Vulnerabilities > CVE-2019-12155 - NULL Pointer Dereference vulnerability in Qemu 4.0.0
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
interface_release_resource in hw/display/qxl.c in QEMU 3.1.x through 4.0.0 has a NULL pointer dereference.
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2192-1.NASL description This update for qemu fixes the following issues : Security issues fixed : CVE-2019-14378: Security fix for heap overflow in ip_reass on big packet input (bsc#1143794). CVE-2019-12155: Security fix for NULL pointer dereference while releasing spice resources (bsc#1135902). CVE-2019-13164: Security fix for qemu-bridge-helper ACL can be bypassed when names are too long (bsc#1140402). CVE-2019-5008: Fix DoS (NULL pointer dereference) in sparc64 virtual machine possible through guest device driver (bsc#1133031). Bug fixes and enhancements: Upstream tweaked SnowRidge-Server vcpu model to now be simply Snowridge (jsc#SLE-4883) Add SnowRidge-Server vcpu model (jsc#SLE-4883) Add in documentation about md-clear feature (bsc#1138534) Fix SEV issue where older machine type is not processed correctly (bsc#1144087) Fix case of a bad pointer in Xen PV usb support code (bsc#1128106) Further refine arch-capabilities handling to help with security and performance in Intel hosts (bsc#1134883, bsc#1135210) (fate#327764) Add support for one more security/performance related vcpu feature (bsc#1136778) (fate#327796) Ignore csske for expanding the cpu model (bsc#1136540) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 128074 published 2019-08-22 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128074 title SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2019:2192-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2019:2192-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(128074); script_version("1.3"); script_cvs_date("Date: 2019/09/24 11:01:33"); script_cve_id("CVE-2019-12155", "CVE-2019-13164", "CVE-2019-14378", "CVE-2019-5008"); script_name(english:"SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2019:2192-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for qemu fixes the following issues : Security issues fixed : CVE-2019-14378: Security fix for heap overflow in ip_reass on big packet input (bsc#1143794). CVE-2019-12155: Security fix for NULL pointer dereference while releasing spice resources (bsc#1135902). CVE-2019-13164: Security fix for qemu-bridge-helper ACL can be bypassed when names are too long (bsc#1140402). CVE-2019-5008: Fix DoS (NULL pointer dereference) in sparc64 virtual machine possible through guest device driver (bsc#1133031). Bug fixes and enhancements: Upstream tweaked SnowRidge-Server vcpu model to now be simply Snowridge (jsc#SLE-4883) Add SnowRidge-Server vcpu model (jsc#SLE-4883) Add in documentation about md-clear feature (bsc#1138534) Fix SEV issue where older machine type is not processed correctly (bsc#1144087) Fix case of a bad pointer in Xen PV usb support code (bsc#1128106) Further refine arch-capabilities handling to help with security and performance in Intel hosts (bsc#1134883, bsc#1135210) (fate#327764) Add support for one more security/performance related vcpu feature (bsc#1136778) (fate#327796) Ignore csske for expanding the cpu model (bsc#1136540) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1128106" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1133031" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1134883" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1135210" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1135902" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1136540" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1136778" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1138534" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1140402" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1143794" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1144087" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-12155/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-13164/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-14378/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-5008/" ); # https://www.suse.com/support/update/announcement/2019/suse-su-20192192-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?7e13d510" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Module for Server Applications 15-SP1:zypper in -t patch SUSE-SLE-Module-Server-Applications-15-SP1-2019-2192=1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1:zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2192=1 SUSE Linux Enterprise Module for Basesystem 15-SP1:zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP1-2019-2192=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-arm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-arm-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-alsa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-alsa-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-oss"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-oss-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-pa"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-pa-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-dmg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-dmg-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-iscsi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-ssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-extra"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-extra-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-lang"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-linux-user"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-linux-user-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-linux-user-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ppc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ppc-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-testsuite"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ui-curses"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ui-curses-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ui-gtk"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ui-gtk-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/19"); script_set_attribute(attribute:"patch_publication_date", value:"2019/08/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/22"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP1", os_ver + " SP" + sp); if (os_ver == "SLED15" && (! preg(pattern:"^(1)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP1", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-audio-alsa-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-audio-alsa-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-audio-oss-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-audio-oss-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-audio-pa-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-audio-pa-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-ui-curses-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-ui-curses-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-ui-gtk-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-ui-gtk-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-x86-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-x86-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-s390-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"x86_64", reference:"qemu-s390-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-s390-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-s390-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-audio-alsa-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-audio-alsa-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-audio-oss-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-audio-oss-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-audio-pa-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-audio-pa-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-ui-curses-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-ui-curses-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-ui-gtk-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-ui-gtk-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-x86-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", cpu:"s390x", reference:"qemu-x86-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-block-curl-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-block-curl-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-block-iscsi-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-block-iscsi-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-block-rbd-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-block-rbd-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-block-ssh-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-block-ssh-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-debugsource-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-guest-agent-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-guest-agent-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-lang-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-kvm-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-block-dmg-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-block-dmg-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-debugsource-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-extra-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-extra-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-linux-user-3.1.1-9.3.2")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-linux-user-debuginfo-3.1.1-9.3.2")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-linux-user-debugsource-3.1.1-9.3.2")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-testsuite-3.1.1-9.3.4")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-ppc-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-ppc-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-arm-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-arm-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-debugsource-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-tools-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLES15", sp:"1", reference:"qemu-tools-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"x86_64", reference:"qemu-s390-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"x86_64", reference:"qemu-s390-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-audio-alsa-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-audio-alsa-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-audio-oss-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-audio-oss-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-audio-pa-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-audio-pa-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-ui-curses-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-ui-curses-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-ui-gtk-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-ui-gtk-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-x86-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", cpu:"s390x", reference:"qemu-x86-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-block-dmg-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-block-dmg-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-debugsource-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-extra-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-extra-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-linux-user-3.1.1-9.3.2")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-linux-user-debuginfo-3.1.1-9.3.2")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-linux-user-debugsource-3.1.1-9.3.2")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-testsuite-3.1.1-9.3.4")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-ppc-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-ppc-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-arm-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-arm-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-debuginfo-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-debugsource-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-tools-3.1.1-9.3.3")) flag++; if (rpm_check(release:"SLED15", sp:"1", reference:"qemu-tools-debuginfo-3.1.1-9.3.3")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu"); }
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2227.NASL description According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.(CVE-2019-6778) - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.(CVE-2015-7549) - The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control.(CVE-2016-2841) - Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device.(CVE-2017-9374) - Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash).(CVE-2017-18043) - Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.(CVE-2017-5579) - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.(CVE-2015-4037) - The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.(CVE-2016-7908) - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information.(CVE-2013-4544) - Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.(CVE-2016-2538) - Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.(CVE-2018-10839) - Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.(CVE-2017-9373) - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.(CVE-2019-9824) - QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.(CVE-2017-9503) - Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.(CVE-2013-4526) - Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.(CVE-2013-4530) - Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.(CVE-2013-4539) - Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.(CVE-2013-4540) - The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer.(CVE-2017-5987) - Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12126) - Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12127) - Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12130) - Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2019-11091) - interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference.(CVE-2019-12155) - Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.(CVE-2016-7161) - Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.(CVE-2015-5279) - The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vectors involving the data transfer length.(CVE-2017-5667) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-11-08 plugin id 130689 published 2019-11-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130689 title EulerOS 2.0 SP5 : qemu-kvm (EulerOS-SA-2019-2227) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(130689); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07"); script_cve_id( "CVE-2013-4526", "CVE-2013-4530", "CVE-2013-4539", "CVE-2013-4540", "CVE-2013-4544", "CVE-2015-4037", "CVE-2015-5279", "CVE-2015-7549", "CVE-2016-2538", "CVE-2016-2841", "CVE-2016-7161", "CVE-2016-7908", "CVE-2017-18043", "CVE-2017-5579", "CVE-2017-5667", "CVE-2017-5987", "CVE-2017-9373", "CVE-2017-9374", "CVE-2017-9503", "CVE-2018-10839", "CVE-2018-12126", "CVE-2018-12127", "CVE-2018-12130", "CVE-2019-11091", "CVE-2019-12155", "CVE-2019-6778", "CVE-2019-9824" ); script_bugtraq_id( 66955, 67483, 74809 ); script_name(english:"EulerOS 2.0 SP5 : qemu-kvm (EulerOS-SA-2019-2227)"); script_summary(english:"Checks the rpm output for the updated packages."); script_set_attribute(attribute:"synopsis", value: "The remote EulerOS host is missing multiple security updates."); script_set_attribute(attribute:"description", value: "According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.(CVE-2019-6778) - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.(CVE-2015-7549) - The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control.(CVE-2016-2841) - Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device.(CVE-2017-9374) - Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash).(CVE-2017-18043) - Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.(CVE-2017-5579) - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.(CVE-2015-4037) - The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.(CVE-2016-7908) - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information.(CVE-2013-4544) - Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.(CVE-2016-2538) - Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.(CVE-2018-10839) - Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.(CVE-2017-9373) - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.(CVE-2019-9824) - QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.(CVE-2017-9503) - Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.(CVE-2013-4526) - Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.(CVE-2013-4530) - Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.(CVE-2013-4539) - Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.(CVE-2013-4540) - The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer.(CVE-2017-5987) - Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12126) - Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12127) - Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12130) - Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2019-11091) - interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference.(CVE-2019-12155) - Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.(CVE-2016-7161) - Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.(CVE-2015-5279) - The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vectors involving the data transfer length.(CVE-2017-5667) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."); # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2227 script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?95b359a0"); script_set_attribute(attribute:"solution", value: "Update the affected qemu-kvm packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-img"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm-common"); script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Huawei Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp"); script_exclude_keys("Host/EulerOS/uvp_version"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/EulerOS/release"); if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS"); if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0"); sp = get_kb_item("Host/EulerOS/sp"); if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5"); uvp = get_kb_item("Host/EulerOS/uvp_version"); if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp); if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu); flag = 0; pkgs = ["qemu-img-1.5.3-156.5.h14.eulerosv2r7", "qemu-kvm-1.5.3-156.5.h14.eulerosv2r7", "qemu-kvm-common-1.5.3-156.5.h14.eulerosv2r7"]; foreach (pkg in pkgs) if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-kvm"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1216.NASL description The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1216 advisory. - QEMU: qxl: null pointer dereference while releasing spice resources (CVE-2019-12155) - QEMU: slirp: heap buffer overflow during packet reassembly (CVE-2019-14378) - QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server (CVE-2020-1711) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-04-23 modified 2020-03-31 plugin id 135033 published 2020-03-31 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135033 title RHEL 7 : qemu-kvm-rhev (RHSA-2020:1216) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2020:1216. The text # itself is copyright (C) Red Hat, Inc. # include('compat.inc'); if (description) { script_id(135033); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/20"); script_cve_id("CVE-2019-12155", "CVE-2019-14378", "CVE-2020-1711"); script_bugtraq_id(108429); script_xref(name:"RHSA", value:"2020:1216"); script_name(english:"RHEL 7 : qemu-kvm-rhev (RHSA-2020:1216)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute(attribute:"synopsis", value: "The remote Red Hat host is missing one or more security updates."); script_set_attribute(attribute:"description", value: "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1216 advisory. - QEMU: qxl: null pointer dereference while releasing spice resources (CVE-2019-12155) - QEMU: slirp: heap buffer overflow during packet reassembly (CVE-2019-14378) - QEMU: block: iscsi: OOB heap access via an unexpected response of iSCSI Server (CVE-2020-1711) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/476.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/122.html"); script_set_attribute(attribute:"see_also", value:"https://cwe.mitre.org/data/definitions/122.html"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2020:1216"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-12155"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2019-14378"); script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/CVE-2020-1711"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1648622"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1665256"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1711643"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1721522"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1724048"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1734502"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1743365"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1746224"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1764120"); script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/1775251"); script_set_attribute(attribute:"solution", value: "Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-14378"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(122, 476); script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/24"); script_set_attribute(attribute:"patch_publication_date", value:"2020/03/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/31"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:redhat:rhev_manager:4.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7::hypervisor"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-img-rhev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-common-rhev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-rhev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-tools-rhev"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Red Hat Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); include('rpm.inc'); if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item('Host/RedHat/release'); if (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat'); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat'); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver); if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item('Host/cpu'); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu); pkgs = [ {'reference':'qemu-img-rhev-2.12.0-44.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'10'}, {'reference':'qemu-kvm-common-rhev-2.12.0-44.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'10'}, {'reference':'qemu-kvm-rhev-2.12.0-44.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'10'}, {'reference':'qemu-kvm-tools-rhev-2.12.0-44.el7', 'cpu':'x86_64', 'release':'7', 'epoch':'10'} ]; flag = 0; foreach package_array ( pkgs ) { reference = NULL; release = NULL; sp = NULL; cpu = NULL; el_string = NULL; rpm_spec_vers_cmp = NULL; epoch = NULL; if (!empty_or_null(package_array['reference'])) reference = package_array['reference']; if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release']; if (!empty_or_null(package_array['sp'])) sp = package_array['sp']; if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu']; if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string']; if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp']; if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch']; if (reference && release) { if (rpm_spec_vers_cmp) { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:TRUE)) flag++; } else { if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch)) flag++; } } } if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu-img-rhev / qemu-kvm-common-rhev / qemu-kvm-rhev / etc'); }
NASL family Fedora Local Security Checks NASL id FEDORA_2019-E9DE40D53F.NASL description - CVE-2019-12155: qxl: NULL pointer dereference while releasing spice resources (bz #1712727, bz #1712670) - CVE-2019-5008: NULL pointer dereference in hw/sparc64/sun4u.c leading to DoS (bz #1705916, bz #1705915) - CVE-2018-20815: device_tree: heap buffer overflow while loading device tree blob (bz #1693117, bz #1693101) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 126533 published 2019-07-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126533 title Fedora 29 : 2:qemu (2019-e9de40d53f) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2019-e9de40d53f. # include("compat.inc"); if (description) { script_id(126533); script_version("1.3"); script_cvs_date("Date: 2020/01/08"); script_cve_id("CVE-2018-20815", "CVE-2019-12155", "CVE-2019-5008"); script_xref(name:"FEDORA", value:"2019-e9de40d53f"); script_name(english:"Fedora 29 : 2:qemu (2019-e9de40d53f)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: " - CVE-2019-12155: qxl: NULL pointer dereference while releasing spice resources (bz #1712727, bz #1712670) - CVE-2019-5008: NULL pointer dereference in hw/sparc64/sun4u.c leading to DoS (bz #1705916, bz #1705915) - CVE-2018-20815: device_tree: heap buffer overflow while loading device tree blob (bz #1693117, bz #1693101) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9de40d53f" ); script_set_attribute( attribute:"solution", value:"Update the affected 2:qemu package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:2:qemu"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:29"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/04/19"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/09"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^29([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 29", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC29", reference:"qemu-3.0.1-4.fc29", epoch:"2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "2:qemu"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2246-1.NASL description This update for qemu fixes the following issues : Security issues fixed : CVE-2019-14378: Security fix for heap overflow in ip_reass on big packet input (bsc#1143794). CVE-2019-12155: Security fix for NULL pointer dereference while releasing spice resources (bsc#1135902). CVE-2019-13164: Security fix for qemu-bridge-helper ACL can be bypassed when names are too long (bsc#1140402). Bug fixes and enhancements: Add vcpu features needed for Cascadelake-Server, Icelake-Client and Icelake-Server, especially the foundational arch-capabilities to help with security and performance on Intel hosts (bsc#1134883) (fate#327764) Add support for one more security/performance related vcpu feature (bsc#1136778) (fate#327796) Disable file locking in the Xen PV disk backend to avoid locking issues with PV domUs during migration. The issues triggered by the locking can not be properly handled in libxl. The locking introduced in qemu-2.10 was removed again in qemu-4.0 (bsc#1079730, bsc#1098403, bsc#1111025). Ignore csske for expanding the cpu model (bsc#1136540) Fix vm migration is failing with input/output error when nfs server is disconnected (bsc#1119115) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 128318 published 2019-08-29 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128318 title SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2019:2246-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from SUSE update advisory SUSE-SU-2019:2246-1. # The text itself is copyright (C) SUSE. # include("compat.inc"); if (description) { script_id(128318); script_version("1.3"); script_cvs_date("Date: 2019/09/24 11:01:33"); script_cve_id("CVE-2019-12155", "CVE-2019-13164", "CVE-2019-14378"); script_name(english:"SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2019:2246-1)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "This update for qemu fixes the following issues : Security issues fixed : CVE-2019-14378: Security fix for heap overflow in ip_reass on big packet input (bsc#1143794). CVE-2019-12155: Security fix for NULL pointer dereference while releasing spice resources (bsc#1135902). CVE-2019-13164: Security fix for qemu-bridge-helper ACL can be bypassed when names are too long (bsc#1140402). Bug fixes and enhancements: Add vcpu features needed for Cascadelake-Server, Icelake-Client and Icelake-Server, especially the foundational arch-capabilities to help with security and performance on Intel hosts (bsc#1134883) (fate#327764) Add support for one more security/performance related vcpu feature (bsc#1136778) (fate#327796) Disable file locking in the Xen PV disk backend to avoid locking issues with PV domUs during migration. The issues triggered by the locking can not be properly handled in libxl. The locking introduced in qemu-2.10 was removed again in qemu-4.0 (bsc#1079730, bsc#1098403, bsc#1111025). Ignore csske for expanding the cpu model (bsc#1136540) Fix vm migration is failing with input/output error when nfs server is disconnected (bsc#1119115) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1079730" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1098403" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1111025" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1119115" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1134883" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1135902" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1136540" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1136778" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1140402" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.suse.com/show_bug.cgi?id=1143794" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-12155/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-13164/" ); script_set_attribute( attribute:"see_also", value:"https://www.suse.com/security/cve/CVE-2019-14378/" ); # https://www.suse.com/support/update/announcement/2019/suse-su-20192246-1/ script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?901c6416" ); script_set_attribute( attribute:"solution", value: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE Linux Enterprise Module for Server Applications 15:zypper in -t patch SUSE-SLE-Module-Server-Applications-15-2019-2246=1 SUSE Linux Enterprise Module for Open Buildservice Development Tools 15:zypper in -t patch SUSE-SLE-Module-Development-Tools-OBS-15-2019-2246=1 SUSE Linux Enterprise Module for Basesystem 15:zypper in -t patch SUSE-SLE-Module-Basesystem-15-2019-2246=1" ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-dmg"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-dmg-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-iscsi"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-ssh"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-extra"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-extra-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-kvm"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-lang"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-linux-user"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-linux-user-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-linux-user-debugsource"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86-debuginfo"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:15"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/24"); script_set_attribute(attribute:"patch_publication_date", value:"2019/08/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/29"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE"); os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE"); os_ver = os_ver[1]; if (! preg(pattern:"^(SLED15|SLES15)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED15 / SLES15", "SUSE " + os_ver); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu); sp = get_kb_item("Host/SuSE/patchlevel"); if (isnull(sp)) sp = "0"; if (os_ver == "SLES15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLES15 SP0", os_ver + " SP" + sp); if (os_ver == "SLED15" && (! preg(pattern:"^(0)$", string:sp))) audit(AUDIT_OS_NOT, "SLED15 SP0", os_ver + " SP" + sp); flag = 0; if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"qemu-x86-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", cpu:"x86_64", reference:"qemu-x86-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"qemu-s390-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", cpu:"s390x", reference:"qemu-s390-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-block-curl-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-block-curl-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-block-iscsi-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-block-iscsi-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-block-rbd-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-block-rbd-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-block-ssh-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-block-ssh-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-debugsource-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-guest-agent-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-guest-agent-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-lang-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-kvm-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-block-dmg-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-block-dmg-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-debugsource-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-extra-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-extra-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-linux-user-2.11.2-9.28.2")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-linux-user-debuginfo-2.11.2-9.28.2")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-linux-user-debugsource-2.11.2-9.28.2")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-debugsource-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-tools-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLES15", sp:"0", reference:"qemu-tools-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-block-dmg-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-block-dmg-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-debugsource-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-extra-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-extra-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-linux-user-2.11.2-9.28.2")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-linux-user-debuginfo-2.11.2-9.28.2")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-linux-user-debugsource-2.11.2-9.28.2")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-debuginfo-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-debugsource-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-tools-2.11.2-9.28.3")) flag++; if (rpm_check(release:"SLED15", sp:"0", reference:"qemu-tools-debuginfo-2.11.2-9.28.3")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu"); }
NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4454.NASL description Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service, the execution of arbitrary code or information disclosure. In addition this update backports support to passthrough the new md-clear CPU flag added in the intel-microcode update shipped in DSA 4447 to x86-based guests. last seen 2020-06-01 modified 2020-06-02 plugin id 125609 published 2019-05-31 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125609 title Debian DSA-4454-1 : qemu - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-4454. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(125609); script_version("1.2"); script_cvs_date("Date: 2019/06/04 9:45:00"); script_cve_id("CVE-2018-11806", "CVE-2018-12617", "CVE-2018-16872", "CVE-2018-17958", "CVE-2018-18849", "CVE-2018-18954", "CVE-2018-19364", "CVE-2018-19489", "CVE-2019-12155", "CVE-2019-3812", "CVE-2019-6778", "CVE-2019-9824"); script_xref(name:"DSA", value:"4454"); script_name(english:"Debian DSA-4454-1 : qemu - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Multiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service, the execution of arbitrary code or information disclosure. In addition this update backports support to passthrough the new md-clear CPU flag added in the intel-microcode update shipped in DSA 4447 to x86-based guests." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/qemu" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/stretch/qemu" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2019/dsa-4454" ); script_set_attribute( attribute:"solution", value: "Upgrade the qemu packages. For the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u6." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:qemu"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/13"); script_set_attribute(attribute:"patch_publication_date", value:"2019/05/30"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/31"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"9.0", prefix:"qemu", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-block-extra", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-guest-agent", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-kvm", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-system", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-system-arm", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-system-common", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-system-mips", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-system-misc", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-system-ppc", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-system-sparc", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-system-x86", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-user", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-user-binfmt", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-user-static", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (deb_check(release:"9.0", prefix:"qemu-utils", reference:"1:2.8+dfsg-6+deb9u6")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0211_QEMU-KVM.NASL description The remote NewStart CGSL host, running version MAIN 4.06, has qemu-kvm packages installed that are affected by multiple vulnerabilities: - m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. (CVE-2018-11806) - Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS. (CVE-2018-10839) - Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. (CVE-2018-17962) - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap- based buffer overflow. (CVE-2019-6778) - interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference. (CVE-2019-12155) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 131771 published 2019-12-06 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131771 title NewStart CGSL MAIN 4.06 : qemu-kvm Multiple Vulnerabilities (NS-SA-2019-0211) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from ZTE advisory NS-SA-2019-0211. The text # itself is copyright (C) ZTE, Inc. include("compat.inc"); if (description) { script_id(131771); script_version("1.2"); script_cvs_date("Date: 2019/12/10"); script_cve_id( "CVE-2018-10839", "CVE-2018-11806", "CVE-2018-17962", "CVE-2019-6778", "CVE-2019-12155" ); script_bugtraq_id(106758, 108429); script_name(english:"NewStart CGSL MAIN 4.06 : qemu-kvm Multiple Vulnerabilities (NS-SA-2019-0211)"); script_set_attribute(attribute:"synopsis", value: "The remote machine is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote NewStart CGSL host, running version MAIN 4.06, has qemu-kvm packages installed that are affected by multiple vulnerabilities: - m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. (CVE-2018-11806) - Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS. (CVE-2018-10839) - Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. (CVE-2018-17962) - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap- based buffer overflow. (CVE-2019-6778) - interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference. (CVE-2019-12155) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"http://security.gd-linux.com/notice/NS-SA-2019-0211"); script_set_attribute(attribute:"solution", value: "Upgrade the vulnerable CGSL qemu-kvm packages. Note that updated packages may not be available yet. Please contact ZTE for more information."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-11806"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/06/13"); script_set_attribute(attribute:"patch_publication_date", value:"2019/11/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/06"); script_set_attribute(attribute:"plugin_type", value:"local"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"NewStart CGSL Local Security Checks"); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/ZTE-CGSL/release", "Host/ZTE-CGSL/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/ZTE-CGSL/release"); if (isnull(release) || release !~ "^CGSL (MAIN|CORE)") audit(AUDIT_OS_NOT, "NewStart Carrier Grade Server Linux"); if (release !~ "CGSL MAIN 4.06") audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 4.06'); if (!get_kb_item("Host/ZTE-CGSL/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "NewStart Carrier Grade Server Linux", cpu); flag = 0; pkgs = { "CGSL MAIN 4.06": [ "qemu-guest-agent-0.12.1.2-2.506.el6_10.5", "qemu-img-0.12.1.2-2.506.el6_10.5", "qemu-kvm-0.12.1.2-2.506.el6_10.5", "qemu-kvm-debuginfo-0.12.1.2-2.506.el6_10.5", "qemu-kvm-tools-0.12.1.2-2.506.el6_10.5" ] }; pkg_list = pkgs[release]; foreach (pkg in pkg_list) if (rpm_check(release:"ZTE " + release, reference:pkg)) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-kvm"); }
NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2221-1.NASL description This update for qemu fixes the following issues : Security issues fixed : CVE-2019-14378: Security fix for heap overflow in ip_reass on big packet input (bsc#1143794). CVE-2019-12155: Security fix for NULL pointer dereference while releasing spice resources (bsc#1135902). CVE-2019-13164: Security fix for qemu-bridge-helper ACL can be bypassed when names are too long (bsc#1140402). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 128301 published 2019-08-28 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128301 title SUSE SLES12 Security Update : qemu (SUSE-SU-2019:2221-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2019-2892.NASL description An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams (CVE-2018-11806) * QEMU: slirp: heap buffer overflow in tcp_emu() (CVE-2019-6778) * QEMU: ne2000: integer overflow leads to buffer overflow issue (CVE-2018-10839) * QEMU: pcnet: integer overflow leads to buffer overflow (CVE-2018-17962) * QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 129473 published 2019-10-01 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129473 title CentOS 6 : qemu-kvm (CESA-2019:2892) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2041.NASL description This update for qemu fixes the following issues : Security issues fixed : - CVE-2019-14378: Security fix for heap overflow in ip_reass on big packet input (bsc#1143794). - CVE-2019-12155: Security fix for NULL pointer dereference while releasing spice resources (bsc#1135902). - CVE-2019-13164: Security fix for qemu-bridge-helper ACL can be bypassed when names are too long (bsc#1140402). - CVE-2019-5008: Fix DoS (NULL pointer dereference) in sparc64 virtual machine possible through guest device driver (bsc#1133031). Bug fixes and enhancements : - Upstream tweaked SnowRidge-Server vcpu model to now be simply Snowridge (jsc#SLE-4883) - Add SnowRidge-Server vcpu model (jsc#SLE-4883) - Add in documentation about md-clear feature (bsc#1138534) - Fix SEV issue where older machine type is not processed correctly (bsc#1144087) - Fix case of a bad pointer in Xen PV usb support code (bsc#1128106) - Further refine arch-capabilities handling to help with security and performance in Intel hosts (bsc#1134883, bsc#1135210) (fate#327764) - Add support for one more security/performance related vcpu feature (bsc#1136778) (fate#327796) - Ignore csske for expanding the cpu model (bsc#1136540) This update was imported from the SUSE:SLE-15-SP1:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 128457 published 2019-09-03 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128457 title openSUSE Security Update : qemu (openSUSE-2019-2041) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-2059.NASL description This update for qemu fixes the following issues : Security issues fixed : - CVE-2019-14378: Security fix for heap overflow in ip_reass on big packet input (bsc#1143794). - CVE-2019-12155: Security fix for NULL pointer dereference while releasing spice resources (bsc#1135902). - CVE-2019-13164: Security fix for qemu-bridge-helper ACL can be bypassed when names are too long (bsc#1140402). Bug fixes and enhancements : - Add vcpu features needed for Cascadelake-Server, Icelake-Client and Icelake-Server, especially the foundational arch-capabilities to help with security and performance on Intel hosts (bsc#1134883) (fate#327764) - Add support for one more security/performance related vcpu feature (bsc#1136778) (fate#327796) - Disable file locking in the Xen PV disk backend to avoid locking issues with PV domUs during migration. The issues triggered by the locking can not be properly handled in libxl. The locking introduced in qemu-2.10 was removed again in qemu-4.0 (bsc#1079730, bsc#1098403, bsc#1111025). - Ignore csske for expanding the cpu model (bsc#1136540) - Fix vm migration is failing with input/output error when nfs server is disconnected (bsc#1119115) This update was imported from the SUSE:SLE-15:Update update project. last seen 2020-06-01 modified 2020-06-02 plugin id 128465 published 2019-09-03 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128465 title openSUSE Security Update : qemu (openSUSE-2019-2059) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2019-0045.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - kvm-slirp-fix-big-little-endian-conversion-in-ident-prot .patch - kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t .patch - kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch [bz#1669066] - kvm-qxl-check-release-info-object.patch [bz#1712728] - kvm-net-Use-iov-helper-functions.patch [bz#1636415] - kvm-net-increase-buffer-size-to-accommodate-Jumbo-frame- .patch - kvm-net-ignore-packet-size-greater-than-INT_MAX.patch [bz#1636415] - kvm-net-drop-too-large-packet-early.patch [bz#1636415] - kvm-PATCH-slirp-fix-buffer-overrun.patch [bz#1586251] - kvm-Fix-build-from-previous-commit.patch [bz#1586251] - kvm-slirp-remove-mbuf-m_hdr-m_dat-indirection.patch [bz#1586251] - kvm-slirp-Convert-mbufs-to-use-g_malloc-and-g_free.patch [bz#1586251] - kvm-slirp-correct-size-computation-while-concatenating-m .patch - kvm-pcnet-fix-possible-buffer-overflow.patch [bz#1636774] - Resolves: bz#1586251 (CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-6.10.z]) - Resolves: bz#1636415 (CVE-2018-10839 qemu-kvm: Qemu: ne2000: integer overflow leads to buffer overflow issue [rhel-6]) - Resolves: bz#1636774 (CVE-2018-17962 qemu-kvm: Qemu: pcnet: integer overflow leads to buffer overflow [rhel-6]) - Resolves: bz#1669066 (CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu [rhel-6.10.z]) - Resolves: bz#1712728 (CVE-2019-12155 qemu-kvm: QEMU: qxl: null pointer dereference while releasing spice resources [rhel-6]) last seen 2020-06-01 modified 2020-06-02 plugin id 129370 published 2019-09-26 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129370 title OracleVM 3.4 : qemu-kvm (OVMSA-2019-0045) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2019-2607.NASL description An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 129022 published 2019-09-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129022 title CentOS 7 : qemu-kvm (CESA-2019:2607) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3179.NASL description An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 and Red Hat Virtualization Engine 4.3. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Security Fix(es) : * QEMU: slirp: heap buffer overflow during packet reassembly (CVE-2019-14378) * QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : * ccid: Fix incorrect dwProtocol advertisement of T=0 (BZ#1729880) * QEMU gets stuck on resume/cont call from libvirt (BZ#1741937) * [v2v] Migration performance regression (BZ#1743322) * qemu, qemu-img fail to detect alignment with XFS and Gluster/XFS on 4k block device (BZ#1745443) * qemu-kvm: backport cpuidle-haltpoll support (BZ#1746282) * qemu aborts in blockCommit: qemu-kvm: block.c:3486 (BZ#1750322) last seen 2020-06-01 modified 2020-06-02 plugin id 130188 published 2019-10-24 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130188 title RHEL 7 : Virtualization Manager (RHSA-2019:3179) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2020-0019_QEMU-KVM.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has qemu-kvm packages installed that are affected by multiple vulnerabilities: - m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. (CVE-2018-11806) - Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS. (CVE-2018-10839) - Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. (CVE-2018-17962) - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap- based buffer overflow. (CVE-2019-6778) - interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference. (CVE-2019-12155) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-03-18 modified 2020-03-08 plugin id 134319 published 2020-03-08 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134319 title NewStart CGSL MAIN 4.05 : qemu-kvm Multiple Vulnerabilities (NS-SA-2020-0019) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-2607.NASL description An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 128497 published 2019-09-04 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128497 title RHEL 7 : qemu-kvm (RHSA-2019:2607) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2353-1.NASL description This update for qemu fixes the following issues : Security issues fixed : CVE-2019-14378: Security fix for heap overflow in ip_reass on big packet input (bsc#1143794). CVE-2019-12155: Security fix for NULL pointer dereference while releasing spice resources (bsc#1135902). CVE-2019-13164: Security fix for qemu-bridge-helper ACL can be bypassed when names are too long (bsc#1140402). Bug fixes and enhancements: Add vcpu features needed for Cascadelake-Server, Icelake-Client and Icelake-Server, especially the foundational arch-capabilities to help with security and performance on Intel hosts (bsc#1134880) (fate#327764). Add support for one more security/performance related vcpu feature (bsc#1136777) (fate#327795). Disable file locking in the Xen PV disk backend to avoid locking issues with PV domUs during migration. The issues triggered by the locking can not be properly handled in libxl. The locking introduced in qemu-2.10 was removed again in qemu-4.0 (bsc#1079730, bsc#1098403, bsc#1111025). Ignore csske for expanding the cpu model (bsc#1136528). Provide qcow2 L2 caching improvements, which allows for better storage performance in certain configurations (bsc#1139926, ECO-130). Fixed virsh migrate-setspeed (bsc#1127077, bsc#1141043). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 128753 published 2019-09-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128753 title SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2019:2353-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-3345.NASL description An update for the virt:rhel module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. Kernel-based Virtual Machine (KVM) offers a full virtualization solution for Linux on numerous hardware platforms. The virt:rhel module contains packages which provide user-space components used to run virtual machines using KVM. The packages also provide APIs for managing and interacting with the virtualized systems. Security Fix(es) : * ntfs-3g: heap-based buffer overflow leads to local root privilege escalation (CVE-2019-9755) * QEMU: slirp: information leakage in tcp_emu() due to uninitialized stack variables (CVE-2019-9824) * QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.1 Release Notes linked from the References section. last seen 2020-05-23 modified 2019-11-06 plugin id 130529 published 2019-11-06 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130529 title RHEL 8 : virt:rhel (RHSA-2019:3345) NASL family SuSE Local Security Checks NASL id SUSE_SU-2020-0388-1.NASL description This update for xen fixes the following issues : CVE-2018-12207: Fixed a race condition where untrusted virtual machines could have been using the Instruction Fetch Unit of the Intel CPU to cause a Machine Exception during Page Size Change, causing the CPU core to be non-functional (bsc#1155945 XSA-304). CVE-2018-19965: Fixed a DoS from attempting to use INVPCID with a non-canonical addresses (bsc#1115045 XSA-279). CVE-2019-11135: Aborting an asynchronous TSX operation on Intel CPUs with Transactional Memory support could be used to facilitate side-channel information leaks out of microarchitectural buffers, similar to the previously described last seen 2020-03-18 modified 2020-02-18 plugin id 133763 published 2020-02-18 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/133763 title SUSE SLES12 Security Update : xen (SUSE-SU-2020:0388-1) NASL family Scientific Linux Local Security Checks NASL id SL_20190903_QEMU_KVM_ON_SL7_X.NASL description Security Fix(es): - QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) -- last seen 2020-03-18 modified 2019-09-04 plugin id 128502 published 2019-09-04 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128502 title Scientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20190903) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-2892.NASL description An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams (CVE-2018-11806) * QEMU: slirp: heap buffer overflow in tcp_emu() (CVE-2019-6778) * QEMU: ne2000: integer overflow leads to buffer overflow issue (CVE-2018-10839) * QEMU: pcnet: integer overflow leads to buffer overflow (CVE-2018-17962) * QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 129332 published 2019-09-25 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129332 title RHEL 6 : qemu-kvm (RHSA-2019:2892) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-4191-1.NASL description It was discovered that the LSI SCSI adapter emulator implementation in QEMU did not properly validate executed scripts. A local attacker could use this to cause a denial of service. (CVE-2019-12068) Sergej Schumilo, Cornelius Aschermann and Simon Worner discovered that the qxl paravirtual graphics driver implementation in QEMU contained a NULL pointer dereference. A local attacker in a guest could use this to cause a denial of service. (CVE-2019-12155) Riccardo Schirone discovered that the QEMU bridge helper did not properly validate network interface names. A local attacker could possibly use this to bypass ACL restrictions. (CVE-2019-13164) It was discovered that a heap-based buffer overflow existed in the SLiRP networking implementation of QEMU. A local attacker in a guest could use this to cause a denial of service or possibly execute arbitrary code in the host. (CVE-2019-14378) It was discovered that a use-after-free vulnerability existed in the SLiRP networking implementation of QEMU. A local attacker in a guest could use this to cause a denial of service. (CVE-2019-15890). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 131017 published 2019-11-14 reporter Ubuntu Security Notice (C) 2019 Canonical, Inc. / NASL script (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131017 title Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : qemu vulnerabilities (USN-4191-1) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2019-1248.NASL description A heap buffer overflow issue was found in the load_device_tree() function of QEMU, which is invoked to load a device tree blob at boot time. It occurs due to device tree size manipulation before buffer allocation, which could overflow a signed int type. A user/process could use this flaw to potentially execute arbitrary code on a host system with privileges of the QEMU process. (CVE-2018-20815) hw/sparc64/sun4u.c in QEMU 3.1.50 is vulnerable to a NULL pointer dereference, which allows the attacker to cause a denial of service via a device driver. (CVE-2019-5008) Slirp: information leakage in tcp_emu() due to uninitialized stack variables (CVE-2019-9824) qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) last seen 2020-06-01 modified 2020-06-02 plugin id 126960 published 2019-07-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126960 title Amazon Linux 2 : qemu (ALAS-2019-1248) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1927.NASL description Several vulnerabilities were found in QEMU, a fast processor emulator (notably used in KVM and Xen HVM virtualization). CVE-2016-5126 Heap-based buffer overflow in the iscsi_aio_ioctl function in block/iscsi.c in QEMU allows local guest OS users to cause a denial of service (QEMU process crash) or possibly execute arbitrary code via a crafted iSCSI asynchronous I/O ioctl call. CVE-2016-5403 The virtqueue_pop function in hw/virtio/virtio.c in QEMU allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by submitting requests without waiting for completion. CVE-2017-9375 QEMU, when built with USB xHCI controller emulator support, allows local guest OS privileged users to cause a denial of service (infinite recursive call) via vectors involving control transfer descriptors sequencing. CVE-2019-12068 QEMU scsi disk backend: lsi: exit infinite loop while executing script CVE-2019-12155 interface_release_resource in hw/display/qxl.c in QEMU has a NULL pointer dereference. CVE-2019-13164 qemu-bridge-helper.c in QEMU does not ensure that a network interface name (obtained from bridge.conf or a --br=bridge option) is limited to the IFNAMSIZ size, which can lead to an ACL bypass. CVE-2019-14378 ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment. CVE-2019-15890 libslirp 4.0.0, as used in QEMU, has a use-after-free in ip_reass in ip_input.c. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 129105 published 2019-09-23 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129105 title Debian DLA-1927-1 : qemu security update NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2019-2607.NASL description From Red Hat Security Advisory 2019:2607 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 128514 published 2019-09-05 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128514 title Oracle Linux 7 : qemu-kvm (ELSA-2019-2607) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2019-2892.NASL description From Red Hat Security Advisory 2019:2892 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams (CVE-2018-11806) * QEMU: slirp: heap buffer overflow in tcp_emu() (CVE-2019-6778) * QEMU: ne2000: integer overflow leads to buffer overflow issue (CVE-2018-10839) * QEMU: pcnet: integer overflow leads to buffer overflow (CVE-2018-17962) * QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 129329 published 2019-09-25 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129329 title Oracle Linux 6 : qemu-kvm (ELSA-2019-2892) NASL family SuSE Local Security Checks NASL id SUSE_SU-2019-2157-1.NASL description This update for qemu fixes the following issues : Security issues fixed : CVE-2019-14378: Security fix for heap overflow in ip_reass on big packet input (bsc#1143794). CVE-2019-12155: Security fix for NULL pointer dereference while releasing spice resources (bsc#1135902). CVE-2019-13164: Security fix for qemu-bridge-helper ACL can be bypassed when names are too long (bsc#1140402). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 128609 published 2019-09-09 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128609 title SUSE SLES12 Security Update : qemu (SUSE-SU-2019:2157-1) NASL family Fedora Local Security Checks NASL id FEDORA_2019-52A8F5468E.NASL description - CVE-2019-12155: qxl: NULL pointer dereference while releasing spice resources (bz #1712727, bz #1712670) - CVE-2019-5008: NULL pointer dereference in hw/sparc64/sun4u.c leading to DoS (bz #1705916, bz #1705915) - CVE-2018-20815: device_tree: heap buffer overflow while loading device tree blob (bz #1693117, bz #1693101) - CVE-2019-9824: Slirp: information leakage in tcp_emu() due to uninitialized stack variables (bz #1689794, bz #1678515) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 126530 published 2019-07-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126530 title Fedora 30 : 2:qemu (2019-52a8f5468e) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2019-4713.NASL description Description of changes: [15:3.1.0-5.el7] - Only enable the halt poll control MSR if it is supported by the host (Mark Kanda) [Orabug: 29946722] [15:3.1.0-4.el7] - kvm: i386: halt poll control MSR support (Marcelo Tosatti) [Orabug: 29933278] - Document CVEs as fixed: CVE-2017-9524, CVE-2017-6058, CVE-2017-5931 (Mark Kanda) [Orabug: 29886908] {CVE-2017-5931} {CVE-2017-6058} {CVE-2017-9524} - pvrdma: release device resources in case of an error (Prasad J Pandit) [Orabug: 29056678] {CVE-2018-20123} - qxl: check release info object (Prasad J Pandit) [Orabug: 29886906] {CVE-2019-12155} - target/i386: add MDS-NO feature (Paolo Bonzini) [Orabug: 29820428] {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091} - docs: recommend use of md-clear feature on all Intel CPUs (Daniel P. Berrangé ) [Orabug: 29820428] {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091} - target/i386: define md-clear bit (Paolo Bonzini) [Orabug: 29820428] {CVE-2018-12126} {CVE-2018-12127} {CVE-2018-12130} {CVE-2019-11091} - pvh: block migration if booting using PVH (Liam Merwick) [Orabug: 29796676] - hw/i386/pc: run the multiboot loader before the PVH loader (Stefano Garzarella) [Orabug: 29796676] - optionrom/pvh: load initrd from fw_cfg (Stefano Garzarella) [Orabug: 29796676] - hw/i386/pc: use PVH option rom (Stefano Garzarella) [Orabug: 29796676] - qemu.spec: add pvh.bin to %files (Liam Merwick) [Orabug: 29796676] - optionrom: add new PVH option rom (Stefano Garzarella) [Orabug: 29796676] - linuxboot_dma: move common functions in a new header (Stefano Garzarella) [Orabug: 29796676] - linuxboot_dma: remove duplicate definitions of FW_CFG (Stefano Garzarella) [Orabug: 29796676] - pvh: load initrd and expose it through fw_cfg (Stefano Garzarella) [Orabug: 29796676] - pvh: Boot uncompressed kernel using direct boot ABI (Liam Merwick) [Orabug: 29796676] - pvh: Add x86/HVM direct boot ABI header file (Liam Merwick) [Orabug: 29796676] - elf-ops.h: Add get_elf_note_type() (Liam Merwick) [Orabug: 29796676] - elf: Add optional function ptr to load_elf() to parse ELF notes (Liam Merwick) [Orabug: 29796676] last seen 2020-06-01 modified 2020-06-02 plugin id 126673 published 2019-07-15 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126673 title Oracle Linux 7 : qemu (ELSA-2019-4713) (MDSUM/RIDL) (MFBDS/RIDL/ZombieLoad) (MLPDS/RIDL) (MSBDS/Fallout) NASL family Scientific Linux Local Security Checks NASL id SL_20190924_QEMU_KVM_ON_SL6_X.NASL description Security Fix(es) : - QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams (CVE-2018-11806) - QEMU: slirp: heap buffer overflow in tcp_emu() (CVE-2019-6778) - QEMU: ne2000: integer overflow leads to buffer overflow issue (CVE-2018-10839) - QEMU: pcnet: integer overflow leads to buffer overflow (CVE-2018-17962) - QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) last seen 2020-03-18 modified 2019-09-25 plugin id 129334 published 2019-09-25 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129334 title Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64 (20190924) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2255.NASL description According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.(CVE-2019-9824) - interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference.(CVE-2019-12155) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-08 modified 2019-11-08 plugin id 130717 published 2019-11-08 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130717 title EulerOS 2.0 SP3 : qemu-kvm (EulerOS-SA-2019-2255)
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
References
- https://lists.gnu.org/archive/html/qemu-devel/2019-05/msg01321.html
- http://www.openwall.com/lists/oss-security/2019/05/22/1
- https://www.debian.org/security/2019/dsa-4454
- https://seclists.org/bugtraq/2019/May/76
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00008.html
- https://access.redhat.com/errata/RHSA-2019:2607
- https://lists.debian.org/debian-lts-announce/2019/09/msg00021.html
- https://access.redhat.com/errata/RHSA-2019:2892
- https://access.redhat.com/errata/RHSA-2019:3179
- https://access.redhat.com/errata/RHSA-2019:3345
- https://access.redhat.com/errata/RHSA-2019:3742
- https://access.redhat.com/errata/RHSA-2019:3787
- https://usn.ubuntu.com/4191-2/
- https://usn.ubuntu.com/4191-1/
- https://access.redhat.com/errata/RHBA-2019:3723
- https://access.redhat.com/errata/RHSA-2019:4344
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RVDHJB2QKXNDU7OFXIHIL5O5VN5QCSZL/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BOE3PVFPMWMXV3DGP2R3XIHAF2ZQU3FS/
- https://git.qemu.org/?p=qemu.git%3Ba=commit%3Bh=3be7eb2f47bf71db5f80fcf8750ea395dd5ffdd2