Vulnerabilities > CVE-2019-6778 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 7.8 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH

Summary

In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-14001-1.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : Fixed multiple access violations introduced by XENMEM_exchange hypercall which could allow a single PV guest to leak arbitrary amounts of memory, leading to a denial of service (bsc#1126192). Fixed an issue which could allow a malicious unprivileged guest userspace process to escalate its privilege to that of other userspace processes in the same guest and potentially thereby to that of the guest operating system (bsc#1126201). Fixed an issue which could allow an untrusted PV domain with access to a physical device to DMA into its own pagetables leading to privilege escalation (bsc#1126195). Fixed an issue which could allow a malicious or buggy x86 PV guest kernels can mount a Denial of Service attack affecting the whole system (bsc#1126196). CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in slirp (bsc#1123157). Fixed an issue which could allow malicious PV guests may cause a host crash or gain access to data pertaining to other guests.Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack (bsc#1126198). Fixed an issue which could allow malicious 64bit PV guests to cause a host crash (bsc#1127400). Fixed an issue which could allow malicious or buggy guests with passed through PCI devices to be able to escalate their privileges, crash the host, or access data belonging to other guests. Additionally memory leaks were also possible (bsc#1126140). Fixed a race condition issue which could allow malicious PV guests to escalate their privilege to that of the hypervisor (bsc#1126141). CVE-2019-9824: Fixed an information leak in SLiRP networking implementation which could allow a user/process to read uninitialised stack memory contents (bsc#1129623). Other issues fixed: Fixed an issue where VMs crashing when migrating between dom0 hosts (bsc#1031382). Upstream bug fixes (bsc#1027519) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123637
    published2019-04-02
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123637
    titleSUSE SLES11 Security Update : xen (SUSE-SU-2019:14001-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:14001-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(123637);
      script_version("1.1");
      script_cvs_date("Date: 2019/04/02 10:22:09");
    
      script_cve_id("CVE-2019-6778", "CVE-2019-9824");
    
      script_name(english:"SUSE SLES11 Security Update : xen (SUSE-SU-2019:14001-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for xen fixes the following issues :
    
    Security issues fixed :
    
    Fixed multiple access violations introduced by XENMEM_exchange
    hypercall which could allow a single PV guest to leak arbitrary
    amounts of memory, leading to a denial of service (bsc#1126192).
    
    Fixed an issue which could allow a malicious unprivileged guest
    userspace process to escalate its privilege to that of other userspace
    processes in the same guest and potentially thereby to that of the
    guest operating system (bsc#1126201).
    
    Fixed an issue which could allow an untrusted PV domain with access to
    a physical device to DMA into its own pagetables leading to privilege
    escalation (bsc#1126195).
    
    Fixed an issue which could allow a malicious or buggy x86 PV guest
    kernels can mount a Denial of Service attack affecting the whole
    system (bsc#1126196).
    
    CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in
    slirp (bsc#1123157).
    
    Fixed an issue which could allow malicious PV guests may cause a host
    crash or gain access to data pertaining to other guests.Additionally,
    vulnerable configurations are likely to be unstable even in the
    absence of an attack (bsc#1126198).
    
    Fixed an issue which could allow malicious 64bit PV guests to cause a
    host crash (bsc#1127400).
    
    Fixed an issue which could allow malicious or buggy guests with passed
    through PCI devices to be able to escalate their privileges, crash the
    host, or access data belonging to other guests. Additionally memory
    leaks were also possible (bsc#1126140).
    
    Fixed a race condition issue which could allow malicious PV guests to
    escalate their privilege to that of the hypervisor (bsc#1126141).
    
    CVE-2019-9824: Fixed an information leak in SLiRP networking
    implementation which could allow a user/process to read uninitialised
    stack memory contents (bsc#1129623).
    
    Other issues fixed: Fixed an issue where VMs crashing when migrating
    between dom0 hosts (bsc#1031382).
    
    Upstream bug fixes (bsc#1027519)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1027519"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1031382"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1123157"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126140"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126141"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126192"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126195"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126196"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126198"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1126201"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1127400"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1129623"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-6778/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-9824/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-201914001-1.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?6757a2c0"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Software Development Kit 11-SP4:zypper in -t
    patch sdksp4-xen-14001=1
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-xen-14001=1
    
    SUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch
    dbgsp4-xen-14001=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-doc-html");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-default");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-kmp-pae");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:xen-tools-domU");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/04/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/04/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = eregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    if (cpu >!< "i386|i486|i586|i686|x86_64") audit(AUDIT_ARCH_NOT, "i386 / i486 / i586 / i686 / x86_64", cpu);
    
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! ereg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-kmp-default-4.4.4_40_3.0.101_108.87-61.43.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-libs-4.4.4_40-61.43.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-tools-domU-4.4.4_40-61.43.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-4.4.4_40-61.43.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-doc-html-4.4.4_40-61.43.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-libs-32bit-4.4.4_40-61.43.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-tools-4.4.4_40-61.43.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"x86_64", reference:"xen-kmp-pae-4.4.4_40_3.0.101_108.87-61.43.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-kmp-default-4.4.4_40_3.0.101_108.87-61.43.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-libs-4.4.4_40-61.43.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-tools-domU-4.4.4_40-61.43.2")) flag++;
    if (rpm_check(release:"SLES11", sp:"4", cpu:"i586", reference:"xen-kmp-pae-4.4.4_40_3.0.101_108.87-61.43.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "xen");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0845-1.NASL
    descriptionThis update for qemu fixes the following issues : CVE-2020-7039: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1161066). CVE-2019-15034: Fixed a buffer overflow in hw/display/bochs-display.c due to improper PCI config space allocation (bsc#1166379). CVE-2020-1711: Fixed an out of bounds heap buffer access iscsi_co_block_status() routine which could have allowed a remote denial of service or arbitrary code with privileges of the QEMU process on the host (bsc#1166240). CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() routine while emulating the identification protocol and copying message data to a socket buffer (bsc#1123156). CVE-2020-8608: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1163018). CVE-2019-20382: Fixed a memory leak in the VNC display driver which could have led to exhaustion of the host memory leading to a potential Denial of service (bsc#1165776). Fixed live migration errors (bsc#1154790, bsc#1156794, bsc#1156642). Fixed an issue where migrating VMs on KVM gets missing features:ospke error (bsc#1162729). Fixed an issue where booting up a guest system with mdev passthrough device as installation device was failing (bsc#1158880). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-07
    modified2020-04-02
    plugin id135169
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135169
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2020:0845-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2020:0845-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135169);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/21");
    
      script_cve_id("CVE-2019-15034", "CVE-2019-20382", "CVE-2019-6778", "CVE-2020-1711", "CVE-2020-7039", "CVE-2020-8608");
    
      script_name(english:"SUSE SLES12 Security Update : qemu (SUSE-SU-2020:0845-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "This update for qemu fixes the following issues :
    
    CVE-2020-7039: Fixed a heap buffer overflow in tcp_emu() routine while
    emulating IRC and other protocols (bsc#1161066).
    
    CVE-2019-15034: Fixed a buffer overflow in hw/display/bochs-display.c
    due to improper PCI config space allocation (bsc#1166379).
    
    CVE-2020-1711: Fixed an out of bounds heap buffer access
    iscsi_co_block_status() routine which could have allowed a remote
    denial of service or arbitrary code with privileges of the QEMU
    process on the host (bsc#1166240).
    
    CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() routine while
    emulating the identification protocol and copying message data to a
    socket buffer (bsc#1123156).
    
    CVE-2020-8608: Fixed a heap buffer overflow in tcp_emu() routine while
    emulating IRC and other protocols (bsc#1163018).
    
    CVE-2019-20382: Fixed a memory leak in the VNC display driver which
    could have led to exhaustion of the host memory leading to a potential
    Denial of service (bsc#1165776).
    
    Fixed live migration errors (bsc#1154790, bsc#1156794, bsc#1156642).
    
    Fixed an issue where migrating VMs on KVM gets missing features:ospke
    error (bsc#1162729).
    
    Fixed an issue where booting up a guest system with mdev passthrough
    device as installation device was failing (bsc#1158880).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1123156"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1154790"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1156642"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1156794"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1158880"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1161066"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1162161"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1162729"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1163018"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1165776"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1166240"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1166379"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-15034/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-20382/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-6778/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2020-1711/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2020-7039/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2020-8608/"
      );
      # https://www.suse.com/support/update/announcement/2020/suse-su-20200845-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?0287d340"
      );
      script_set_attribute(
        attribute:"solution",
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 12-SP5:zypper in -t patch
    SUSE-SLE-SERVER-12-SP5-2020-845=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-8608");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-alsa");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-alsa-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-oss");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-oss-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-pa");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-pa-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-sdl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-audio-sdl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-curl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-iscsi");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-iscsi-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-rbd-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-ssh");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-block-ssh-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-guest-agent-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-lang");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-s390-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-tools-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ui-curses");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ui-curses-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ui-gtk");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ui-gtk-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ui-sdl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-ui-sdl-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:qemu-x86");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/03/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/01");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/02");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(5)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP5", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"5", cpu:"x86_64", reference:"qemu-block-rbd-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", cpu:"x86_64", reference:"qemu-block-rbd-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", cpu:"x86_64", reference:"qemu-x86-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", cpu:"s390x", reference:"qemu-s390-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", cpu:"s390x", reference:"qemu-s390-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-audio-alsa-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-audio-alsa-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-audio-oss-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-audio-oss-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-audio-pa-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-audio-pa-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-audio-sdl-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-audio-sdl-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-block-curl-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-block-curl-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-block-iscsi-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-block-iscsi-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-block-ssh-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-block-ssh-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-debugsource-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-guest-agent-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-guest-agent-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-lang-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-tools-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-tools-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-ui-curses-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-ui-curses-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-ui-gtk-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-ui-gtk-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-ui-sdl-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-ui-sdl-debuginfo-3.1.1.1-3.9.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"5", reference:"qemu-kvm-3.1.1.1-3.9.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-13962-1.NASL
    descriptionThis update for kvm fixes the following issues : Security issues fixed : CVE-2019-6778: Fixed a heap buffer overflow issue in the SLiRP networking implementation (bsc#1123156). CVE-2018-19489: Fixed a denial of service vulnerability in virtfs (bsc#1117275). CVE-2018-19364: Fixed a use-after-free if the virtfs interface resulting in a denial of service (bsc#1116717). Non-security issue fixed: Fixed LAPIC TSC deadline timer save/restore (bsc#1109544) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122313
    published2019-02-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122313
    titleSUSE SLES11 Security Update : kvm (SUSE-SU-2019:13962-1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2019:13962-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(122313);
      script_version("1.4");
      script_cvs_date("Date: 2020/02/10");
    
      script_cve_id("CVE-2018-19364", "CVE-2018-19489", "CVE-2019-6778");
    
      script_name(english:"SUSE SLES11 Security Update : kvm (SUSE-SU-2019:13962-1)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for kvm fixes the following issues :
    
    Security issues fixed :
    
    CVE-2019-6778: Fixed a heap buffer overflow issue in the SLiRP
    networking implementation (bsc#1123156).
    
    CVE-2018-19489: Fixed a denial of service vulnerability in virtfs
    (bsc#1117275).
    
    CVE-2018-19364: Fixed a use-after-free if the virtfs interface
    resulting in a denial of service (bsc#1116717).
    
    Non-security issue fixed: Fixed LAPIC TSC deadline timer save/restore
    (bsc#1109544)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1109544"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1116717"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1117275"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1123156"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19364/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-19489/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2019-6778/"
      );
      # https://www.suse.com/support/update/announcement/2019/suse-su-201913962-1.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ee5fa190"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE Linux Enterprise Server 11-SP4:zypper in -t patch
    slessp4-kvm-13962=1"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:kvm");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/12/13");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/02/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/19");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLES11)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLES11", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES11" && (! preg(pattern:"^(4)$", string:sp))) audit(AUDIT_OS_NOT, "SLES11 SP4", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES11", sp:"4", reference:"kvm-1.4.2-60.21.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kvm");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2227.NASL
    descriptionAccording to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.(CVE-2019-6778) - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.(CVE-2015-7549) - The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control.(CVE-2016-2841) - Memory leak in QEMU (aka Quick Emulator), when built with USB EHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the device.(CVE-2017-9374) - Integer overflow in the macro ROUND_UP (n, d) in Quick Emulator (Qemu) allows a user to cause a denial of service (Qemu process crash).(CVE-2017-18043) - Memory leak in the serial_exit_core function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption and QEMU process crash) via a large number of device unplug operations.(CVE-2017-5579) - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.(CVE-2015-4037) - The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.(CVE-2016-7908) - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information.(CVE-2013-4544) - Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.(CVE-2016-2538) - Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.(CVE-2018-10839) - Memory leak in QEMU (aka Quick Emulator), when built with IDE AHCI Emulation support, allows local guest OS privileged users to cause a denial of service (memory consumption) by repeatedly hot-unplugging the AHCI device.(CVE-2017-9373) - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c) in QEMU 3.0.0 uses uninitialized data in an snprintf call, leading to Information disclosure.(CVE-2019-9824) - QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.(CVE-2017-9503) - Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via vectors related to migrating ports.(CVE-2013-4526) - Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.(CVE-2013-4530) - Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image.(CVE-2013-4539) - Buffer overflow in scoop_gpio_handler_update in QEMU before 1.7.2 might allow remote attackers to execute arbitrary code via a large (1) prev_level, (2) gpio_level, or (3) gpio_dir value in a savevm image.(CVE-2013-4540) - The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local OS guest privileged users to cause a denial of service (infinite loop and QEMU process crash) via vectors involving the transfer mode register during multi block transfer.(CVE-2017-5987) - Microarchitectural Store Buffer Data Sampling (MSBDS): Store buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12126) - Microarchitectural Load Port Data Sampling (MLPDS): Load ports on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12127) - Microarchitectural Fill Buffer Data Sampling (MFBDS): Fill buffers on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2018-12130) - Microarchitectural Data Sampling Uncacheable Memory (MDSUM): Uncacheable memory on some microprocessors utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access. A list of impacted products can be found here: https://www.intel.com/content/dam/www/public/us/en/docu ments/corporate-information/SA00233-microcode-update-gu idance_05132019.pdf(CVE-2019-11091) - interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference.(CVE-2019-12155) - Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.(CVE-2016-7161) - Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.(CVE-2015-5279) - The sdhci_sdma_transfer_multi_blocks function in hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds heap access and crash) or execute arbitrary code on the QEMU host via vectors involving the data transfer length.(CVE-2017-5667) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-08
    modified2019-11-08
    plugin id130689
    published2019-11-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/130689
    titleEulerOS 2.0 SP5 : qemu-kvm (EulerOS-SA-2019-2227)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(130689);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2013-4526",
        "CVE-2013-4530",
        "CVE-2013-4539",
        "CVE-2013-4540",
        "CVE-2013-4544",
        "CVE-2015-4037",
        "CVE-2015-5279",
        "CVE-2015-7549",
        "CVE-2016-2538",
        "CVE-2016-2841",
        "CVE-2016-7161",
        "CVE-2016-7908",
        "CVE-2017-18043",
        "CVE-2017-5579",
        "CVE-2017-5667",
        "CVE-2017-5987",
        "CVE-2017-9373",
        "CVE-2017-9374",
        "CVE-2017-9503",
        "CVE-2018-10839",
        "CVE-2018-12126",
        "CVE-2018-12127",
        "CVE-2018-12130",
        "CVE-2019-11091",
        "CVE-2019-12155",
        "CVE-2019-6778",
        "CVE-2019-9824"
      );
      script_bugtraq_id(
        66955,
        67483,
        74809
      );
    
      script_name(english:"EulerOS 2.0 SP5 : qemu-kvm (EulerOS-SA-2019-2227)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the qemu-kvm packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a
        heap-based buffer overflow.(CVE-2019-6778)
    
      - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka
        Quick Emulator) allows local guest OS privileged users
        to cause a denial of service (NULL pointer dereference
        and QEMU process crash) by leveraging failure to define
        the .write method.(CVE-2015-7549)
    
      - The ne2000_receive function in the NE2000 NIC emulation
        support (hw/net/ne2000.c) in QEMU before 2.5.1 allows
        local guest OS administrators to cause a denial of
        service (infinite loop and QEMU process crash) via
        crafted values for the PSTART and PSTOP registers,
        involving ring buffer control.(CVE-2016-2841)
    
      - Memory leak in QEMU (aka Quick Emulator), when built
        with USB EHCI Emulation support, allows local guest OS
        privileged users to cause a denial of service (memory
        consumption) by repeatedly hot-unplugging the
        device.(CVE-2017-9374)
    
      - Integer overflow in the macro ROUND_UP (n, d) in Quick
        Emulator (Qemu) allows a user to cause a denial of
        service (Qemu process crash).(CVE-2017-18043)
    
      - Memory leak in the serial_exit_core function in
        hw/char/serial.c in QEMU (aka Quick Emulator) allows
        local guest OS privileged users to cause a denial of
        service (host memory consumption and QEMU process
        crash) via a large number of device unplug
        operations.(CVE-2017-5579)
    
      - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and
        earlier creates temporary files with predictable names,
        which allows local users to cause a denial of service
        (instantiation failure) by creating /tmp/qemu-smb.*-*
        files before the program.(CVE-2015-4037)
    
      - The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU
        (aka Quick Emulator) does not properly limit the buffer
        descriptor count when transmitting packets, which
        allows local guest OS administrators to cause a denial
        of service (infinite loop and QEMU process crash) via
        vectors involving a buffer descriptor with a length of
        0 and crafted values in bd.flags.(CVE-2016-7908)
    
      - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier
        allows local guest users to cause a denial of service
        or possibly execute arbitrary code via vectors related
        to (1) RX or (2) TX queue numbers or (3) interrupt
        indices. NOTE: some of these details are obtained from
        third party information.(CVE-2013-4544)
    
      - Multiple integer overflows in the USB Net device
        emulator (hw/usb/dev-network.c) in QEMU before 2.5.1
        allow local guest OS administrators to cause a denial
        of service (QEMU process crash) or obtain sensitive
        host memory information via a remote NDIS control
        message packet that is mishandled in the (1)
        rndis_query_response, (2) rndis_set_response, or (3)
        usb_net_handle_dataout function.(CVE-2016-2538)
    
      - Qemu emulator <= 3.0.0 built with the NE2000 NIC
        emulation support is vulnerable to an integer overflow,
        which could lead to buffer overflow issue. It could
        occur when receiving packets over the network. A user
        inside guest could use this flaw to crash the Qemu
        process resulting in DoS.(CVE-2018-10839)
    
      - Memory leak in QEMU (aka Quick Emulator), when built
        with IDE AHCI Emulation support, allows local guest OS
        privileged users to cause a denial of service (memory
        consumption) by repeatedly hot-unplugging the AHCI
        device.(CVE-2017-9373)
    
      - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c)
        in QEMU 3.0.0 uses uninitialized data in an snprintf
        call, leading to Information disclosure.(CVE-2019-9824)
    
      - QEMU (aka Quick Emulator), when built with MegaRAID SAS
        8708EM2 Host Bus Adapter emulation support, allows
        local guest OS privileged users to cause a denial of
        service (NULL pointer dereference and QEMU process
        crash) via vectors involving megasas command
        processing.(CVE-2017-9503)
    
      - Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2
        allows remote attackers to cause a denial of service
        and possibly execute arbitrary code via vectors related
        to migrating ports.(CVE-2013-4526)
    
      - Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2
        allows remote attackers to cause a denial of service or
        possibly execute arbitrary code via crafted
        tx_fifo_head and rx_fifo_head values in a savevm
        image.(CVE-2013-4530)
    
      - Multiple buffer overflows in the tsc210x_load function
        in hw/input/tsc210x.c in QEMU before 1.7.2 might allow
        remote attackers to execute arbitrary code via a
        crafted (1) precision, (2) nextprecision, (3) function,
        or (4) nextfunction value in a savevm
        image.(CVE-2013-4539)
    
      - Buffer overflow in scoop_gpio_handler_update in QEMU
        before 1.7.2 might allow remote attackers to execute
        arbitrary code via a large (1) prev_level, (2)
        gpio_level, or (3) gpio_dir value in a savevm
        image.(CVE-2013-4540)
    
      - The sdhci_sdma_transfer_multi_blocks function in
        hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local
        OS guest privileged users to cause a denial of service
        (infinite loop and QEMU process crash) via vectors
        involving the transfer mode register during multi block
        transfer.(CVE-2017-5987)
    
      - Microarchitectural Store Buffer Data Sampling (MSBDS):
        Store buffers on some microprocessors utilizing
        speculative execution may allow an authenticated user
        to potentially enable information disclosure via a side
        channel with local access. A list of impacted products
        can be found here:
        https://www.intel.com/content/dam/www/public/us/en/docu
        ments/corporate-information/SA00233-microcode-update-gu
        idance_05132019.pdf(CVE-2018-12126)
    
      - Microarchitectural Load Port Data Sampling (MLPDS):
        Load ports on some microprocessors utilizing
        speculative execution may allow an authenticated user
        to potentially enable information disclosure via a side
        channel with local access. A list of impacted products
        can be found here:
        https://www.intel.com/content/dam/www/public/us/en/docu
        ments/corporate-information/SA00233-microcode-update-gu
        idance_05132019.pdf(CVE-2018-12127)
    
      - Microarchitectural Fill Buffer Data Sampling (MFBDS):
        Fill buffers on some microprocessors utilizing
        speculative execution may allow an authenticated user
        to potentially enable information disclosure via a side
        channel with local access. A list of impacted products
        can be found here:
        https://www.intel.com/content/dam/www/public/us/en/docu
        ments/corporate-information/SA00233-microcode-update-gu
        idance_05132019.pdf(CVE-2018-12130)
    
      - Microarchitectural Data Sampling Uncacheable Memory
        (MDSUM): Uncacheable memory on some microprocessors
        utilizing speculative execution may allow an
        authenticated user to potentially enable information
        disclosure via a side channel with local access. A list
        of impacted products can be found here:
        https://www.intel.com/content/dam/www/public/us/en/docu
        ments/corporate-information/SA00233-microcode-update-gu
        idance_05132019.pdf(CVE-2019-11091)
    
      - interface_release_resource in hw/display/qxl.c in QEMU
        4.0.0 has a NULL pointer dereference.(CVE-2019-12155)
    
      - Heap-based buffer overflow in the .receive callback of
        xlnx.xps-ethernetlite in QEMU (aka Quick Emulator)
        allows attackers to execute arbitrary code on the QEMU
        host via a large ethlite packet.(CVE-2016-7161)
    
      - Heap-based buffer overflow in the ne2000_receive
        function in hw/net/ne2000.c in QEMU before 2.4.0.1
        allows guest OS users to cause a denial of service
        (instance crash) or possibly execute arbitrary code via
        vectors related to receiving packets.(CVE-2015-5279)
    
      - The sdhci_sdma_transfer_multi_blocks function in
        hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local
        guest OS privileged users to cause a denial of service
        (out-of-bounds heap access and crash) or execute
        arbitrary code on the QEMU host via vectors involving
        the data transfer length.(CVE-2017-5667)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2227
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?95b359a0");
      script_set_attribute(attribute:"solution", value:
    "Update the affected qemu-kvm packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-img");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm-common");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["qemu-img-1.5.3-156.5.h14.eulerosv2r7",
            "qemu-kvm-1.5.3-156.5.h14.eulerosv2r7",
            "qemu-kvm-common-1.5.3-156.5.h14.eulerosv2r7"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-kvm");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2352.NASL
    descriptionAccording to the versions of the qemu-kvm packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.(CVE-2019-6778) - A flaw was found in QEMU
    last seen2020-06-01
    modified2020-06-02
    plugin id131517
    published2019-12-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131517
    titleEulerOS Virtualization for ARM 64 3.0.3.0 : qemu-kvm (EulerOS-SA-2019-2352)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(131517);
      script_version("1.2");
      script_cvs_date("Date: 2019/12/10");
    
      script_cve_id(
        "CVE-2018-16872",
        "CVE-2018-19364",
        "CVE-2018-19489",
        "CVE-2019-3812",
        "CVE-2019-6778"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.3.0 : qemu-kvm (EulerOS-SA-2019-2352)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the qemu-kvm packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a
        heap-based buffer overflow.(CVE-2019-6778)
    
      - A flaw was found in QEMU's Media Transfer Protocol
        (MTP). The code opening files in usb_mtp_get_object and
        usb_mtp_get_partial_object and directories in
        usb_mtp_object_readdir doesn't consider that the
        underlying filesystem may have changed since the time
        lstat(2) was called in usb_mtp_object_alloc, a
        classical TOCTTOU problem. An attacker with write
        access to the host filesystem, shared with a guest, can
        use this property to navigate the host filesystem in
        the context of the QEMU process and read any file the
        QEMU process has access to. Access to the filesystem
        may be local or via a network share protocol such as
        CIFS.(CVE-2018-16872)
    
      - hw/9pfs/cofile.c and hw/9pfs/9p.c in QEMU can modify an
        fid path while it is being accessed by a second thread,
        leading to (for example) a use-after-free
        outcome.(CVE-2018-19364)
    
      - v9fs_wstat in hw/9pfs/9p.c in QEMU allows guest OS
        users to cause a denial of service (crash) because of a
        race condition during file renaming.(CVE-2018-19489)
    
      - QEMU, through version 2.10 and through version 3.1.0,
        is vulnerable to an out-of-bounds read of up to 128
        bytes in the hw/i2c/i2c-ddc.c:i2c_ddc() function. A
        local attacker with permission to execute i2c commands
        could exploit this to read stack memory of the qemu
        process on the host.(CVE-2019-3812)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2352
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?47616c15");
      script_set_attribute(attribute:"solution", value:
    "Update the affected qemu-kvm packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2019/12/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/12/03");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-img");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm-common");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:qemu-kvm-tools");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.3.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.3.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.3.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["qemu-img-2.8.1-30.092",
            "qemu-kvm-2.8.1-30.092",
            "qemu-kvm-common-2.8.1-30.092",
            "qemu-kvm-tools-2.8.1-30.092"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-kvm");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1430.NASL
    descriptionAccording to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.(CVE-2020-8608) - This vulnerability has been modified since it was last analyzed by the NVD. It is awaiting reanalysis which may result in further changes to the information provided.(CVE-2019-11135) - tcp_emu in tcp_subr.c in libslirp 4.1.0, as used in QEMU 4.2.0, mismanages memory, as demonstrated by IRC DCC commands in EMU_IRC. This can cause a heap-based buffer overflow or other out-of-bounds access which can lead to a DoS or potential execute arbitrary code.(CVE-2020-7039) - ip_reass in ip_input.c in libslirp 4.0.0 has a heap-based buffer overflow via a large packet because it mishandles a case involving the first fragment.(CVE-2019-14378) - Integer overflow in the VNC display driver in QEMU before 2.1.0 allows attachers to cause a denial of service (process crash) via a CLIENT_CUT_TEXT message, which triggers an infinite loop.(CVE-2015-5239) - Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.(CVE-2015-5745) - The ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows attackers to cause a denial of service (infinite loop and instance crash) or possibly execute arbitrary code via vectors related to receiving packets.(CVE-2015-5278) - The process_tx_desc function in hw/net/e1000.c in QEMU before 2.4.0.1 does not properly process transmit descriptor data when sending a network packet, which allows attackers to cause a denial of service (infinite loop and guest crash) via unspecified vectors.(CVE-2015-6815) - Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.(CVE-2015-5279) - Heap-based buffer overflow in the .receive callback of xlnx.xps-ethernetlite in QEMU (aka Quick Emulator) allows attackers to execute arbitrary code on the QEMU host via a large ethlite packet.(CVE-2016-7161) - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier allows local guest users to cause a denial of service or possibly execute arbitrary code via vectors related to (1) RX or (2) TX queue numbers or (3) interrupt indices. NOTE: some of these details are obtained from third party information.(CVE-2013-4544) - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and earlier creates temporary files with predictable names, which allows local users to cause a denial of service (instantiation failure) by creating /tmp/qemu-smb.*-* files before the program.(CVE-2015-4037) - hw/ide/core.c in QEMU does not properly restrict the commands accepted by an ATAPI device, which allows guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash.(CVE-2015-6855) - hw/virtio/virtio.c in the Virtual Network Device (virtio-net) support in QEMU, when big or mergeable receive buffers are not supported, allows remote attackers to cause a denial of service (guest network consumption) via a flood of jumbo frames on the (1) tuntap or (2) macvtap interface.(CVE-2015-7295) - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method.(CVE-2015-7549) - The eepro100 emulator in QEMU qemu-kvm blank allows local guest users to cause a denial of service (application crash and infinite loop) via vectors involving the command block list.(CVE-2015-8345) - Qemu, when built with VNC display driver support, allows remote attackers to cause a denial of service (arithmetic exception and application crash) via crafted SetPixelFormat messages from a client.(CVE-2015-8504) - The ehci_process_itd function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular isochronous transfer descriptor (iTD) list.(CVE-2015-8558) - Memory leak in net/vmxnet3.c in QEMU allows remote attackers to cause a denial of service (memory consumption).(CVE-2015-8567) - Memory leak in QEMU, when built with a VMWARE VMXNET3 paravirtual NIC emulator support, allows local guest users to cause a denial of service (host memory consumption) by trying to activate the vmxnet3 device repeatedly.(CVE-2015-8568) - Stack-based buffer overflow in the megasas_ctrl_get_info function in QEMU, when built with SCSI MegaRAID SAS HBA emulation support, allows local guest users to cause a denial of service (QEMU instance crash) via a crafted SCSI controller CTRL_GET_INFO command.(CVE-2015-8613) - Use-after-free vulnerability in hw/ide/ahci.c in QEMU, when built with IDE AHCI Emulation support, allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via an invalid AHCI Native Command Queuing (NCQ) AIO command.(CVE-2016-1568) - QEMU (aka Quick Emulator) built with the USB EHCI emulation support is vulnerable to a null pointer dereference flaw. It could occur when an application attempts to write to EHCI capabilities registers. A privileged user inside quest could use this flaw to crash the QEMU process instance resulting in DoS.(CVE-2016-2198) - The ohci_bus_start function in the USB OHCI emulation support (hw/usb/hcd-ohci.c) in QEMU allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors related to multiple eof_timers.(CVE-2016-2391) - The is_rndis function in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 does not properly validate USB configuration descriptor objects, which allows local guest OS administrators to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving a remote NDIS control message packet.(CVE-2016-2392) - Multiple integer overflows in the USB Net device emulator (hw/usb/dev-network.c) in QEMU before 2.5.1 allow local guest OS administrators to cause a denial of service (QEMU process crash) or obtain sensitive host memory information via a remote NDIS control message packet that is mishandled in the (1) rndis_query_response, (2) rndis_set_response, or (3) usb_net_handle_dataout function.(CVE-2016-2538) - The ne2000_receive function in the NE2000 NIC emulation support (hw/net/ne2000.c) in QEMU before 2.5.1 allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via crafted values for the PSTART and PSTOP registers, involving ring buffer control.(CVE-2016-2841) - QEMU, when built with the Pseudo Random Number Generator (PRNG) back-end support, allows local guest OS users to cause a denial of service (process crash) via an entropy request, which triggers arbitrary stack based allocation and memory corruption.(CVE-2016-2858) - Buffer overflow in the stellaris_enet_receive function in hw/net/stellaris_enet.c in QEMU, when the Stellaris ethernet controller is configured to accept large packets, allows remote attackers to cause a denial of service (QEMU crash) via a large packet.(CVE-2016-4001) - Buffer overflow in the mipsnet_receive function in hw/net/mipsnet.c in QEMU, when the guest NIC is configured to accept large packets, allows remote attackers to cause a denial of service (memory corruption and QEMU crash) or possibly execute arbitrary code via a packet larger than 1514 bytes.(CVE-2016-4002) - The ehci_advance_state function in hw/usb/hcd-ehci.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via a circular split isochronous transfer descriptor (siTD) list, a related issue to CVE-2015-8558.(CVE-2016-4037) - The vmsvga_fifo_run function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a VGA command.(CVE-2016-4453) - The vmsvga_fifo_read_raw function in hw/display/vmware_vga.c in QEMU allows local guest OS administrators to obtain sensitive host memory information or cause a denial of service (QEMU process crash) by changing FIFO registers and issuing a VGA command, which triggers an out-of-bounds read.(CVE-2016-4454) - The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.(CVE-2016-6834) - The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.(CVE-2016-6835) - The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.(CVE-2016-6836) - Integer overflow in the net_tx_pkt_init function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU process crash) via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.(CVE-2016-6888) - Directory traversal vulnerability in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to access host files outside the export path via a .. (dot dot) in an unspecified string.(CVE-2016-7116) - The pvscsi_ring_pop_req_descr function in hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit process IO loop to the ring size.(CVE-2016-7421) - The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU (aka Quick Emulator) does not properly limit the buffer descriptor count when transmitting packets, which allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via vectors involving a buffer descriptor with a length of 0 and crafted values in bd.flags.(CVE-2016-7908) - The pcnet_rdra_addr function in hw/net/pcnet.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by setting the (1) receive or (2) transmit descriptor ring length to 0.(CVE-2016-7909) - The xhci_ring_fetch function in hw/usb/hcd-xhci.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) by leveraging failure to limit the number of link Transfer Request Blocks (TRB) to process.(CVE-2016-8576) - The serial_update_parameters function in hw/char/serial.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (divide-by-zero error and QEMU process crash) via vectors involving a value of divider greater than baud base.(CVE-2016-8669) - The intel_hda_xfer function in hw/audio/intel-hda.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) via an entry with the same value for buffer length and pointer position.(CVE-2016-8909) - The rtl8139_cplus_transmit function in hw/net/rtl8139.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and CPU consumption) by leveraging failure to limit the ring descriptor count.(CVE-2016-8910) - Memory leak in the v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) via a large number of Txattrcreate messages with the same fid number.(CVE-2016-9102) - The v9fs_xattrcreate function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host heap memory information by reading xattribute values before writing to them.(CVE-2016-9103) - Multiple integer overflows in the (1) v9fs_xattr_read and (2) v9fs_xattr_write functions in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allow local guest OS administrators to cause a denial of service (QEMU process crash) via a crafted offset, which triggers an out-of-bounds access.(CVE-2016-9104) - Memory leak in the v9fs_link function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) via vectors involving a reference to the source fid object.(CVE-2016-9105) - Memory leak in the v9fs_write function in hw/9pfs/9p.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (memory consumption) by leveraging failure to free an IO vector.(CVE-2016-9106) - Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a
    last seen2020-05-06
    modified2020-04-15
    plugin id135559
    published2020-04-15
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135559
    titleEulerOS 2.0 SP3 : qemu-kvm (EulerOS-SA-2020-1430)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0921-1.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : Fixed an issue which could allow malicious PV guests may cause a host crash or gain access to data pertaining to other guests.Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack (bsc#1126198). Fixed multiple access violations introduced by XENMEM_exchange hypercall which could allow a single PV guest to leak arbitrary amounts of memory, leading to a denial of service (bsc#1126192). Fixed an issue which could allow a malicious unprivileged guest userspace process to escalate its privilege to that of other userspace processes in the same guest and potentially thereby to that of the guest operating system (bsc#1126201). Fixed an issue which could allow a malicious or buggy x86 PV guest kernels can mount a Denial of Service attack affecting the whole system (bsc#1126196). Fixed an issue which could allow an untrusted PV domain with access to a physical device to DMA into its own pagetables leading to privilege escalation (bsc#1126195). CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in slirp (bsc#1123157). Fixed an issue which could allow malicious 64bit PV guests to cause a host crash (bsc#1127400). Fixed an issue which could allow malicious or buggy guests with passed through PCI devices to be able to escalate their privileges, crash the host, or access data belonging to other guests. Additionally memory leaks were also possible (bsc#1126140). Fixed a race condition issue which could allow malicious PV guests to escalate their privilege to that of the hypervisor (bsc#1126141). CVE-2019-9824: Fixed an information leak in SLiRP networking implementation which could allow a user/process to read uninitialised stack memory contents (bsc#1129623). CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host, resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988) Other issue addressed: Added Xen cmdline option
    last seen2020-06-01
    modified2020-06-02
    plugin id123993
    published2019-04-11
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123993
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2019:0921-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0457-1.NASL
    descriptionThis update for qemu fixes the following issues : Security issues fixed : CVE-2019-6778: Fixed a heap buffer overflow issue in the SLiRP networking implementation (bsc#1123156). CVE-2018-19489: Fixed a denial of service vulnerability in virtfs (bsc#1117275). CVE-2018-19364: Fixed a use-after-free if the virtfs interface resulting in a denial of service (bsc#1116717). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122397
    published2019-02-22
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122397
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2019:0457-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-2223-1.NASL
    descriptionThis is a version update for podman to version 1.4.4 (bsc#1143386). Additional changes by SUSE on top : Remove fuse-overlayfs because it
    last seen2020-06-01
    modified2020-06-02
    plugin id128302
    published2019-08-28
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128302
    titleSUSE SLES15 Security Update : podman, slirp4netns / libcontainers-common (SUSE-SU-2019:2223-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4454.NASL
    descriptionMultiple security issues were discovered in QEMU, a fast processor emulator, which could result in denial of service, the execution of arbitrary code or information disclosure. In addition this update backports support to passthrough the new md-clear CPU flag added in the intel-microcode update shipped in DSA 4447 to x86-based guests.
    last seen2020-06-01
    modified2020-06-02
    plugin id125609
    published2019-05-31
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125609
    titleDebian DSA-4454-1 : qemu - security update
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0211_QEMU-KVM.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.06, has qemu-kvm packages installed that are affected by multiple vulnerabilities: - m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. (CVE-2018-11806) - Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS. (CVE-2018-10839) - Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. (CVE-2018-17962) - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap- based buffer overflow. (CVE-2019-6778) - interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference. (CVE-2019-12155) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id131771
    published2019-12-06
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131771
    titleNewStart CGSL MAIN 4.06 : qemu-kvm Multiple Vulnerabilities (NS-SA-2019-0211)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0582-1.NASL
    descriptionThis update for qemu fixes the following issues : Security vulnerabilities addressed : CVE-2019-6778: Fixed an out-of-bounds access in slirp (bsc#1123156) CVE-2018-16872: Fixed a host security vulnerability related to handling symlinks in usb-mtp (bsc#1119493) CVE-2018-19489: Fixed a Denial-of-Service in virtfs (bsc#1117275) CVE-2018-19364: Fixed an use-after-free vulnerability if virtfs interface is deliberately abused (bsc#1116717) CVE-2018-18954: Fixed an out-of-bounds access performing PowerNV memory operations (bsc#1114957) CVE-2017-13673: Fixed a reachable assert failure during during display update (bsc#1056386) CVE-2017-13672: Fixed an out-of-bounds read access during display update (bsc#1056334) CVE-2018-7858: Fixed an out-of-bounds access in cirrus when updating vga display allowing for Denial-of-Service (bsc#1084604) Other bug fixes and changes: Fix pwrite64/pread64/write to return 0 over -1 for a zero length NULL buffer in qemu (bsc#1121600) Fix bad guest time after migration (bsc#1113231) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122776
    published2019-03-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122776
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2019:0582-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190729_QEMU_KVM_ON_SL7_X.NASL
    descriptionKernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-ma packages provide the user-space component for running virtual machines that use KVM on the IBM z Systems, IBM Power, and 64-bit ARM architectures. Security Fix(es) : - QEMU: device_tree: heap buffer overflow while loading device tree blob (CVE-2018-20815) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Bug Fix(es) : - As newer machine remove csske feature, detection of the processor fail and machine used old version as fallback. This update make feature conditional so detection of newer cpu works properly. (BZ#1720262)
    last seen2020-03-18
    modified2019-08-12
    plugin id127728
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127728
    titleScientific Linux Security Update : qemu-kvm on SL7.x x86_64 (20190729)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-2892.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams (CVE-2018-11806) * QEMU: slirp: heap buffer overflow in tcp_emu() (CVE-2019-6778) * QEMU: ne2000: integer overflow leads to buffer overflow issue (CVE-2018-10839) * QEMU: pcnet: integer overflow leads to buffer overflow (CVE-2018-17962) * QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id129473
    published2019-10-01
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129473
    titleCentOS 6 : qemu-kvm (CESA-2019:2892)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2019-0045.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - kvm-slirp-fix-big-little-endian-conversion-in-ident-prot .patch - kvm-slirp-ensure-there-is-enough-space-in-mbuf-to-null-t .patch - kvm-slirp-don-t-manipulate-so_rcv-in-tcp_emu.patch [bz#1669066] - kvm-qxl-check-release-info-object.patch [bz#1712728] - kvm-net-Use-iov-helper-functions.patch [bz#1636415] - kvm-net-increase-buffer-size-to-accommodate-Jumbo-frame- .patch - kvm-net-ignore-packet-size-greater-than-INT_MAX.patch [bz#1636415] - kvm-net-drop-too-large-packet-early.patch [bz#1636415] - kvm-PATCH-slirp-fix-buffer-overrun.patch [bz#1586251] - kvm-Fix-build-from-previous-commit.patch [bz#1586251] - kvm-slirp-remove-mbuf-m_hdr-m_dat-indirection.patch [bz#1586251] - kvm-slirp-Convert-mbufs-to-use-g_malloc-and-g_free.patch [bz#1586251] - kvm-slirp-correct-size-computation-while-concatenating-m .patch - kvm-pcnet-fix-possible-buffer-overflow.patch [bz#1636774] - Resolves: bz#1586251 (CVE-2018-11806 qemu-kvm: QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams [rhel-6.10.z]) - Resolves: bz#1636415 (CVE-2018-10839 qemu-kvm: Qemu: ne2000: integer overflow leads to buffer overflow issue [rhel-6]) - Resolves: bz#1636774 (CVE-2018-17962 qemu-kvm: Qemu: pcnet: integer overflow leads to buffer overflow [rhel-6]) - Resolves: bz#1669066 (CVE-2019-6778 qemu-kvm: QEMU: slirp: heap buffer overflow in tcp_emu [rhel-6.10.z]) - Resolves: bz#1712728 (CVE-2019-12155 qemu-kvm: QEMU: qxl: null pointer dereference while releasing spice resources [rhel-6])
    last seen2020-06-01
    modified2020-06-02
    plugin id129370
    published2019-09-26
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129370
    titleOracleVM 3.4 : qemu-kvm (OVMSA-2019-0045)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-0664C7724D.NASL
    description - fix crash with virgl enabled (bz #1692323) - linux-user: make pwrite64/pread64(fd, NULL, 0, offset) return 0 (bz #1174267) - Fix build with latest gluster (bz #1684298) - CVE-2018-20123: pvrdma: memory leakage in device hotplug (bz #1658964) - CVE-2018-16872: usb-mtp: path traversal issue (bz #1659150) - CVE-2018-20191: pvrdma: uar_read leads to NULL deref (bz #1660315) - CVE-2019-6501: scsi-generic: possible OOB access (bz #1669005) - CVE-2019-6778: slirp: heap buffer overflow (bz #1669072) - CVE-2019-3812: Out-of-bounds read in hw/i2c/i2c-ddc.c allows for memory disclosure (bz #1678081) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id124467
    published2019-05-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124467
    titleFedora 30 : 2:qemu (2019-0664c7724d)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0471-1.NASL
    descriptionThis update for qemu fixes the following issues : Security issue fixed : CVE-2019-6778: Fixed a heap buffer overflow issue in the SLiRP networking implementation (bsc#1123156). CVE-2018-16872: Fixed a host security vulnerability related to handling symlinks in usb-mtp (bsc#1119493). CVE-2018-19489: Fixed a denial of service vulnerability in virtfs (bsc#1117275). CVE-2018-19364: Fixed a use-after-free if the virtfs interface resulting in a denial of service (bsc#1116717). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122419
    published2019-02-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122419
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2019:0471-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1694.NASL
    descriptionSeveral vulnerabilities were found in QEMU, a fast processor emulator : CVE-2018-12617 The qmp_guest_file_read function (qga/commands-posix.c) is affected by an integer overflow and subsequent memory allocation failure. This weakness might be leveraged by remote attackers to cause denial of service (application crash). CVE-2018-16872 The usb_mtp_get_object, usb_mtp_get_partial_object and usb_mtp_object_readdir functions (hw/usb/dev-mtp.c) are affected by a symlink attack. Remote attackers might leverage this vulnerability to perform information disclosure. CVE-2019-6778 The tcp_emu function (slirp/tcp_subr.c) is affected by a heap buffer overflow caused by insufficient validation of available space in the sc_rcv->sb_data buffer. Remote attackers might leverage this flaw to cause denial of service, or any other unspecified impact. For Debian 8
    last seen2020-06-01
    modified2020-06-02
    plugin id122511
    published2019-03-01
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122511
    titleDebian DLA-1694-1 : qemu security update
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-2044.NASL
    descriptionThis is a version update for podman to version 1.4.4 (bsc#1143386). Additional changes by SUSE on top : - Remove fuse-overlayfs because it
    last seen2020-06-01
    modified2020-06-02
    plugin id128458
    published2019-09-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128458
    titleopenSUSE Security Update : podman / slirp4netns and libcontainers-common (openSUSE-2019-2044)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0423-1.NASL
    descriptionThis update for qemu fixes the following issues : Security issues fixed : CVE-2019-6778: Fixed a heap buffer overflow issue in the SLiRP networking implementation (bsc#1123156). CVE-2018-16872: Fixed a host security vulnerability related to handling symlinks in usb-mtp (bsc#1119493). CVE-2018-19489: Fixed a denial of service vulnerability in virtfs (bsc#1117275). CVE-2018-19364: Fixed a use-after-free if the virtfs interface resulting in a denial of service (bsc#1116717). CVE-2018-18954: Fixed a denial of service vulnerability related to PowerPC PowerNV memory operations (bsc#1114957). Non-security issues fixed: Improved disk performance for qemu on xen (bsc#1100408). Fixed xen offline migration (bsc#1079730, bsc#1101982, bsc#1063993). Fixed pwrite64/pread64/write to return 0 over -1 for a zero length NULL buffer in qemu (bsc#1121600). Use /bin/bash to echo value into sys fs for ksm control (bsc#1112646). Return specification exception for unimplemented diag 308 subcodes rather than a hardware error (bsc#1123179). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122309
    published2019-02-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122309
    titleSUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2019:0423-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2020-468.NASL
    descriptionThis update for qemu fixes the following issues : - CVE-2020-7039: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1161066). - CVE-2019-15034: Fixed a buffer overflow in hw/display/bochs-display.c due to improper PCI config space allocation (bsc#1166379). - CVE-2020-1711: Fixed an out of bounds heap buffer access iscsi_co_block_status() routine which could have allowed a remote denial of service or arbitrary code with privileges of the QEMU process on the host (bsc#1166240). - CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() routine while emulating the identification protocol and copying message data to a socket buffer (bsc#1123156). - CVE-2020-8608: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1163018). - CVE-2019-20382: Fixed a memory leak in the VNC display driver which could have led to exhaustion of the host memory leading to a potential Denial of service (bsc#1165776). - Fixed a live migration error (bsc#1154790). - Fixed an issue where migrating VMs on KVM gets missing features:ospke error (bsc#1162729). This update was imported from the SUSE:SLE-15-SP1:Update update project.
    last seen2020-04-12
    modified2020-04-07
    plugin id135265
    published2020-04-07
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135265
    titleopenSUSE Security Update : qemu (openSUSE-2020-468)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2020-0019_QEMU-KVM.NASL
    descriptionThe remote NewStart CGSL host, running version MAIN 4.05, has qemu-kvm packages installed that are affected by multiple vulnerabilities: - m_cat in slirp/mbuf.c in Qemu has a heap-based buffer overflow via incoming fragmented datagrams. (CVE-2018-11806) - Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS. (CVE-2018-10839) - Qemu has a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used. (CVE-2018-17962) - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap- based buffer overflow. (CVE-2019-6778) - interface_release_resource in hw/display/qxl.c in QEMU 4.0.0 has a NULL pointer dereference. (CVE-2019-12155) Note that Nessus has not tested for this issue but has instead relied only on the application
    last seen2020-03-18
    modified2020-03-08
    plugin id134319
    published2020-03-08
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134319
    titleNewStart CGSL MAIN 4.05 : qemu-kvm Multiple Vulnerabilities (NS-SA-2020-0019)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1266.NASL
    descriptionAccording to the versions of the qemu-kvm packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a heap-based buffer overflow.(CVE-2019-6778) - A flaw was found in QEMU
    last seen2020-03-19
    modified2020-03-13
    plugin id134555
    published2020-03-13
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/134555
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : qemu-kvm (EulerOS-SA-2020-1266)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3923-1.NASL
    descriptionMichael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol (MTP). An attacker inside the guest could use this issue to read or write arbitrary files and cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.10. (CVE-2018-16867) Michael Hanselmann discovered that QEMU incorrectly handled the Media Transfer Protocol (MTP). An attacker inside the guest could use this issue to read arbitrary files, contrary to expectations. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16872) Zhibin Hu discovered that QEMU incorrectly handled the Plan 9 File System support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-19489) Li Quang and Saar Amar discovered multiple issues in the QEMU PVRDMA device. An attacker inside the guest could use these issues to cause a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 18.10. These issues were resolved by disabling PVRDMA support in Ubuntu 18.10. (CVE-2018-20123, CVE-2018-20124, CVE-2018-20125, CVE-2018-20126, CVE-2018-20191, CVE-2018-20216) Michael Hanselmann discovered that QEMU incorrectly handled certain i2c commands. A local attacker could possibly use this issue to read QEMU process memory. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2019-3812) It was discovered that QEMU incorrectly handled the Slirp networking back-end. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2019-6778). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123457
    published2019-03-28
    reporterUbuntu Security Notice (C) 2019-2020 Canonical, Inc. / NASL script (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123457
    titleUbuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : qemu vulnerabilities (USN-3923-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2431.NASL
    descriptionAccording to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Race condition in QEMU in Xen allows local x86 HVM guest OS administrators to gain privileges by changing certain data on shared rings, aka a
    last seen2020-05-08
    modified2019-12-04
    plugin id131585
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131585
    titleEulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2019-2431)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2019-1883.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow in tcp_emu() (CVE-2019-6778) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127471
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127471
    titleCentOS 7 : qemu-kvm (CESA-2019:1883)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-2892.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams (CVE-2018-11806) * QEMU: slirp: heap buffer overflow in tcp_emu() (CVE-2019-6778) * QEMU: ne2000: integer overflow leads to buffer overflow issue (CVE-2018-10839) * QEMU: pcnet: integer overflow leads to buffer overflow (CVE-2018-17962) * QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id129332
    published2019-09-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129332
    titleRHEL 6 : qemu-kvm (RHSA-2019:2892)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1074.NASL
    descriptionThis update for qemu fixes the following issues : Security vulnerabilities addressed : - CVE-2019-6778: Fixed an out-of-bounds access in slirp (bsc#1123156) - CVE-2018-16872: Fixed a host security vulnerability related to handling symlinks in usb-mtp (bsc#1119493) - CVE-2018-19489: Fixed a Denial-of-Service in virtfs (bsc#1117275) - CVE-2018-19364: Fixed an use-after-free vulnerability if virtfs interface is deliberately abused (bsc#1116717) - CVE-2018-18954: Fixed an out-of-bounds access performing PowerNV memory operations (bsc#1114957) - CVE-2017-13673: Fixed a reachable assert failure during during display update (bsc#1056386) - CVE-2017-13672: Fixed an out-of-bounds read access during display update (bsc#1056334) - CVE-2018-7858: Fixed an out-of-bounds access in cirrus when updating vga display allowing for Denial-of-Service (bsc#1084604) Other bug fixes and changes : - Fix pwrite64/pread64/write to return 0 over -1 for a zero length NULL buffer in qemu (bsc#1121600) - Fix bad guest time after migration (bsc#1113231) This update was imported from the SUSE:SLE-12-SP3:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id123493
    published2019-03-29
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123493
    titleopenSUSE Security Update : qemu (openSUSE-2019-1074)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1226.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : - CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host, resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988) - CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in slirp (bsc#1123157). - Fixed an issue which could allow malicious or buggy guests with passed through PCI devices to be able to escalate their privileges, crash the host, or access data belonging to other guests. Additionally memory leaks were also possible (bsc#1126140). - Fixed a race condition issue which could allow malicious PV guests to escalate their privilege to that of the hypervisor (bsc#1126141). - Fixed an issue which could allow a malicious unprivileged guest userspace process to escalate its privilege to that of other userspace processes in the same guest and potentially thereby to that of the guest operating system (bsc#1126201). - CVE-2019-9824: Fixed an information leak in SLiRP networking implementation which could allow a user/process to read uninitialised stack memory contents (bsc#1129623). - CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB flushing / improper large page mappings with AMD IOMMUs (XSA-275)(bsc#1115040). - CVE-2018-19965: Fixed denial of service issue from attempting to use INVPCID with a non-canonical addresses (XSA-279)(bsc#1115045). - CVE-2018-19966: Fixed issue introduced by XSA-240 that could have caused conflicts with shadow paging (XSA-280)(bsc#1115047). - Fixed an issue which could allow malicious PV guests may cause a host crash or gain access to data pertaining to other guests.Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack (bsc#1126198). - Fixed multiple access violations introduced by XENMEM_exchange hypercall which could allow a single PV guest to leak arbitrary amounts of memory, leading to a denial of service (bsc#1126192). - Fixed an issue which could allow malicious 64bit PV guests to cause a host crash (bsc#1127400). - Fixed an issue which could allow malicious or buggy x86 PV guest kernels to mount a Denial of Service attack affecting the whole system (bsc#1126197). - Fixed an issue which could allow an untrusted PV domain with access to a physical device to DMA into its own pagetables leading to privilege escalation (bsc#1126195). - Fixed an issue which could allow a malicious or buggy x86 PV guest kernels can mount a Denial of Service attack affecting the whole system (bsc#1126196). Other issues addressed : - Upstream bug fixes (bsc#1027519) - Fixed an issue where live migrations were failing when spectre was enabled on xen boot cmdline (bsc#1116380). - Fixed an issue where setup of grant_tables and other variables may fail (bsc#1126325). - Fixed a building issue (bsc#1119161). - Fixed an issue where xpti=no-dom0 was not working as expected (bsc#1105528). - Packages should no longer use /var/adm/fillup-templates (bsc#1069468). - Added Xen cmdline option
    last seen2020-06-01
    modified2020-06-02
    plugin id124147
    published2019-04-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/124147
    titleopenSUSE Security Update : xen (openSUSE-2019-1226)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1968.NASL
    descriptionAn update for qemu-kvm-rhev is now available for Red Hat Virtualization for Red Hat Virtualization Host 7. Red Hat Product Security has rated this update as having a Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Security Fix(es) : * CVE-2018-20815 QEMU: device_tree: heap buffer overflow while loading device tree blob * CVE-2019-6778 QEMU: slirp: heap buffer overflow in tcp_em This update fixes the following bug : * 1705364 RHV VM pauses when
    last seen2020-06-01
    modified2020-06-02
    plugin id127640
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127640
    titleRHEL 7 : Virtualization Manager (RHSA-2019:1968)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-2892.NASL
    descriptionFrom Red Hat Security Advisory 2019:2892 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams (CVE-2018-11806) * QEMU: slirp: heap buffer overflow in tcp_emu() (CVE-2019-6778) * QEMU: ne2000: integer overflow leads to buffer overflow issue (CVE-2018-10839) * QEMU: pcnet: integer overflow leads to buffer overflow (CVE-2018-17962) * QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id129329
    published2019-09-25
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129329
    titleOracle Linux 6 : qemu-kvm (ELSA-2019-2892)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0825-1.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the
    last seen2020-06-01
    modified2020-06-02
    plugin id123633
    published2019-04-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123633
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2019:0825-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-254.NASL
    descriptionThis update for qemu fixes the following issues : Security issues fixed : - CVE-2019-6778: Fixed a heap buffer overflow issue in the SLiRP networking implementation (bsc#1123156). - CVE-2018-16872: Fixed a host security vulnerability related to handling symlinks in usb-mtp (bsc#1119493). - CVE-2018-19489: Fixed a denial of service vulnerability in virtfs (bsc#1117275). - CVE-2018-19364: Fixed a use-after-free if the virtfs interface resulting in a denial of service (bsc#1116717). - CVE-2018-18954: Fixed a denial of service vulnerability related to PowerPC PowerNV memory operations (bsc#1114957). Non-security issues fixed : - Improved disk performance for qemu on xen (bsc#1100408). - Fixed xen offline migration (bsc#1079730, bsc#1101982, bsc#1063993). - Fixed pwrite64/pread64/write to return 0 over -1 for a zero length NULL buffer in qemu (bsc#1121600). - Use /bin/bash to echo value into sys fs for ksm control (bsc#1112646). - Return specification exception for unimplemented diag 308 subcodes rather than a hardware error (bsc#1123179). This update was imported from the SUSE:SLE-15:Update update project.
    last seen2020-06-01
    modified2020-06-02
    plugin id122495
    published2019-02-28
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122495
    titleopenSUSE Security Update : qemu (openSUSE-2019-254)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-1883.NASL
    descriptionFrom Red Hat Security Advisory 2019:1883 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow in tcp_emu() (CVE-2019-6778) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127605
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127605
    titleOracle Linux 7 : qemu-kvm (ELSA-2019-1883)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2020-0844-1.NASL
    descriptionThis update for qemu fixes the following issues : CVE-2020-7039: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1161066). CVE-2019-15034: Fixed a buffer overflow in hw/display/bochs-display.c due to improper PCI config space allocation (bsc#1166379). CVE-2020-1711: Fixed an out of bounds heap buffer access iscsi_co_block_status() routine which could have allowed a remote denial of service or arbitrary code with privileges of the QEMU process on the host (bsc#1166240). CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() routine while emulating the identification protocol and copying message data to a socket buffer (bsc#1123156). CVE-2020-8608: Fixed a heap buffer overflow in tcp_emu() routine while emulating IRC and other protocols (bsc#1163018). CVE-2019-20382: Fixed a memory leak in the VNC display driver which could have led to exhaustion of the host memory leading to a potential Denial of service (bsc#1165776). Fixed a live migration error (bsc#1154790). Fixed an issue where migrating VMs on KVM gets missing features:ospke error (bsc#1162729). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-04-07
    modified2020-04-02
    plugin id135168
    published2020-04-02
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135168
    titleSUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2020:0844-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-88A98CE795.NASL
    description - CVE-2018-19364: 9pfs: use-after-free (bz #1651359) - CVE-2018-19489: 9pfs: use-after-free renaming files (bz #1653157) - CVE-2018-16867: usb-mtp: path traversal issue (bz #1656746) - CVE-2018-16872: usb-mtp: path traversal issue (bz #1659150) - CVE-2018-20191: pvrdma: uar_read leads to NULL deref (bz #1660315) - CVE-2019-6778: slirp: heap buffer overflow (bz #1669072) - CVE-2019-3812: Out-of-bounds read in hw/i2c/i2c-ddc.c allows for memory disclosure (bz #1678081) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123101
    published2019-03-26
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123101
    titleFedora 29 : 2:qemu (2019-88a98ce795)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0827-1.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in slirp (bsc#1123157). CVE-2017-13672: Fixed an out of bounds read access during display update (bsc#1056336). Fixed an issue which could allow malicious or buggy guests with passed through PCI devices to be able to escalate their privileges, crash the host, or access data belonging to other guests. Additionally memory leaks were also possible (bsc#1126140) Fixed a race condition issue which could allow malicious PV guests to escalate their privilege to that of the hypervisor (bsc#1126141). CVE-2018-18849: Fixed an out of bounds msg buffer access which could lead to denial of service (bsc#1114423). Fixed an issue which could allow a malicious unprivileged guest userspace process to escalate its privilege to that of other userspace processes in the same guest and potentially thereby to that of the guest operating system (bsc#1126201). CVE-2018-17958: Fixed an integer overflow leading to a buffer overflow in the rtl8139 component (bsc#1111007) CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host, resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988) CVE-2018-19665: Fixed an integer overflow resulting in memory corruption in various Bluetooth functions, allowing this to crash qemu process resulting in Denial of Service (DoS). (bsc#1117756). CVE-2019-9824: Fixed an information leak in SLiRP networking implementation which could allow a user/process to read uninitialised stack memory contents (bsc#1129623). CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040) CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS) (XSA-280) (bsc#1115047). CVE-2018-10839: Fixed an integer overflow leading to a buffer overflow in the ne2000 component (bsc#1110924). CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045). Fixed an issue which could allow malicious 64bit PV guests to cause a host crash (bsc#1127400). Fixed an issue which could allow malicious PV guests may cause a host crash or gain access to data pertaining to other guests.Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack (bsc#1126198). Fixed multiple access violations introduced by XENMEM_exchange hypercall which could allow a single PV guest to leak arbitrary amounts of memory, leading to a denial of service (bsc#1126192). CVE-2018-17963: Fixed an integer overflow in relation to large packet sizes, leading to a denial of service (DoS). (bsc#1111014). Fixed an issue which could allow a malicious or buggy x86 PV guest kernels can mount a Denial of Service attack affecting the whole system (bsc#1126196). Fixed an issue which could allow an untrusted PV domain with access to a physical device to DMA into its own pagetables leading to privilege escalation (bsc#1126195). CVE-2018-17962: Fixed an integer overflow leading to a buffer overflow in the pcnet component (bsc#1111011) CVE-2018-18438: Fixed an integer overflow in ccid_card_vscard_read function which could lead to memory corruption (bsc#1112188). Other issues fixed: Upstream bug fixes (bsc#1027519) Fixed an issue where XEN SLE12-SP1 domU hangs on SLE12-SP3 HV1108940 (bsc#1108940). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id123634
    published2019-04-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123634
    titleSUSE SLES12 Security Update : xen (SUSE-SU-2019:0827-1)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1883.NASL
    descriptionAn update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * QEMU: slirp: heap buffer overflow in tcp_emu() (CVE-2019-6778) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id127621
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127621
    titleRHEL 7 : qemu-kvm (RHSA-2019:1883)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0489-1.NASL
    descriptionThis update for qemu fixes the following issues : Security issues fixed : CVE-2019-6778: Fixed a heap buffer overflow issue in the SLiRP networking implementation (bsc#1123156). CVE-2018-16872: Fixed a host security vulnerability related to handling symlinks in usb-mtp (bsc#1119493). CVE-2018-19489: Fixed a denial of service vulnerability in virtfs (bsc#1117275). CVE-2018-19364: Fixed a use-after-free if the virtfs interface resulting in a denial of service (bsc#1116717). CVE-2018-7858: Fixed a denial of service which could occur while updating the VGA display, after guest has adjusted the display dimensions (bsc#1084604). CVE-2017-13673: Fixed a denial of service in the cpu_physical_memory_snapshot_get_dirty function. CVE-2017-13672: Fixed a denial of service via vectors involving display update. Non-security issues fixed: Fixed bad guest time after migration (bsc#1113231). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122471
    published2019-02-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122471
    titleSUSE SLES12 Security Update : qemu (SUSE-SU-2019:0489-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0435-1.NASL
    descriptionThis update for qemu fixes the following issues : Security issues fixed : CVE-2019-6778: Fixed a heap buffer overflow issue in the SLiRP networking implementation (bsc#1123156). CVE-2018-16872: Fixed a host security vulnerability related to handling symlinks in usb-mtp (bsc#1119493). CVE-2018-19489: Fixed a denial of service vulnerability in virtfs (bsc#1117275). CVE-2018-19364: Fixed a use-after-free if the virtfs interface resulting in a denial of service (bsc#1116717). CVE-2018-18954: Fixed a denial of service vulnerability related to PowerPC PowerNV memory operations (bsc#1114957). Non-security issues fixed: Improved disk performance for qemu on xen (bsc#1100408). Fixed xen offline migration (bsc#1079730, bsc#1101982, bsc#1063993). Fixed pwrite64/pread64/write to return 0 over -1 for a zero length NULL buffer in qemu (bsc#1121600). Use /bin/bash to echo value into sys fs for ksm control (bsc#1112646). Return specification exception for unimplemented diag 308 subcodes rather than a hardware error (bsc#1123179). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id122341
    published2019-02-20
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122341
    titleSUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2019:0435-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20190924_QEMU_KVM_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - QEMU: slirp: heap buffer overflow while reassembling fragmented datagrams (CVE-2018-11806) - QEMU: slirp: heap buffer overflow in tcp_emu() (CVE-2019-6778) - QEMU: ne2000: integer overflow leads to buffer overflow issue (CVE-2018-10839) - QEMU: pcnet: integer overflow leads to buffer overflow (CVE-2018-17962) - QEMU: qxl: NULL pointer dereference while releasing spice resources (CVE-2019-12155)
    last seen2020-03-18
    modified2019-09-25
    plugin id129334
    published2019-09-25
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129334
    titleScientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64 (20190924)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2019-0891-1.NASL
    descriptionThis update for xen fixes the following issues : Security issues fixed : Fixed an issue which could allow malicious PV guests may cause a host crash or gain access to data pertaining to other guests.Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack (bsc#1126198). Fixed multiple access violations introduced by XENMEM_exchange hypercall which could allow a single PV guest to leak arbitrary amounts of memory, leading to a denial of service (bsc#1126192). Fixed an issue which could allow a malicious unprivileged guest userspace process to escalate its privilege to that of other userspace processes in the same guest and potentially thereby to that of the guest operating system (bsc#1126201). Fixed an issue which could allow malicious or buggy x86 PV guest kernels to mount a Denial of Service attack affecting the whole system (bsc#1126197). Fixed an issue which could allow an untrusted PV domain with access to a physical device to DMA into its own pagetables leading to privilege escalation (bsc#1126195). Fixed an issue which could allow a malicious or buggy x86 PV guest kernels can mount a Denial of Service attack affecting the whole system (bsc#1126196). CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in slirp (bsc#1123157). Fixed an issue which could allow malicious 64bit PV guests to cause a host crash (bsc#1127400). Fixed an issue which could allow malicious or buggy guests with passed through PCI devices to be able to escalate their privileges, crash the host, or access data belonging to other guests. Additionally memory leaks were also possible (bsc#1126140). Fixed a race condition issue which could allow malicious PV guests to escalate their privilege to that of the hypervisor (bsc#1126141). CVE-2019-9824: Fixed an information leak in SLiRP networking implementation which could allow a user/process to read uninitialised stack memory contents (bsc#1129623). Other issues addressed: Upstream bug fixes (bsc#1027519) Packages should no longer use /var/adm/fillup-templates (bsc#1069468). Added Xen cmdline option
    last seen2020-06-01
    modified2020-06-02
    plugin id123825
    published2019-04-08
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123825
    titleSUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2019:0891-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1815.NASL
    descriptionAccording to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A flaw was found in QEMU
    last seen2020-05-03
    modified2019-08-27
    plugin id128184
    published2019-08-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/128184
    titleEulerOS 2.0 SP8 : qemu-kvm (EulerOS-SA-2019-1815)

Redhat

advisories
  • bugzilla
    id1664205
    titleCVE-2019-6778 QEMU: slirp: heap buffer overflow in tcp_emu()
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 7 is installed
        ovaloval:com.redhat.rhba:tst:20150364027
      • OR
        • AND
          • commentqemu-img is earlier than 10:1.5.3-160.el7_6.3
            ovaloval:com.redhat.rhsa:tst:20191883001
          • commentqemu-img is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345006
        • AND
          • commentqemu-kvm-common is earlier than 10:1.5.3-160.el7_6.3
            ovaloval:com.redhat.rhsa:tst:20191883003
          • commentqemu-kvm-common is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140704004
        • AND
          • commentqemu-kvm is earlier than 10:1.5.3-160.el7_6.3
            ovaloval:com.redhat.rhsa:tst:20191883005
          • commentqemu-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345004
        • AND
          • commentqemu-kvm-tools is earlier than 10:1.5.3-160.el7_6.3
            ovaloval:com.redhat.rhsa:tst:20191883007
          • commentqemu-kvm-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345002
    rhsa
    idRHSA-2019:1883
    released2019-07-29
    severityImportant
    titleRHSA-2019:1883: qemu-kvm security update (Important)
  • bugzilla
    id1712670
    titleCVE-2019-12155 QEMU: qxl: null pointer dereference while releasing spice resources
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 6 is installed
        ovaloval:com.redhat.rhba:tst:20111656003
      • OR
        • AND
          • commentqemu-kvm-tools is earlier than 2:0.12.1.2-2.506.el6_10.5
            ovaloval:com.redhat.rhsa:tst:20192892001
          • commentqemu-kvm-tools is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345002
        • AND
          • commentqemu-kvm is earlier than 2:0.12.1.2-2.506.el6_10.5
            ovaloval:com.redhat.rhsa:tst:20192892003
          • commentqemu-kvm is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345004
        • AND
          • commentqemu-img is earlier than 2:0.12.1.2-2.506.el6_10.5
            ovaloval:com.redhat.rhsa:tst:20192892005
          • commentqemu-img is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110345006
        • AND
          • commentqemu-guest-agent is earlier than 2:0.12.1.2-2.506.el6_10.5
            ovaloval:com.redhat.rhsa:tst:20192892007
          • commentqemu-guest-agent is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20121234002
    rhsa
    idRHSA-2019:2892
    released2019-09-24
    severityImportant
    titleRHSA-2019:2892: qemu-kvm security update (Important)
  • rhsa
    idRHSA-2019:1968
  • rhsa
    idRHSA-2019:2425
rpms
  • qemu-img-10:1.5.3-160.el7_6.3
  • qemu-kvm-10:1.5.3-160.el7_6.3
  • qemu-kvm-common-10:1.5.3-160.el7_6.3
  • qemu-kvm-debuginfo-10:1.5.3-160.el7_6.3
  • qemu-kvm-tools-10:1.5.3-160.el7_6.3
  • qemu-img-rhev-10:2.12.0-18.el7_6.7
  • qemu-kvm-common-rhev-10:2.12.0-18.el7_6.7
  • qemu-kvm-rhev-10:2.12.0-18.el7_6.7
  • qemu-kvm-rhev-debuginfo-10:2.12.0-18.el7_6.7
  • qemu-kvm-tools-rhev-10:2.12.0-18.el7_6.7
  • qemu-img-rhev-10:2.12.0-33.el7
  • qemu-kvm-common-rhev-10:2.12.0-33.el7
  • qemu-kvm-rhev-10:2.12.0-33.el7
  • qemu-kvm-rhev-debuginfo-10:2.12.0-33.el7
  • qemu-kvm-tools-rhev-10:2.12.0-33.el7
  • qemu-guest-agent-2:0.12.1.2-2.506.el6_10.5
  • qemu-img-2:0.12.1.2-2.506.el6_10.5
  • qemu-kvm-2:0.12.1.2-2.506.el6_10.5
  • qemu-kvm-debuginfo-2:0.12.1.2-2.506.el6_10.5
  • qemu-kvm-tools-2:0.12.1.2-2.506.el6_10.5

References