU-2017:2963-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2017-1774-1.NASL
description	This update for qemu fixes several issues. These security issues were fixed : - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042159). - CVE-2017-8379: Memory leak in the keyboard input event handlers support allowed local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events (bsc#1037334). - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037242). - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File System(9pfs) support, was vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could have used this flaw to escalate their privileges inside guest (bsc#1039495). - CVE-2017-7377: The v9fs_create and v9fs_lcreate functions in hw/9pfs/9p.c allowed local guest OS privileged users to cause a denial of service (file descriptor or memory consumption) via vectors related to an already in-use fid (bsc#1032075). - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a denial of service (memory consumption) via vectors involving the orig_value variable (bsc#1035950). - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025109) - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer (bsc#1025311). - CVE-2017-6505: The ohci_service_ed_list function in hw/usb/hcd-ohci.c allowed local guest OS users to cause a denial of service (infinite loop) via vectors involving the number of link endpoint list descriptors (bsc#1028184) - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028656) - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034908) - CVE-2017-7980: An out-of-bounds r/w access issues in the Cirrus CLGD 54xx VGA Emulator support allowed privileged user inside guest to use this flaw to crash the Qemu process resulting in DoS or potentially execute arbitrary code on a host with privileges of Qemu process on the host (bsc#1035406) - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036211). - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable to an infinite recursive call loop issue, which allowed a privileged user inside guest to crash the Qemu process resulting in DoS (bsc#1042800). - CVE-2017-9374: Missing free of
last seen	2020-06-01
modified	2020-06-02
plugin id	101227
published	2017-07-05
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101227
title	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:1774-1)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2017-1205.NASL
description	An update for qemu-kvm-rhev is now available for RHEV 3.X Hypervisor and Agents for RHEL-6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Security Fix(es) : * A heap buffer overflow flaw was found in QEMU
last seen	2020-06-01
modified	2020-06-02
plugin id	100142
published	2017-05-12
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100142
title	RHEL 6 : qemu-kvm-rhev (RHSA-2017:1205)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2017-3084-1.NASL
description	This update for kvm fixes several issues. These security issues were fixed : - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024972) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in
last seen	2020-06-01
modified	2020-06-02
plugin id	104780
published	2017-11-27
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/104780
title	SUSE SLES11 Security Update : kvm (SUSE-SU-2017:3084-1)

NASL family	Virtuozzo Local Security Checks
NASL id	VIRTUOZZO_VZLSA-2017-1206.NASL
description	An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * A heap buffer overflow flaw was found in QEMU
last seen	2020-06-01
modified	2020-06-02
plugin id	101463
published	2017-07-13
reporter	This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101463
title	Virtuozzo 6 : qemu-guest-agent / qemu-img / qemu-kvm / etc (VZLSA-2017-1206)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2017-F941184DB1.NASL
description	- CVE-2017-7718: cirrus: OOB read access issue (bz #1443443) - CVE-2016-9603: cirrus: heap buffer overflow via vnc connection (bz #1432040) - CVE-2017-7377: 9pfs: fix file descriptor leak (bz #1437872) - CVE-2017-7980: cirrus: OOB r/w access issues in bitblt (bz #1444372) - CVE-2017-8112: vmw_pvscsi: infinite loop in pvscsi_log2 (bz #1445622) - CVE-2017-8309: audio: host memory lekage via capture buffer (bz #1446520) - CVE-2017-8379: input: host memory lekage via keyboard events (bz #1446560) - CVE-2017-8380: scsi: megasas: out-of-bounds read in megasas_mmio_write (bz #1446578) - CVE-2017-9060: virtio-gpu: host memory leakage in Virtio GPU device (bz #1452598) - CVE-2017-9310: net: infinite loop in e1000e NIC emulation (bz #1452623) - CVE-2017-9330: usb: ohci: infinite loop due to incorrect return value (bz #1457699) - CVE-2017-9374: usb: ehci host memory leakage during hotunplug (bz #1459137) - CVE-2017-10806: usb-redirect: stack-based buffer overflow in debug logging (bz #1468497) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2017-07-27
plugin id	102008
published	2017-07-27
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/102008
title	Fedora 25 : 2:qemu (2017-f941184db1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2017-1147-1.NASL
description	This update for xen fixes several issues. These security issues were fixed : - A malicious 64-bit PV guest may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks by placing a IRET hypercall in the middle of a multicall batch (XSA-213, bsc#1034843) - A malicious pair of guests may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks because of a missing check when transfering pages via GNTTABOP_transfer (XSA-214, bsc#1034844). - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034994). - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028655) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	99962
published	2017-05-03
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/99962
title	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2017:1147-1)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2017-1119.NASL
description	According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An out-of-bounds access issue was found in QEMU
last seen	2020-05-06
modified	2017-07-21
plugin id	101851
published	2017-07-21
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101851
title	EulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2017-1119)

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2017-1206.NASL
description	An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * A heap buffer overflow flaw was found in QEMU
last seen	2020-06-01
modified	2020-06-02
plugin id	100068
published	2017-05-10
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/100068
title	CentOS 6 : qemu-kvm (CESA-2017:1206)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2017-1146-1.NASL
description	This update for xen fixes several security issues : - A malicious 64-bit PV guest may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks by placing a IRET hypercall in the middle of a multicall batch (XSA-213, bsc#1034843) - A malicious pair of guests may be able to access all of system memory, allowing for all of privilege escalation, host crashes, and information leaks because of a missing check when transfering pages via GNTTABOP_transfer (XSA-214, bsc#1034844). - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions (bsc#1034994). - CVE-2016-9603: A privileged user within the guest VM could have caused a heap overflow in the device model process, potentially escalating their privileges to that of the device model process (bsc#1028655) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	99961
published	2017-05-03
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/99961
title	SUSE SLES11 Security Update : xen (SUSE-SU-2017:1146-1)

NASL family	Virtuozzo Local Security Checks
NASL id	VIRTUOZZO_VZLSA-2017-1430.NASL
description	An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * An out-of-bounds r/w access issue was found in QEMU
last seen	2020-06-01
modified	2020-06-02
plugin id	101479
published	2017-07-13
reporter	This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101479
title	Virtuozzo 7 : qemu-img / qemu-kvm / qemu-kvm-common / etc (VZLSA-2017-1430)

Redhat

advisories

bugzilla

id	1444371
title	CVE-2017-7980 Qemu: display: cirrus: OOB r/w access issues in bitblt routines

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 6 is installed
oval oval:com.redhat.rhba:tst:20111656003

AND

comment qemu-guest-agent is earlier than 2:0.12.1.2-2.503.el6_9.3
oval oval:com.redhat.rhsa:tst:20171206001
comment qemu-guest-agent is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20121234002

AND
comment qemu-kvm is earlier than 2:0.12.1.2-2.503.el6_9.3
oval oval:com.redhat.rhsa:tst:20171206003
comment qemu-kvm is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110345004

AND

comment qemu-kvm-tools is earlier than 2:0.12.1.2-2.503.el6_9.3
oval oval:com.redhat.rhsa:tst:20171206005
comment qemu-kvm-tools is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110345002

AND
comment qemu-img is earlier than 2:0.12.1.2-2.503.el6_9.3
oval oval:com.redhat.rhsa:tst:20171206007
comment qemu-img is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110345006

rhsa

id	RHSA-2017:1206
released	2017-05-09
severity	Important
title	RHSA-2017:1206: qemu-kvm security update (Important)

bugzilla

id	1452332
title	RHEL 7.2 based VM (Virtual Machine) hung for several hours apparently waiting for lock held by main_loop

oval

comment Red Hat Enterprise Linux must be installed
oval oval:com.redhat.rhba:tst:20070304026

AND

comment Red Hat Enterprise Linux 7 is installed
oval oval:com.redhat.rhba:tst:20150364027

AND
comment qemu-img is earlier than 10:1.5.3-126.el7_3.9
oval oval:com.redhat.rhsa:tst:20171430001
comment qemu-img is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110345006
AND
comment qemu-kvm is earlier than 10:1.5.3-126.el7_3.9
oval oval:com.redhat.rhsa:tst:20171430003
comment qemu-kvm is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110345004

AND

comment qemu-kvm-tools is earlier than 10:1.5.3-126.el7_3.9
oval oval:com.redhat.rhsa:tst:20171430005
comment qemu-kvm-tools is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20110345002

AND

comment qemu-kvm-common is earlier than 10:1.5.3-126.el7_3.9
oval oval:com.redhat.rhsa:tst:20171430007
comment qemu-kvm-common is signed with Red Hat redhatrelease2 key
oval oval:com.redhat.rhsa:tst:20140704004

rhsa

id	RHSA-2017:1430
released	2017-06-13
severity	Important
title	RHSA-2017:1430: qemu-kvm security and bug fix update (Important)

rhsa
id RHSA-2017:0980
rhsa
id RHSA-2017:0981
rhsa
id RHSA-2017:0982
rhsa
id RHSA-2017:0983
rhsa
id RHSA-2017:0984
rhsa
id RHSA-2017:0988
rhsa
id RHSA-2017:1205
rhsa
id RHSA-2017:1441

rpms

qemu-img-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-common-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.9
qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.9
qemu-img-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-common-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.9
qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.9
qemu-img-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-common-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.9
qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.9
qemu-img-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-common-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.9
qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.9
qemu-img-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-common-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.9
qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.9
qemu-img-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-common-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-10:2.6.0-28.el7_3.9
qemu-kvm-rhev-debuginfo-10:2.6.0-28.el7_3.9
qemu-kvm-tools-rhev-10:2.6.0-28.el7_3.9
qemu-img-rhev-2:0.12.1.2-2.503.el6_9.3
qemu-kvm-rhev-2:0.12.1.2-2.503.el6_9.3
qemu-kvm-rhev-debuginfo-2:0.12.1.2-2.503.el6_9.3
qemu-kvm-rhev-tools-2:0.12.1.2-2.503.el6_9.3
qemu-guest-agent-2:0.12.1.2-2.503.el6_9.3
qemu-img-2:0.12.1.2-2.503.el6_9.3
qemu-kvm-2:0.12.1.2-2.503.el6_9.3
qemu-kvm-debuginfo-2:0.12.1.2-2.503.el6_9.3
qemu-kvm-tools-2:0.12.1.2-2.503.el6_9.3
qemu-img-10:1.5.3-126.el7_3.9
qemu-kvm-10:1.5.3-126.el7_3.9
qemu-kvm-common-10:1.5.3-126.el7_3.9
qemu-kvm-debuginfo-10:1.5.3-126.el7_3.9
qemu-kvm-tools-10:1.5.3-126.el7_3.9
qemu-img-rhev-2:0.12.1.2-2.503.el6_9.3
qemu-kvm-rhev-2:0.12.1.2-2.503.el6_9.3
qemu-kvm-rhev-debuginfo-2:0.12.1.2-2.503.el6_9.3
qemu-kvm-rhev-tools-2:0.12.1.2-2.503.el6_9.3

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Redhat

References