101277

RHSA-2018:0816

RHSA-2018:1104

https://bugs.launchpad.net/qemu/+bug/1718964

[qemu-devel] 20171010 [PATCH v1 1/7] io: monitor encoutput buffer size from websocket GSource

USN-3575-1

DSA-4213

According to the versions of the qemu packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow issue was found in the NE200 NIC     emulation. It could occur while receiving packets from     the network, if the size value was greater than     INT_MAX. Such overflow would lead to stack buffer     overflow issue. A user inside guest could use this flaw     to crash the QEMU process, resulting in DoS scenario.
    (CVE-2018-10839)

  - qmp_guest_file_read in qga/commands-posix.c and     qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent)     in QEMU 2.12.50 has an integer overflow causing a     g_malloc0() call to trigger a segmentation fault when     trying to allocate a large memory chunk. The     vulnerability can be exploited by sending a crafted QMP     command (including guest-file-read with a large count     value) to the agent via the listening     socket.(CVE-2018-12617)

  - Qemu before version 2.9 is vulnerable to an improper     link following when built with the VirtFS. A privileged     user inside guest could use this flaw to access host     file system beyond the shared folder and potentially     escalating their privileges on a host. (CVE-2016-9602)

  - Quick Emulator (QEMU), compiled with the PC System     Emulator with multiboot feature support, is vulnerable     to an OOB r/w memory access issue. The issue could     occur while loading a kernel image during the guest     boot, if mh_load_end_addr address is greater than the     mh_bss_end_addr address. A user or process could use     this flaw to potentially achieve arbitrary code     execution on a host.(CVE-2018-7550)

  - An out-of-bounds read access issue was found in the VGA     display emulator built into the Quick emulator (QEMU).
    It could occur while reading VGA memory to update     graphics display. A privileged user/process inside     guest could use this flaw to crash the QEMU process on     the host resulting in denial of service     situation.(CVE-2017-13672)

  - An assert failure issue was found in the VGA display     emulator built into the Quick emulator (QEMU). It could     occur while updating graphics display, due to     miscalculating region for dirty bitmap snapshot in     split screen mode. A privileged user/process inside     guest could use this flaw to crash the QEMU process on     the host resulting in denial of service.
    (CVE-2017-13673)

  - The Network Block Device (NBD) server in Quick Emulator     (QEMU), is vulnerable to a denial of service issue. It     could occur if a client sent large option requests,     making the server waste CPU time on reading up to 4GB     per request. A client could use this flaw to keep the     NBD server from serving other requests, resulting in     DoS.(CVE-2017-15119)

  - QEMU (aka Quick Emulator) before 2.9.0, when built with     the USB OHCI Emulation support, allows local guest OS     users to cause a denial of service (infinite loop) by     leveraging an incorrect return value, a different     vulnerability than CVE-2017-6505.(CVE-2017-9330)

  - Integer overflow in the macro ROUND_UP (n, d) in Quick     Emulator (Qemu) allows a user to cause a denial of     service (Qemu process crash). (CVE-2017-18043)

  - VNC server implementation in Quick Emulator (QEMU) was     found to be vulnerable to an unbounded memory     allocation issue, as it did not throttle the     framebuffer updates sent to its client. If the client     did not consume these updates, VNC server allocates     growing memory to hold onto this data. A malicious     remote VNC client could use this flaw to cause DoS to     the server host.(CVE-2017-15124)

  - A memory leakage issue was found in the I/O channels     websockets implementation of the Quick Emulator (QEMU).
    It could occur while sending screen updates to a     client, which is slow to read and process them further.
    A privileged guest user could use this flaw to cause a     denial of service on the host and/or potentially crash     the QEMU process instance on the host.(CVE-2017-15268)

  - Quick Emulator (QEMU), compiled with the PC System     Emulator with multiboot feature support, is vulnerable     to an OOB r/w memory access issue. The issue could     occur due to an integer overflow while loading a kernel     image during a guest boot. A user or process could use     this flaw to potentially achieve arbitrary code     execution on a host.(CVE-2017-14167)

  - Memory leak in QEMU (aka Quick Emulator), when built     with IDE AHCI Emulation support, allows local guest OS     privileged users to cause a denial of service (memory     consumption) by repeatedly hot-unplugging the AHCI     device.(CVE-2017-9373)

  - Memory leak in the serial_exit_core function in     hw/char/serial.c in QEMU (aka Quick Emulator) allows     local guest OS privileged users to cause a denial of     service (host memory consumption and QEMU process     crash) via a large number of device unplug     operations.(CVE-2017-5579)

  - ** DISPUTED ** The disas_insn function in     target/i386/translate.c in QEMU before 2.9.0, when TCG     mode without hardware acceleration is used, does not     limit the instruction size, which allows local users to     gain privileges by creating a modified basic block that     injects code into a setuid program, as demonstrated by     procmail. NOTE: the vendor has stated 'this bug does     not violate any security guarantees QEMU     makes.'(CVE-2017-8284)

  - Memory leak in the keyboard input event handlers     support in QEMU (aka Quick Emulator) allows local guest     OS privileged users to cause a denial of service (host     memory consumption) by rapidly generating large     keyboard events.(CVE-2017-8379)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - An integer overflow issue was found in the NE200 NIC     emulation. It could occur while receiving packets from     the network, if the size value was greater than     INT_MAX. Such overflow would lead to stack buffer     overflow issue. A user inside guest could use this flaw     to crash the QEMU process, resulting in DoS scenario.
    (CVE-2018-10839)

  - qmp_guest_file_read in qga/commands-posix.c and     qga/commands-win32.c in qemu-ga (aka QEMU Guest Agent)     in QEMU 2.12.50 has an integer overflow causing a     g_malloc0() call to trigger a segmentation fault when     trying to allocate a large memory chunk. The     vulnerability can be exploited by sending a crafted QMP     command (including guest-file-read with a large count     value) to the agent via the listening     socket.(CVE-2018-12617)

  - Qemu before version 2.9 is vulnerable to an improper     link following when built with the VirtFS. A privileged     user inside guest could use this flaw to access host     file system beyond the shared folder and potentially     escalating their privileges on a host. (CVE-2016-9602)

  - Quick Emulator (QEMU), compiled with the PC System     Emulator with multiboot feature support, is vulnerable     to an OOB r/w memory access issue. The issue could     occur while loading a kernel image during the guest     boot, if mh_load_end_addr address is greater than the     mh_bss_end_addr address. A user or process could use     this flaw to potentially achieve arbitrary code     execution on a host.(CVE-2018-7550)

  - An out-of-bounds read access issue was found in the VGA     display emulator built into the Quick emulator (QEMU).
    It could occur while reading VGA memory to update     graphics display. A privileged user/process inside     guest could use this flaw to crash the QEMU process on     the host resulting in denial of service     situation.(CVE-2017-13672)

  - An assert failure issue was found in the VGA display     emulator built into the Quick emulator (QEMU). It could     occur while updating graphics display, due to     miscalculating region for dirty bitmap snapshot in     split screen mode. A privileged user/process inside     guest could use this flaw to crash the QEMU process on     the host resulting in denial of service.
    (CVE-2017-13673)

  - The Network Block Device (NBD) server in Quick Emulator     (QEMU), is vulnerable to a denial of service issue. It     could occur if a client sent large option requests,     making the server waste CPU time on reading up to 4GB     per request. A client could use this flaw to keep the     NBD server from serving other requests, resulting in     DoS.(CVE-2017-15119)

  - QEMU (aka Quick Emulator) before 2.9.0, when built with     the USB OHCI Emulation support, allows local guest OS     users to cause a denial of service (infinite loop) by     leveraging an incorrect return value, a different     vulnerability than CVE-2017-6505.(CVE-2017-9330)

  - Integer overflow in the macro ROUND_UP (n, d) in Quick     Emulator (Qemu) allows a user to cause a denial of     service (Qemu process crash). (CVE-2017-18043)

  - VNC server implementation in Quick Emulator (QEMU) was     found to be vulnerable to an unbounded memory     allocation issue, as it did not throttle the     framebuffer updates sent to its client. If the client     did not consume these updates, VNC server allocates     growing memory to hold onto this data. A malicious     remote VNC client could use this flaw to cause DoS to     the server host.(CVE-2017-15124)

  - A memory leakage issue was found in the I/O channels     websockets implementation of the Quick Emulator (QEMU).
    It could occur while sending screen updates to a     client, which is slow to read and process them further.
    A privileged guest user could use this flaw to cause a     denial of service on the host and/or potentially crash     the QEMU process instance on the host.(CVE-2017-15268)

  - Quick Emulator (QEMU), compiled with the PC System     Emulator with multiboot feature support, is vulnerable     to an OOB r/w memory access issue. The issue could     occur due to an integer overflow while loading a kernel     image during a guest boot. A user or process could use     this flaw to potentially achieve arbitrary code     execution on a host.(CVE-2017-14167)

  - Memory leak in QEMU (aka Quick Emulator), when built     with IDE AHCI Emulation support, allows local guest OS     privileged users to cause a denial of service (memory     consumption) by repeatedly hot-unplugging the AHCI     device.(CVE-2017-9373)

  - Memory leak in the serial_exit_core function in     hw/char/serial.c in QEMU (aka Quick Emulator) allows     local guest OS privileged users to cause a denial of     service (host memory consumption and QEMU process     crash) via a large number of device unplug     operations.(CVE-2017-5579)

  - ** DISPUTED ** The disas_insn function in     target/i386/translate.c in QEMU before 2.9.0, when TCG     mode without hardware acceleration is used, does not     limit the instruction size, which allows local users to     gain privileges by creating a modified basic block that     injects code into a setuid program, as demonstrated by     procmail. NOTE: the vendor has stated 'this bug does     not violate any security guarantees QEMU     makes.'(CVE-2017-8284)

  - Memory leak in the keyboard input event handlers     support in QEMU (aka Quick Emulator) allows local guest     OS privileged users to cause a denial of service (host     memory consumption) by rapidly generating large     keyboard events.(CVE-2017-8379)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - QEMU (aka Quick Emulator), when built with the VGA     display emulator support, allows local guest OS     privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     involving display update.(CVE-2017-13672)

  - Use-after-free vulnerability in the sofree function in     slirp/socket.c in QEMU (aka Quick Emulator) allows     attackers to cause a denial of service (QEMU instance     crash) by leveraging failure to properly clear ifq_so     from pending packets.(CVE-2017-13711)

  - VNC server implementation in Quick Emulator (QEMU)     2.11.0 and older was found to be vulnerable to an     unbounded memory allocation issue, as it did not     throttle the framebuffer updates sent to its client. If     the client did not consume these updates, VNC server     allocates growing memory to hold onto this data. A     malicious remote VNC client could use this flaw to     cause DoS to the server host.(CVE-2017-15124)

  - Qemu through 2.10.0 allows remote attackers to cause a     memory leak by triggering slow data-channel read     operations, related to     io/channel-websock.c.(CVE-2017-15268)

  - The vga_draw_text function in Qemu allows local OS     guest privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging improper memory address     validation.(CVE-2018-5683)

  - An industry-wide issue was found in the way many modern     microprocessor designs have implemented speculative     execution of Load & Store instructions (a commonly used     performance optimization). It relies on the presence of     a precisely-defined instruction sequence in the     privileged code as well as the fact that memory read     from address to which a recent memory write has     occurred may see an older value and subsequently cause     an update into the microprocessor's data cache even for     speculatively executed instructions that never actually     commit (retire). As a result, an unprivileged attacker     could use this flaw to read privileged memory by     conducting targeted cache side-channel attacks.
    (CVE-2018-3639)

  - Quick Emulator (aka QEMU), when built with the Cirrus     CLGD 54xx VGA Emulator support, allows local guest OS     privileged users to cause a denial of service     (out-of-bounds access and QEMU process crash) by     leveraging incorrect region calculation when updating     VGA display.(CVE-2018-7858)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An out-of-bounds read access issue was found in the VGA display emulator built into the Quick emulator (QEMU). It could occur while reading VGA memory to update graphics display. A privileged user/process inside guest could use this flaw to crash the QEMU process on the host resulting in denial of service situation.(CVE-2017-13672)

A memory leakage issue was found in the I/O channels websockets implementation of the Quick Emulator (QEMU). It could occur while sending screen updates to a client, which is slow to read and process them further. A privileged guest user could use this flaw to cause a denial of service on the host and/or potentially crash the QEMU process instance on the host.(CVE-2017-15268)

A use-after-free issue was found in the Slirp networking implementation of the Quick emulator (QEMU). It occurs when a Socket referenced from multiple packets is freed while responding to a message. A user/process could use this flaw to crash the QEMU process on the host resulting in denial of service.(CVE-2017-13711 )

Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display.(CVE-2018-7858)

VNC server implementation in Quick Emulator (QEMU) was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.(CVE-2017-15124)

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor's data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.(CVE-2018-3639)

An out-of-bounds read access issue was found in the VGA emulator of QEMU. It could occur in vga_draw_text routine, while updating display area for a vnc client. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS.(CVE-2018-5683)

Several vulnerabilities were discovered in qemu, a fast processor emulator.

  - CVE-2017-15038     Tuomas Tynkkynen discovered an information leak in 9pfs.

  - CVE-2017-15119     Eric Blake discovered that the NBD server insufficiently     restricts large option requests, resulting in denial of     service.

  - CVE-2017-15124     Daniel Berrange discovered that the integrated VNC     server insufficiently restricted memory allocation,     which could result in denial of service.

  - CVE-2017-15268     A memory leak in websockets support may result in denial     of service.

  - CVE-2017-15289     Guoxiang Niu discovered an OOB write in the emulated     Cirrus graphics adaptor which could result in denial of     service.

  - CVE-2017-16845     Cyrille Chatras discovered an information leak in PS/2     mouse and keyboard emulation which could be exploited     during instance migration.

  - CVE-2017-17381     Dengzhan Heyuandong Bijunhua and Liweichao discovered     that an implementation error in the virtio vring     implementation could result in denial of service.

  - CVE-2017-18043     Eric Blake discovered an integer overflow in an     internally used macro which could result in denial of     service.

  - CVE-2018-5683     Jiang Xin and Lin ZheCheng discovered an OOB memory     access in the emulated VGA adaptor which could result in     denial of service.

  - CVE-2018-7550     Cyrille Chatras discovered that an OOB memory write when     using multiboot could result in the execution of     arbitrary code.

This update also backports a number of mitigations against the Spectre v2 vulnerability affecting modern CPUs (CVE-2017-5715 ). For additional information please refer to https://www.qemu.org/2018/01/04/spectre/

According to the versions of the qemu-kvm package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - QEMU (aka Quick Emulator), when built with the VGA     display emulator support, allows local guest OS     privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     involving display update.(CVE-2017-13672)

  - Use-after-free vulnerability in the sofree function in     slirp/socket.c in QEMU (aka Quick Emulator) allows     attackers to cause a denial of service (QEMU instance     crash) by leveraging failure to properly clear ifq_so     from pending packets.(CVE-2017-13711)

  - VNC server implementation in Quick Emulator (QEMU)     2.11.0 and older was found to be vulnerable to an     unbounded memory allocation issue, as it did not     throttle the framebuffer updates sent to its client. If     the client did not consume these updates, VNC server     allocates growing memory to hold onto this data. A     malicious remote VNC client could use this flaw to     cause DoS to the server host.(CVE-2017-15124)

  - Qemu through 2.10.0 allows remote attackers to cause a     memory leak by triggering slow data-channel read     operations, related to     io/channel-websock.c.(CVE-2017-15268)

  - The vga_draw_text function in Qemu allows local OS     guest privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging improper memory address     validation.(CVE-2018-5683)

  - Quick Emulator (aka QEMU), when built with the Cirrus     CLGD 54xx VGA Emulator support, allows local guest OS     privileged users to cause a denial of service     (out-of-bounds access and QEMU process crash) by     leveraging incorrect region calculation when updating     VGA display.(CVE-2018-7858)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - QEMU (aka Quick Emulator), when built with the VGA     display emulator support, allows local guest OS     privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     involving display update.(CVE-2017-13672)

  - Use-after-free vulnerability in the sofree function in     slirp/socket.c in QEMU (aka Quick Emulator) allows     attackers to cause a denial of service (QEMU instance     crash) by leveraging failure to properly clear ifq_so     from pending packets.(CVE-2017-13711)

  - VNC server implementation in Quick Emulator (QEMU)     2.11.0 and older was found to be vulnerable to an     unbounded memory allocation issue, as it did not     throttle the framebuffer updates sent to its client. If     the client did not consume these updates, VNC server     allocates growing memory to hold onto this data. A     malicious remote VNC client could use this flaw to     cause DoS to the server host.(CVE-2017-15124)

  - Qemu through 2.10.0 allows remote attackers to cause a     memory leak by triggering slow data-channel read     operations, related to     io/channel-websock.c.(CVE-2017-15268)

  - The vga_draw_text function in Qemu allows local OS     guest privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) by     leveraging improper memory address     validation.(CVE-2018-5683)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security Fix(es) :

  - Qemu: vga: OOB read access during display update     (CVE-2017-13672)

  - Qemu: Slirp: use-after-free when sending response     (CVE-2017-13711)

  - Qemu: memory exhaustion through framebuffer update     request message in VNC server (CVE-2017-15124)

  - Qemu: I/O: potential memory exhaustion via websock     connection to VNC (CVE-2017-15268)

  - Qemu: Out-of-bounds read in vga_draw_text routine     (CVE-2018-5683)

Additional Changes :

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es) :

* Qemu: vga: OOB read access during display update (CVE-2017-13672)

* Qemu: Slirp: use-after-free when sending response (CVE-2017-13711)

* Qemu: memory exhaustion through framebuffer update request message in VNC server (CVE-2017-15124)

* Qemu: I/O: potential memory exhaustion via websock connection to VNC (CVE-2017-15268)

* Qemu: Out-of-bounds read in vga_draw_text routine (CVE-2018-5683)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank David Buchanan for reporting CVE-2017-13672; Wjjzhang (Tencent.com) for reporting CVE-2017-13711;
and Jiang Xin and Lin ZheCheng for reporting CVE-2018-5683. The CVE-2017-15124 issue was discovered by Daniel Berrange (Red Hat).

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

From Red Hat Security Advisory 2018:0816 :

An update for qemu-kvm is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section.

Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM.

Security Fix(es) :

* Qemu: vga: OOB read access during display update (CVE-2017-13672)

* Qemu: Slirp: use-after-free when sending response (CVE-2017-13711)

* Qemu: memory exhaustion through framebuffer update request message in VNC server (CVE-2017-15124)

* Qemu: I/O: potential memory exhaustion via websock connection to VNC (CVE-2017-15268)

* Qemu: Out-of-bounds read in vga_draw_text routine (CVE-2018-5683)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank David Buchanan for reporting CVE-2017-13672; Wjjzhang (Tencent.com) for reporting CVE-2017-13711;
and Jiang Xin and Lin ZheCheng for reporting CVE-2018-5683. The CVE-2017-15124 issue was discovered by Daniel Berrange (Red Hat).

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.

An update for qemu-kvm-rhev is now available for Red Hat Virtualization 4 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products.

The following packages have been upgraded to a later upstream version:
qemu-kvm-rhev (2.10.0). (BZ#1470749)

Security Fix(es) :

* Qemu: stack-based buffer overflow in NBD server triggered via long export name (CVE-2017-15118)

* Qemu: DoS via large option request (CVE-2017-15119)

* Qemu: vga: OOB read access during display update (CVE-2017-13672)

* Qemu: vga: reachable assert failure during display update (CVE-2017-13673)

* Qemu: Slirp: use-after-free when sending response (CVE-2017-13711)

* Qemu: memory exhaustion through framebuffer update request message in VNC server (CVE-2017-15124)

* Qemu: I/O: potential memory exhaustion via websock connection to VNC (CVE-2017-15268)

* Qemu: Out-of-bounds read in vga_draw_text routine (CVE-2018-5683)

For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.

Red Hat would like to thank David Buchanan for reporting CVE-2017-13672 and CVE-2017-13673; Wjjzhang (Tencent.com) for reporting CVE-2017-13711; and Jiang Xin and Lin ZheCheng for reporting CVE-2018-5683. The CVE-2017-15118 and CVE-2017-15119 issues were discovered by Eric Blake (Red Hat) and the CVE-2017-15124 issue was discovered by Daniel Berrange (Red Hat).

USN-3575-1 fixed vulnerabilities in QEMU. The fix for CVE-2017-11334 caused a regression in Xen environments. This update removes the problematic fix pending further investigation.

We apologize for the inconvenience.

Original advisory details :

It was discovered that QEMU incorrectly handled guest ram. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-11334) David Buchanan discovered that QEMU incorrectly handled the VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue was only addressed in Ubuntu 17.10. (CVE-2017-13672) Thomas Garnier discovered that QEMU incorrectly handled multiboot. An attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-14167) Tuomas Tynkkynen discovered that QEMU incorrectly handled VirtFS directory sharing. An attacker could use this issue to obtain sensitive information from host memory. (CVE-2017-15038) Eric Blake discovered that QEMU incorrectly handled memory in the NBD server. An attacker could use this issue to cause the NBD server to crash, resulting in a denial of service. This issue only affected Ubuntu 17.10.
(CVE-2017-15118) Eric Blake discovered that QEMU incorrectly handled certain options to the NBD server. An attacker could use this issue to cause the NBD server to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS.
(CVE-2017-15119) Daniel Berrange discovered that QEMU incorrectly handled the VNC server. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. This issue was only addressed in Ubuntu 17.10. (CVE-2017-15124) Carl Brassey discovered that QEMU incorrectly handled certain websockets. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. This issue only affected Ubuntu 17.10.
(CVE-2017-15268) Guoxiang Niu discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-15289) Cyrille Chatras discovered that QEMU incorrectly handled certain PS2 values during migration. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-16845) It was discovered that QEMU incorrectly handled the Virtio Vring implementation. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-17381) Eric Blake discovered that QEMU incorrectly handled certain rounding operations. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-18043) Jiang Xin and Lin ZheCheng discovered that QEMU incorrectly handled the VGA device.
A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-5683).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that QEMU incorrectly handled guest ram. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-11334)

David Buchanan discovered that QEMU incorrectly handled the VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue was only addressed in Ubuntu 17.10. (CVE-2017-13672)

Thomas Garnier discovered that QEMU incorrectly handled multiboot. An attacker could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-14167)

Tuomas Tynkkynen discovered that QEMU incorrectly handled VirtFS directory sharing. An attacker could use this issue to obtain sensitive information from host memory. (CVE-2017-15038)

Eric Blake discovered that QEMU incorrectly handled memory in the NBD server. An attacker could use this issue to cause the NBD server to crash, resulting in a denial of service. This issue only affected Ubuntu 17.10. (CVE-2017-15118)

Eric Blake discovered that QEMU incorrectly handled certain options to the NBD server. An attacker could use this issue to cause the NBD server to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15119)

Daniel Berrange discovered that QEMU incorrectly handled the VNC server. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. This issue was only addressed in Ubuntu 17.10. (CVE-2017-15124)

Carl Brassey discovered that QEMU incorrectly handled certain websockets. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. This issue only affected Ubuntu 17.10. (CVE-2017-15268)

Guoxiang Niu discovered that QEMU incorrectly handled the Cirrus VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-15289)

Cyrille Chatras discovered that QEMU incorrectly handled certain PS2 values during migration. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-16845)

It was discovered that QEMU incorrectly handled the Virtio Vring implementation. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2017-17381)

Eric Blake discovered that QEMU incorrectly handled certain rounding operations. An attacker could possibly use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-18043)

Jiang Xin and Lin ZheCheng discovered that QEMU incorrectly handled the VGA device. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2018-5683).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fix ppc64 KVM failure (bz #1501936)

  - CVE-2017-15038: 9p: information disclosure when reading     extended attributes (bz #1499111)

  - CVE-2017-15268: potential memory exhaustion via websock     connection to VNC (bz #1496882)

----

qemu-pr-helper didn't work due to a change in the libmultipath/libmpathpersist APIs exposed by device-mapper-multipath-devel. This has been fixed now. Other small changes to the qemu-pr-helper service are included.

----

Backport qemu-pr-helper from QEMU 2.11. This daemon allows unprivileged users (who have access to the daemon) to use persistent reservation commands on both regular disks and multipath block devices.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fix usb3 drive issues with windows guests (bz #1493196)

  - CVE-2017-15038: 9p: information disclosure when reading     extended attributes (bz #1499111)

  - CVE-2017-15268: potential memory exhaustion via websock     connection to VNC (bz #1496882)

  - CVE-2017-14167: multiboot OOB access while loading     kernel image (bz #1489376)

  - CVE-2017-13672: vga: OOB read access during display     update (bz #1486561)

  - CVE-2017-12809: flushing of empty CDROM drives leads to     NULL deref (bz #1483536)

  - CVE-2017-11434 slirp: out-of-bounds read while parsing     dhcp options (bz #1472612)

  - Fix sending multimedia keys through spice (bz #1471758)

  - Another ppc64le binfmt fix (bz #1500526)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes several issues. These security issues were fixed :

  - CVE-2017-15268: Qemu allowed remote attackers to cause a     memory leak by triggering slow data-channel read     operations, related to io/channel-websock.c     (bsc#1062942).

  - CVE-2017-9524: The qemu-nbd server when built with the     Network Block Device (NBD) Server support allowed remote     attackers to cause a denial of service (segmentation     fault and server crash) by leveraging failure to ensure     that all initialization occurs talking to a client in     the nbd_negotiate function (bsc#1043808).

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122)

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069)

  - CVE-2017-10911: The make_response function in the Linux     kernel allowed guest OS users to obtain sensitive     information from host OS (or other guest OS) kernel     memory by leveraging the copying of uninitialized     padding fields in Xen block-interface response     structures (bsc#1057378)

  - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator     support allowed local guest OS privileged users to cause     a denial of service (NULL pointer dereference and QEMU     process crash) by flushing an empty CDROM device drive     (bsc#1054724)

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046636)

  - CVE-2017-10806: Stack-based buffer overflow allowed     local guest OS users to cause a denial of service (QEMU     process crash) via vectors related to logging debug     messages (bsc#1047674)

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585)

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049381)

  - CVE-2017-11334: The address_space_write_continue     function allowed local guest OS privileged users to     cause a denial of service (out-of-bounds access and     guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048902)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes several issues.

These security issues were fixed :

  - CVE-2017-15268: Qemu allowed remote attackers to cause a     memory leak by triggering slow data-channel read     operations, related to io/channel-websock.c     (bsc#1062942).

  - CVE-2017-9524: The qemu-nbd server when built with the     Network Block Device (NBD) Server support allowed remote     attackers to cause a denial of service (segmentation     fault and server crash) by leveraging failure to ensure     that all initialization occurs talking to a client in     the nbd_negotiate function (bsc#1043808).

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122)

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069)

  - CVE-2017-10911: The make_response function in the Linux     kernel allowed guest OS users to obtain sensitive     information from host OS (or other guest OS) kernel     memory by leveraging the copying of uninitialized     padding fields in Xen block-interface response     structures (bsc#1057378)

  - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator     support allowed local guest OS privileged users to cause     a denial of service (NULL pointer dereference and QEMU     process crash) by flushing an empty CDROM device drive     (bsc#1054724)

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046636)

  - CVE-2017-10806: Stack-based buffer overflow allowed     local guest OS users to cause a denial of service (QEMU     process crash) via vectors related to logging debug     messages (bsc#1047674)

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585)

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049381)

  - CVE-2017-11334: The address_space_write_continue     function allowed local guest OS privileged users to     cause a denial of service (out-of-bounds access and     guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048902)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334)

These non-security issues were fixed :

  - Fixed not being able to build from rpm sources due to     undefined macro (bsc#1057966)

  - Fixed wrong permissions for kvm_stat.1 file

  - Fixed KVM lun resize not working as expected on SLES12     SP2 HV (bsc#1043176)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for qemu to version 2.9.1 fixes several issues.

It also announces that the qed storage format will be no longer supported in Leap 15.0.

These security issues were fixed :

  - CVE-2017-15268: Qemu allowed remote attackers to cause a     memory leak by triggering slow data-channel read     operations, related to io/channel-websock.c     (bsc#1062942)

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122)

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069)

  - CVE-2017-10911: The make_response function in the Linux     kernel allowed guest OS users to obtain sensitive     information from host OS (or other guest OS) kernel     memory by leveraging the copying of uninitialized     padding fields in Xen block-interface response     structures (bsc#1057378)

  - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator     support allowed local guest OS privileged users to cause     a denial of service (NULL pointer dereference and QEMU     process crash) by flushing an empty CDROM device drive     (bsc#1054724)

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334)

  - CVE-2017-13711: Use-after-free vulnerability allowed     attackers to cause a denial of service (QEMU instance     crash) by leveraging failure to properly clear ifq_so     from pending packets (bsc#1056291).

These non-security issues were fixed :

  - Fixed not being able to build from rpm sources due to     undefined macro (bsc#1057966)

  - Fiedx package build failure against new glibc     (bsc#1055587)

This update was imported from the SUSE:SLE-12-SP3:Update update project.

This update for qemu to version 2.9.1 fixes several issues. It also announces that the qed storage format will be no longer supported in SLE 15 (fate#324200). These security issues were fixed :

  - CVE-2017-15268: Qemu allowed remote attackers to cause a     memory leak by triggering slow data-channel read     operations, related to io/channel-websock.c     (bsc#1062942)

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122)

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069)

  - CVE-2017-10911: The make_response function in the Linux     kernel allowed guest OS users to obtain sensitive     information from host OS (or other guest OS) kernel     memory by leveraging the copying of uninitialized     padding fields in Xen block-interface response     structures (bsc#1057378)

  - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator     support allowed local guest OS privileged users to cause     a denial of service (NULL pointer dereference and QEMU     process crash) by flushing an empty CDROM device drive     (bsc#1054724)

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334)

  - CVE-2017-13711: Use-after-free vulnerability allowed     attackers to cause a denial of service (QEMU instance     crash) by leveraging failure to properly clear ifq_so     from pending packets (bsc#1056291).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
124947	EulerOS Virtualization 3.0.1.0 : qemu (EulerOS-SA-2019-1444)	Nessus	Huawei Local Security Checks	high
124908	EulerOS : qemu-kvm (EulerOS-SA-2019-1405)	Nessus	Huawei Local Security Checks	high
110865	EulerOS 2.0 SP3 : qemu-kvm (EulerOS-SA-2018-1201)	Nessus	Huawei Local Security Checks	high
110457	Amazon Linux AMI : qemu-kvm (ALAS-2018-1034) (Spectre)	Nessus	Amazon Linux Local Security Checks	high
110451	Amazon Linux 2 : qemu-kvm (ALAS-2018-1034) (Spectre)	Nessus	Amazon Linux Local Security Checks	high
110208	Debian DSA-4213-1 : qemu - security update (Spectre)	Nessus	Debian Local Security Checks	high
110148	EulerOS 2.0 SP1 : qemu-kvm (EulerOS-SA-2018-1144)	Nessus	Huawei Local Security Checks	high
109511	EulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2018-1113)	Nessus	Huawei Local Security Checks	high
109458	Scientific Linux Security Update : qemu-kvm on SL7.x x86_64	Nessus	Scientific Linux Local Security Checks	high
109372	CentOS 7 : qemu-kvm (CESA-2018:0816)	Nessus	CentOS Local Security Checks	high
109106	Oracle Linux 7 : qemu-kvm (ELSA-2018-0816)	Nessus	Oracle Linux Local Security Checks	high
109070	RHEL 7 : Virtualization (RHSA-2018:1104)	Nessus	Red Hat Local Security Checks	high
108986	RHEL 7 : qemu-kvm (RHSA-2018:0816)	Nessus	Red Hat Local Security Checks	high
107145	Ubuntu 14.04 LTS / 16.04 LTS : qemu regression (USN-3575-2)	Nessus	Ubuntu Local Security Checks	high
106927	Ubuntu 14.04 LTS / 16.04 LTS / 17.10 : qemu vulnerabilities (USN-3575-1)	Nessus	Ubuntu Local Security Checks	high
105928	Fedora 27 : 2:qemu (2017-8db9c497f9)	Nessus	Fedora Local Security Checks	medium
104446	Fedora 26 : 2:qemu (2017-9149114fba)	Nessus	Fedora Local Security Checks	high
104429	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:2936-1)	Nessus	SuSE Local Security Checks	high
104424	openSUSE Security Update : qemu (openSUSE-2017-1249)	Nessus	SuSE Local Security Checks	high
104423	openSUSE Security Update : qemu (openSUSE-2017-1248)	Nessus	SuSE Local Security Checks	high
104376	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:2924-1)	Nessus	SuSE Local Security Checks	high

CVE-2017-15268

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins