[oss-security] 20170608 CVE-2017-9503 Qemu: scsi: null pointer dereference while processing megasas command

99010

https://bugzilla.redhat.com/show_bug.cgi?id=1459477

[debian-lts-announce] 20180906 [SECURITY] [DLA 1497-1] qemu security update

[debian-lts-announce] 20200726 [SECURITY] [DLA 2288-1] qemu security update

[qemu-devel] 20170606 [PATCH 4/7] megasas: do not read DCMD opcode more than once

[qemu-devel] 20170606 [PATCH 7/7] megasas: always store SCSIRequest* into Megasas

The following CVE(s) were reported against src:qemu :

CVE-2017-9503

QEMU (aka Quick Emulator), when built with MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) via vectors involving megasas command processing.

CVE-2019-12068

In QEMU 1:4.1-1 (1:2.8+dfsg-6+deb9u8), when executing script in lsi_execute_script(), the LSI scsi adapter emulator advances 's->dsp' index to read next opcode. This can lead to an infinite loop if the next opcode is empty. Move the existing loop exit after 10k iterations so that it covers no-op opcodes as well.

CVE-2019-20382

QEMU 4.1.0 has a memory leak in zrle_compress_data in ui/vnc-enc-zrle.c during a VNC disconnect operation because libz is misused, resulting in a situation where memory allocated in deflateInit2 is not freed in deflateEnd.

CVE-2020-1983

A use after free vulnerability in ip_reass() in ip_input.c of libslirp 4.2.0 and prior releases allows crafted packets to cause a denial of service.

CVE-2020-8608

In libslirp 4.1.0, as used in QEMU 4.2.0, tcp_subr.c misuses snprintf return values, leading to a buffer overflow in later code.

CVE-2020-10756

An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1.

CVE-2020-13361

In QEMU 5.0.0 and earlier, es1370_transfer_audio in hw/audio/es1370.c does not properly validate the frame count, which allows guest OS users to trigger an out-of-bounds access during an es1370_write() operation.

CVE-2020-13362

In QEMU 5.0.0 and earlier, megasas_lookup_frame in hw/scsi/megasas.c has an out-of-bounds read via a crafted reply_queue_head field from a guest OS user.

CVE-2020-13659

address_space_map in exec.c in QEMU 4.2.0 can trigger a NULL pointer dereference related to BounceBuffer.

CVE-2020-13754

hw/pci/msix.c in QEMU 4.2.0 allows guest OS users to trigger an out-of-bounds access via a crafted address in an msi-x mmio operation.

CVE-2020-13765

rom_copy() in hw/core/loader.c in QEMU 4.1.0 does not validate the relationship between two addresses, which allows attackers to trigger an invalid memory copy operation.

CVE-2020-15863

Stack-based overflow in xgmac_enet_send() in hw/net/xgmac.c.

For Debian 9 stretch, these problems have been fixed in version 1:2.8+dfsg-6+deb9u10.

We recommend that you upgrade your qemu packages.

For the detailed security status of qemu please refer to its security tracker page at: https://security-tracker.debian.org/tracker/qemu

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the qemu-kvm packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In QEMU 3.0.0, tcp_emu in slirp/tcp_subr.c has a     heap-based buffer overflow.(CVE-2019-6778)

  - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka     Quick Emulator) allows local guest OS privileged users     to cause a denial of service (NULL pointer dereference     and QEMU process crash) by leveraging failure to define     the .write method.(CVE-2015-7549)

  - The ne2000_receive function in the NE2000 NIC emulation     support (hw/net/ne2000.c) in QEMU before 2.5.1 allows     local guest OS administrators to cause a denial of     service (infinite loop and QEMU process crash) via     crafted values for the PSTART and PSTOP registers,     involving ring buffer control.(CVE-2016-2841)

  - Memory leak in QEMU (aka Quick Emulator), when built     with USB EHCI Emulation support, allows local guest OS     privileged users to cause a denial of service (memory     consumption) by repeatedly hot-unplugging the     device.(CVE-2017-9374)

  - Integer overflow in the macro ROUND_UP (n, d) in Quick     Emulator (Qemu) allows a user to cause a denial of     service (Qemu process crash).(CVE-2017-18043)

  - Memory leak in the serial_exit_core function in     hw/char/serial.c in QEMU (aka Quick Emulator) allows     local guest OS privileged users to cause a denial of     service (host memory consumption and QEMU process     crash) via a large number of device unplug     operations.(CVE-2017-5579)

  - The slirp_smb function in net/slirp.c in QEMU 2.3.0 and     earlier creates temporary files with predictable names,     which allows local users to cause a denial of service     (instantiation failure) by creating /tmp/qemu-smb.*-*     files before the program.(CVE-2015-4037)

  - The mcf_fec_do_tx function in hw/net/mcf_fec.c in QEMU     (aka Quick Emulator) does not properly limit the buffer     descriptor count when transmitting packets, which     allows local guest OS administrators to cause a denial     of service (infinite loop and QEMU process crash) via     vectors involving a buffer descriptor with a length of     0 and crafted values in bd.flags.(CVE-2016-7908)

  - hw/net/vmxnet3.c in QEMU 2.0.0-rc0, 1.7.1, and earlier     allows local guest users to cause a denial of service     or possibly execute arbitrary code via vectors related     to (1) RX or (2) TX queue numbers or (3) interrupt     indices. NOTE: some of these details are obtained from     third party information.(CVE-2013-4544)

  - Multiple integer overflows in the USB Net device     emulator (hw/usb/dev-network.c) in QEMU before 2.5.1     allow local guest OS administrators to cause a denial     of service (QEMU process crash) or obtain sensitive     host memory information via a remote NDIS control     message packet that is mishandled in the (1)     rndis_query_response, (2) rndis_set_response, or (3)     usb_net_handle_dataout function.(CVE-2016-2538)

  - Qemu emulator <= 3.0.0 built with the NE2000 NIC     emulation support is vulnerable to an integer overflow,     which could lead to buffer overflow issue. It could     occur when receiving packets over the network. A user     inside guest could use this flaw to crash the Qemu     process resulting in DoS.(CVE-2018-10839)

  - Memory leak in QEMU (aka Quick Emulator), when built     with IDE AHCI Emulation support, allows local guest OS     privileged users to cause a denial of service (memory     consumption) by repeatedly hot-unplugging the AHCI     device.(CVE-2017-9373)

  - tcp_emu in slirp/tcp_subr.c (aka slirp/src/tcp_subr.c)     in QEMU 3.0.0 uses uninitialized data in an snprintf     call, leading to Information disclosure.(CVE-2019-9824)

  - QEMU (aka Quick Emulator), when built with MegaRAID SAS     8708EM2 Host Bus Adapter emulation support, allows     local guest OS privileged users to cause a denial of     service (NULL pointer dereference and QEMU process     crash) via vectors involving megasas command     processing.(CVE-2017-9503)

  - Buffer overflow in hw/ide/ahci.c in QEMU before 1.7.2     allows remote attackers to cause a denial of service     and possibly execute arbitrary code via vectors related     to migrating ports.(CVE-2013-4526)

  - Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2     allows remote attackers to cause a denial of service or     possibly execute arbitrary code via crafted     tx_fifo_head and rx_fifo_head values in a savevm     image.(CVE-2013-4530)

  - Multiple buffer overflows in the tsc210x_load function     in hw/input/tsc210x.c in QEMU before 1.7.2 might allow     remote attackers to execute arbitrary code via a     crafted (1) precision, (2) nextprecision, (3) function,     or (4) nextfunction value in a savevm     image.(CVE-2013-4539)

  - Buffer overflow in scoop_gpio_handler_update in QEMU     before 1.7.2 might allow remote attackers to execute     arbitrary code via a large (1) prev_level, (2)     gpio_level, or (3) gpio_dir value in a savevm     image.(CVE-2013-4540)

  - The sdhci_sdma_transfer_multi_blocks function in     hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local     OS guest privileged users to cause a denial of service     (infinite loop and QEMU process crash) via vectors     involving the transfer mode register during multi block     transfer.(CVE-2017-5987)

  - Microarchitectural Store Buffer Data Sampling (MSBDS):
    Store buffers on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access. A list of impacted products     can be found here:
    https://www.intel.com/content/dam/www/public/us/en/docu     ments/corporate-information/SA00233-microcode-update-gu     idance_05132019.pdf(CVE-2018-12126)

  - Microarchitectural Load Port Data Sampling (MLPDS):
    Load ports on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access. A list of impacted products     can be found here:
    https://www.intel.com/content/dam/www/public/us/en/docu     ments/corporate-information/SA00233-microcode-update-gu     idance_05132019.pdf(CVE-2018-12127)

  - Microarchitectural Fill Buffer Data Sampling (MFBDS):
    Fill buffers on some microprocessors utilizing     speculative execution may allow an authenticated user     to potentially enable information disclosure via a side     channel with local access. A list of impacted products     can be found here:
    https://www.intel.com/content/dam/www/public/us/en/docu     ments/corporate-information/SA00233-microcode-update-gu     idance_05132019.pdf(CVE-2018-12130)

  - Microarchitectural Data Sampling Uncacheable Memory     (MDSUM): Uncacheable memory on some microprocessors     utilizing speculative execution may allow an     authenticated user to potentially enable information     disclosure via a side channel with local access. A list     of impacted products can be found here:
    https://www.intel.com/content/dam/www/public/us/en/docu     ments/corporate-information/SA00233-microcode-update-gu     idance_05132019.pdf(CVE-2019-11091)

  - interface_release_resource in hw/display/qxl.c in QEMU     4.0.0 has a NULL pointer dereference.(CVE-2019-12155)

  - Heap-based buffer overflow in the .receive callback of     xlnx.xps-ethernetlite in QEMU (aka Quick Emulator)     allows attackers to execute arbitrary code on the QEMU     host via a large ethlite packet.(CVE-2016-7161)

  - Heap-based buffer overflow in the ne2000_receive     function in hw/net/ne2000.c in QEMU before 2.4.0.1     allows guest OS users to cause a denial of service     (instance crash) or possibly execute arbitrary code via     vectors related to receiving packets.(CVE-2015-5279)

  - The sdhci_sdma_transfer_multi_blocks function in     hw/sd/sdhci.c in QEMU (aka Quick Emulator) allows local     guest OS privileged users to cause a denial of service     (out-of-bounds heap access and crash) or execute     arbitrary code on the QEMU host via vectors involving     the data transfer length.(CVE-2017-5667)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were found in qemu, a fast processor emulator :

CVE-2015-8666

Heap-based buffer overflow in QEMU when built with the Q35-chipset-based PC system emulator

CVE-2016-2198

NULL pointer dereference in ehci_caps_write in the USB EHCI support that may result in denial of service

CVE-2016-6833

Use after free while writing in the vmxnet3 device that could be used to cause a denial of service

CVE-2016-6835

Buffer overflow in vmxnet_tx_pkt_parse_headers() in vmxnet3 device that could result in denial of service

CVE-2016-8576

Infinite loop vulnerability in xhci_ring_fetch in the USB xHCI support

CVE-2016-8667 / CVE-2016-8669

Divide by zero errors in set_next_tick in the JAZZ RC4030 chipset emulator, and in serial_update_parameters of some serial devices, that could result in denial of service

CVE-2016-9602

Improper link following with VirtFS

CVE-2016-9603

Heap buffer overflow via vnc connection in the Cirrus CLGD 54xx VGA emulator support

CVE-2016-9776

Infinite loop while receiving data in the ColdFire Fast Ethernet Controller emulator

CVE-2016-9907

Memory leakage in the USB redirector usb-guest support 

CVE-2016-9911

Memory leakage in ehci_init_transfer in the USB EHCI support

CVE-2016-9914 / CVE-2016-9915 / CVE-2016-9916

Plan 9 File System (9pfs): add missing cleanup operation in FileOperations, in the handle backend and in the proxy backend driver

CVE-2016-9921 / CVE-2016-9922

Divide by zero in cirrus_do_copy in the Cirrus CLGD 54xx VGA Emulator support 

CVE-2016-10155

Memory leak in hw/watchdog/wdt_i6300esb.c allowing local guest OS privileged users to cause a denial of service via a large number of device unplug operations.

CVE-2017-2615 / CVE-2017-2620 / CVE-2017-18030 / CVE-2018-5683 / CVE-2017-7718

Out-of-bounds access issues in the Cirrus CLGD 54xx VGA emulator support, that could result in denial of service

CVE-2017-5525 / CVE-2017-5526

Memory leakage issues in the ac97 and es1370 device emulation

CVE-2017-5579

Most memory leakage in the 16550A UART emulation

CVE-2017-5667

Out-of-bounds access during multi block SDMA transfer in the SDHCI emulation support.

CVE-2017-5715

Mitigations against the Spectre v2 vulnerability. For more information please refer to https://www.qemu.org/2018/01/04/spectre/

CVE-2017-5856

Memory leak in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support

CVE-2017-5973 / CVE-2017-5987 / CVE-2017-6505

Infinite loop issues in the USB xHCI, in the transfer mode register of the SDHCI protocol, and the USB ohci_service_ed_list

CVE-2017-7377

9pfs: host memory leakage via v9fs_create

CVE-2017-7493

Improper access control issues in the host directory sharing via 9pfs support.

CVE-2017-7980

Heap-based buffer overflow in the Cirrus VGA device that could allow local guest OS users to execute arbitrary code or cause a denial of service

CVE-2017-8086

9pfs: host memory leakage via v9pfs_list_xattr

CVE-2017-8112

Infinite loop in the VMWare PVSCSI emulation

CVE-2017-8309 / CVE-2017-8379

Host memory leakage issues via the audio capture buffer and the keyboard input event handlers 

CVE-2017-9330

Infinite loop due to incorrect return value in USB OHCI that may result in denial of service

CVE-2017-9373 / CVE-2017-9374

Host memory leakage during hot unplug in IDE AHCI and USB emulated devices that could result in denial of service

CVE-2017-9503

NULL pointer dereference while processing megasas command

CVE-2017-10806

Stack buffer overflow in USB redirector

CVE-2017-10911

Xen disk may leak stack data via response ring

CVE-2017-11434

Out-of-bounds read while parsing Slirp/DHCP options

CVE-2017-14167

Out-of-bounds access while processing multiboot headers that could result in the execution of arbitrary code

CVE-2017-15038

9pfs: information disclosure when reading extended attributes

CVE-2017-15289

Out-of-bounds write access issue in the Cirrus graphic adaptor that could result in denial of service

CVE-2017-16845

Information leak in the PS/2 mouse and keyboard emulation support that could be exploited during instance migration 

CVE-2017-18043

Integer overflow in the macro ROUND_UP (n, d) that could result in denial of service

CVE-2018-7550

Incorrect handling of memory during multiboot that could may result in execution of arbitrary code

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u7.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for kvm fixes several issues. These security issues were fixed :

  - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the     bitblit copy routine cirrus_bitblt_cputovideo failed to     check the memory region, allowing for an out-of-bounds     write that allows for privilege escalation (bsc#1024972)

  - CVE-2017-2615: An error in the bitblt copy operation     could have allowed a malicious guest administrator to     cause an out of bounds memory access, possibly leading     to information disclosure or privilege escalation     (bsc#1023004)

  - CVE-2016-9776: The ColdFire Fast Ethernet Controller     emulator support was vulnerable to an infinite loop     issue while receiving packets in 'mcf_fec_receive'. A     privileged user/process inside guest could have used     this issue to crash the Qemu process on the host leading     to DoS (bsc#1013285)

  - CVE-2016-9911: The USB EHCI Emulation support was     vulnerable to a memory leakage issue while processing     packet data in 'ehci_init_transfer'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for the host (bsc#1014111)

  - CVE-2016-9907: The USB redirector usb-guest support was     vulnerable to a memory leakage flaw when destroying the     USB redirector in 'usbredir_handle_destroy'. A guest     user/process could have used this issue to leak host     memory, resulting in DoS for a host (bsc#1014109)

  - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support     was vulnerable to a divide by zero issue while copying     VGA data. A privileged user inside guest could have used     this flaw to crash the process instance on the host,     resulting in DoS (bsc#1014702)

  - CVE-2017-5898: The CCID Card device emulator support was     vulnerable to an integer overflow allowing a privileged     user inside the guest to crash the Qemu process     resulting in DoS (bnc#1023907)

  - CVE-2016-10155: The virtual hardware watchdog     'wdt_i6300esb' was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021129)

  - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a memory leakage     issue allowing a privileged user to leak host memory     resulting in DoS (bsc#1023053)

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046636)

  - CVE-2017-10806: Stack-based buffer overflow allowed     local guest OS users to cause a denial of service (QEMU     process crash) via vectors related to logging debug     messages (bsc#1047674)

  - CVE-2017-11334: The address_space_write_continue     function allowed local guest OS privileged users to     cause a denial of service (out-of-bounds access and     guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048902)

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049381)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334)

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585)

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069)

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-6505: The ohci_service_ed_list function allowed     local guest OS users to cause a denial of service     (infinite loop) via vectors involving the number of link     endpoint list descriptors (bsc#1028184)

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866)

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159)

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801)

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296)

  - Fix privilege escalation in TCG mode (bsc#1030624)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes several issues. These security issues were fixed :

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122)

  - CVE-2017-2633: The VNC display driver support was     vulnerable to an out-of-bounds memory access issue. A     user/process inside guest could use this flaw to cause     DoS (bsc#1026612)

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069)

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585)

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049381)

  - CVE-2017-11334: The address_space_write_continue     function allowed local guest OS privileged users to     cause a denial of service (out-of-bounds access and     guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048902)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334)

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks     function in hw/sd/sdhci.c allowed local OS guest     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors involving the     transfer mode register during multi block transfer     (bsc#1025311)

  - CVE-2017-6505: The ohci_service_ed_list function allowed     local guest OS users to cause a denial of service     (infinite loop) via vectors involving the number of link     endpoint list descriptors (bsc#1028184)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036211)

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800)

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242)

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495)

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296)

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046636)

  - CVE-2017-10806: Stack-based buffer overflow allowed     local guest OS users to cause a denial of service (QEMU     process crash) via vectors related to logging debug     messages (bsc#1047674)

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2017-7377: The v9fs_create and v9fs_lcreate     functions in hw/9pfs/9p.c allowed local guest OS     privileged users to cause a denial of service (file     descriptor or memory consumption) via vectors related to     an already in-use fid (bsc#1032075)

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950)

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866)

  - CVE-2016-6834: A infinite loop during packet     fragmentation in the VMWARE VMXNET3 NIC device support     allowed privileged user inside guest to crash the Qemu     instance resulting in DoS (bsc#994418)

  - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC     device support, causing an OOB read access (bsc#994605)

  - Fix privilege escalation in TCG mode (bsc#1030624)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for kvm fixes several issues. These security issues were fixed :

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046636)

  - CVE-2017-10806: Stack-based buffer overflow allowed     local guest OS users to cause a denial of service (QEMU     process crash) via vectors related to logging debug     messages (bsc#1047674).

  - CVE-2017-11334: The address_space_write_continue     function allowed local guest OS privileged users to     cause a denial of service (out-of-bounds access and     guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048902).

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049381)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334).

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585).

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069).

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122).

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-6505: The ohci_service_ed_list function allowed     local guest OS users to cause a denial of service     (infinite loop) via vectors involving the number of link     endpoint list descriptors (bsc#1028184)

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866)

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159)

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801)

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296)

  - Privilege escalation in TCG mode (bsc#1030624)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes several issues. These security issues were fixed :

  - CVE-2017-10911: The make_response function in the Linux     kernel allowed guest OS users to obtain sensitive     information from host OS (or other guest OS) kernel     memory by leveraging the copying of uninitialized     padding fields in Xen block-interface response     structures (bsc#1057378).

  - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator     support allowed local guest OS privileged users to cause     a denial of service (NULL pointer dereference and QEMU     process crash) by flushing an empty CDROM device drive     (bsc#1054724).

  - CVE-2017-15289: The mode4and5 write functions allowed     local OS guest privileged users to cause a denial of     service (out-of-bounds write access and Qemu process     crash) via vectors related to dst calculation     (bsc#1063122)

  - CVE-2017-15038: Race condition in the v9fs_xattrwalk     function local guest OS users to obtain sensitive     information from host heap memory via vectors related to     reading extended attributes (bsc#1062069)

  - CVE-2017-14167: Integer overflow in the load_multiboot     function allowed local guest OS users to execute     arbitrary code on the host via crafted multiboot header     address values, which trigger an out-of-bounds write     (bsc#1057585)

  - CVE-2017-11434: The dhcp_decode function in     slirp/bootp.c allowed local guest OS users to cause a     denial of service (out-of-bounds read) via a crafted     DHCP options string (bsc#1049381)

  - CVE-2017-11334: The address_space_write_continue     function allowed local guest OS privileged users to     cause a denial of service (out-of-bounds access and     guest instance crash) by leveraging use of     qemu_map_ram_ptr to access guest ram block area     (bsc#1048902)

  - CVE-2017-13672: The VGA display emulator support allowed     local guest OS privileged users to cause a denial of     service (out-of-bounds read and QEMU process crash) via     vectors involving display update (bsc#1056334)

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks     function in hw/sd/sdhci.c allowed local OS guest     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors involving the     transfer mode register during multi block transfer     (bsc#1025311)

  - CVE-2017-6505: The ohci_service_ed_list function allowed     local guest OS users to cause a denial of service     (infinite loop) via vectors involving the number of link     endpoint list descriptors (bsc#1028184)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036211)

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800)

  - CVE-2017-9374: Missing free of 's->ipacket', causes a     host memory leak, allowing for DoS (bsc#1043073)

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159)

  - CVE-2017-8379: Memory leak in the keyboard input event     handlers support allowed local guest OS privileged users     to cause a denial of service (host memory consumption)     by rapidly generating large keyboard events     (bsc#1037334)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242)

  - CVE-2017-8380: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to an out-of-bounds     read access issue which allowed a privileged user inside     guest to read host memory resulting in DoS (bsc#1037336)

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495)

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296)

  - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which     allowed remote attackers to cause a denial of service     (daemon crash) by disconnecting during a     server-to-client reply attempt (bsc#1046636)

  - CVE-2017-10806: Stack-based buffer overflow allowed     local guest OS users to cause a denial of service (QEMU     process crash) via vectors related to logging debug     messages (bsc#1047674)

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427)

  - CVE-2017-7377: The v9fs_create and v9fs_lcreate     functions in hw/9pfs/9p.c allowed local guest OS     privileged users to cause a denial of service (file     descriptor or memory consumption) via vectors related to     an already in-use fid (bsc#1032075)

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950)

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866)

  - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC     device support, causing an OOB read access (bsc#994605)

  - CVE-2016-6834: A infinite loop during packet     fragmentation in the VMWARE VMXNET3 NIC device support     allowed privileged user inside guest to crash the Qemu     instance resulting in DoS (bsc#994418)

  - Fix privilege escalation in TCG mode (bsc#1030624)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

USN-3414-1 fixed vulnerabilities in QEMU. The patch backport for CVE-2017-9375 was incomplete and caused a regression in the USB xHCI controller emulation support. This update fixes the problem.

We apologize for the inconvenience.

Leo Gaspard discovered that QEMU incorrectly handled VirtFS access control. A guest attacker could use this issue to elevate privileges inside the guest. (CVE-2017-7493)

Li Qiang discovered that QEMU incorrectly handled VMware PVSCSI emulation. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources or crash, resulting in a denial of service. (CVE-2017-8112)

It was discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly to obtain sensitive host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-8380)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9060)

Li Qiang discovered that QEMU incorrectly handled the e1000e device. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 17.04.
(CVE-2017-9310)

Li Qiang discovered that QEMU incorrectly handled USB OHCI emulation support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9330)

Li Qiang discovered that QEMU incorrectly handled IDE AHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9373)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9374)

Li Qiang discovered that QEMU incorrectly handled USB xHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-9375)

Zhangyanyu discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9503)

It was discovered that the QEMU qemu-nbd server incorrectly handled initialization. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-9524)

It was discovered that the QEMU qemu-nbd server incorrectly handled signals. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service.
(CVE-2017-10664)

Li Qiang discovered that the QEMU USB redirector incorrectly handled logging debug messages. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-10806)

Anthony Perard discovered that QEMU incorrectly handled Xen block-interface responses. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. (CVE-2017-10911)

Reno Robert discovered that QEMU incorrectly handled certain DHCP options strings. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-11434)

Ryan Salsamendi discovered that QEMU incorrectly handled empty CDROM device drives. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-12809).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Leo Gaspard discovered that QEMU incorrectly handled VirtFS access control. A guest attacker could use this issue to elevate privileges inside the guest. (CVE-2017-7493)

Li Qiang discovered that QEMU incorrectly handled VMware PVSCSI emulation. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources or crash, resulting in a denial of service. (CVE-2017-8112)

It was discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly to obtain sensitive host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-8380)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service.
This issue only affected Ubuntu 17.04. (CVE-2017-9060)

Li Qiang discovered that QEMU incorrectly handled the e1000e device. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9310)

Li Qiang discovered that QEMU incorrectly handled USB OHCI emulation support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9330)

Li Qiang discovered that QEMU incorrectly handled IDE AHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9373)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9374)

Li Qiang discovered that QEMU incorrectly handled USB xHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service.
(CVE-2017-9375)

Zhangyanyu discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9503)

It was discovered that the QEMU qemu-nbd server incorrectly handled initialization. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-9524)

It was discovered that the QEMU qemu-nbd server incorrectly handled signals. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-10664)

Li Qiang discovered that the QEMU USB redirector incorrectly handled logging debug messages. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-10806)

Anthony Perard discovered that QEMU incorrectly handled Xen block-interface responses. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. (CVE-2017-10911)

Reno Robert discovered that QEMU incorrectly handled certain DHCP options strings. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-11434)

Ryan Salsamendi discovered that QEMU incorrectly handled empty CDROM device drives. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04.
(CVE-2017-12809).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes several issues.

These security issues were fixed :

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159).

  - CVE-2017-8379: Memory leak in the keyboard input event     handlers support allowed local guest OS privileged users     to cause a denial of service (host memory consumption)     by rapidly generating large keyboard events     (bsc#1037334).

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242).

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495).

  - CVE-2017-7377: The v9fs_create and v9fs_lcreate     functions in hw/9pfs/9p.c allowed local guest OS     privileged users to cause a denial of service (file     descriptor or memory consumption) via vectors related to     an already in-use fid (bsc#1032075).

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950).

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks     function in hw/sd/sdhci.c allowed local OS guest     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors involving the     transfer mode register during multi block transfer     (bsc#1025311).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028184)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036211).

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800).

  - CVE-2017-9374: Missing free of 's->ipacket', causes a     host memory leak, allowing for DoS (bsc#1043073).

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801).

  - CVE-2017-8380: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to an out-of-bounds     read access issue which allowed a privileged user inside     guest to read host memory resulting in DoS     (bsc#1037336).

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427).

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866).

  - Fix privilege escalation in TCG mode of QEMU. This is     not considered a security issue by the upstream project,     but is included as additional hardening (bsc#1030624)

  - Fix potential DoS in virtfs

  - CVE-2016-10028: The Virtio GPU Device emulator support     was vulnerable to an out of bounds memory access issue     allowing a guest user to crash the Qemu process instance     on a host, resulting in DoS (bsc#1017084, bsc#1016503)

  - CVE-2016-10029: The Virtio GPU Device emulator support     was vulnerable to an OOB read issue allowing a guest     user to crash the Qemu process instance resulting in Dos     (bsc#1017081, bsc#1016504)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296).

This non-security issue was fixed :

  - Enable MONITOR/MWAIT support for guests (bsc#1031142)

This update was imported from the SUSE:SLE-12-SP2:Update update project.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-10911: blkif responses leaked backend stack     data, which allowed unprivileged guest to obtain     sensitive information from the host or other guests     (XSA-216, bsc#1042863)

  - CVE-2017-10912: Page transfer might have allowed PV     guest to elevate privilege (XSA-217, bsc#1042882)

  - CVE-2017-10913, CVE-2017-10914: Races in the grant table     unmap code allowed for informations leaks and     potentially privilege escalation (XSA-218, bsc#1042893)

  - CVE-2017-10915: Insufficient reference counts during     shadow emulation allowed a malicious pair of guest to     elevate their privileges to the privileges that XEN runs     under (XSA-219, bsc#1042915)

  - CVE-2017-10917: Missing NULL pointer check in event     channel poll allows guests to DoS the host (XSA-221,     bsc#1042924)

  - CVE-2017-10918: Stale P2M mappings due to insufficient     error checking allowed malicious guest to leak     information or elevate privileges (XSA-222, bsc#1042931)

  - CVE-2017-10922, CVE-2017-10921, CVE-2017-10920: Grant     table operations mishandled reference counts allowing     malicious guests to escape (XSA-224, bsc#1042938)

  - CVE-2017-10916: PKRU and BND* leakage between vCPU-s     might have leaked information to other guests (XSA-220,     bsc#1042923)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042160)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037243)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036470)

  - CVE-2017-8905: Xen a failsafe callback, which might have     allowed PV guest OS users to execute arbitrary code on     the host OS (XSA-215, bsc#1034845).

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043297)

  - CVE-2017-9374: Missing free of 's->ipacket', causes a     host memory leak, allowing for DoS (bsc#1043074)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043297)

  - CVE-2017-9374: Missing free of 's->ipacket', causes a     host memory leak, allowing for DoS (bsc#1043074)

  - CVE-2017-10911: blkif responses leaked backend stack     data, which allowed unprivileged guest to obtain     sensitive information from the host or other guests     (XSA-216, bsc#1042863)

  - CVE-2017-10912: Page transfer might have allowed PV     guest to elevate privilege (XSA-217, bsc#1042882)

  - CVE-2017-10913, CVE-2017-10914: Races in the grant table     unmap code allowed for informations leaks and     potentially privilege escalation (XSA-218, bsc#1042893)

  - CVE-2017-10915: Insufficient reference counts during     shadow emulation allowed a malicious pair of guest to     elevate their privileges to the privileges that XEN runs     under (XSA-219, bsc#1042915)

  - CVE-2017-10917: Missing NULL pointer check in event     channel poll allows guests to DoS the host (XSA-221,     bsc#1042924)

  - CVE-2017-10918: Stale P2M mappings due to insufficient     error checking allowed malicious guest to leak     information or elevate privileges (XSA-222, bsc#1042931)

  - CVE-2017-10920, CVE-2017-10921, CVE-2017-10922: Grant     table operations mishandled reference counts allowing     malicious guests to escape (XSA-224, bsc#1042938)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042160)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037243)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036470)

  - CVE-2017-8905: Xen a failsafe callback, which might have     allowed PV guest OS users to execute arbitrary code on     the host OS (XSA-215, bsc#1034845).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes several issues. These security issues were fixed :

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042159).

  - CVE-2017-8379: Memory leak in the keyboard input event     handlers support allowed local guest OS privileged users     to cause a denial of service (host memory consumption)     by rapidly generating large keyboard events     (bsc#1037334).

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037242).

  - CVE-2017-7493: The VirtFS, host directory sharing via     Plan 9 File System(9pfs) support, was vulnerable to an     improper access control issue. It could occur while     accessing virtfs metadata files in mapped-file security     mode. A guest user could have used this flaw to escalate     their privileges inside guest (bsc#1039495).

  - CVE-2017-7377: The v9fs_create and v9fs_lcreate     functions in hw/9pfs/9p.c allowed local guest OS     privileged users to cause a denial of service (file     descriptor or memory consumption) via vectors related to     an already in-use fid (bsc#1032075).

  - CVE-2017-8086: A memory leak in the v9fs_list_xattr     function in hw/9pfs/9p-xattr.c allowed local guest OS     privileged users to cause a denial of service (memory     consumption) via vectors involving the orig_value     variable (bsc#1035950).

  - CVE-2017-5973: A infinite loop while doing control     transfer in xhci_kick_epctx allowed privileged user     inside the guest to crash the host process resulting in     DoS (bsc#1025109)

  - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks     function in hw/sd/sdhci.c allowed local OS guest     privileged users to cause a denial of service (infinite     loop and QEMU process crash) via vectors involving the     transfer mode register during multi block transfer     (bsc#1025311).

  - CVE-2017-6505: The ohci_service_ed_list function in     hw/usb/hcd-ohci.c allowed local guest OS users to cause     a denial of service (infinite loop) via vectors     involving the number of link endpoint list descriptors     (bsc#1028184)

  - CVE-2016-9603: A privileged user within the guest VM     could have caused a heap overflow in the device model     process, potentially escalating their privileges to that     of the device model process (bsc#1028656)

  - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local     guest OS privileged users to cause a denial of service     (out-of-bounds read and QEMU process crash) via vectors     related to copying VGA data via the     cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_     functions (bsc#1034908)

  - CVE-2017-7980: An out-of-bounds r/w access issues in the     Cirrus CLGD 54xx VGA Emulator support allowed privileged     user inside guest to use this flaw to crash the Qemu     process resulting in DoS or potentially execute     arbitrary code on a host with privileges of Qemu process     on the host (bsc#1035406)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036211).

  - CVE-2017-9375: The USB xHCI controller emulator support     was vulnerable to an infinite recursive call loop issue,     which allowed a privileged user inside guest to crash     the Qemu process resulting in DoS (bsc#1042800).

  - CVE-2017-9374: Missing free of 's->ipacket', causes a     host memory leak, allowing for DoS (bsc#1043073).

  - CVE-2017-9373: The IDE AHCI Emulation support was     vulnerable to a host memory leakage issue, which allowed     a privileged user inside guest to leak host memory     resulting in DoS (bsc#1042801).

  - CVE-2017-8380: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to an out-of-bounds     read access issue which allowed a privileged user inside     guest to read host memory resulting in DoS     (bsc#1037336).

  - CVE-2016-9602: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper link following issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1020427).

  - CVE-2017-7471: The VirtFS host directory sharing via     Plan 9 File System(9pfs) support was vulnerable to an     improper access control issue which allowed a privileged     user inside guest to access host file system beyond the     shared folder and potentially escalating their     privileges on a host (bsc#1034866).

  - Fix privilege escalation in TCG mode of QEMU. This is     not considered a security issue by the upstream project,     but is included as additional hardening (bsc#1030624)

  - Fix potential DoS in virtfs

  - CVE-2016-10028: The Virtio GPU Device emulator support     was vulnerable to an out of bounds memory access issue     allowing a guest user to crash the Qemu process instance     on a host, resulting in DoS (bsc#1017084, bsc#1016503)

  - CVE-2016-10029: The Virtio GPU Device emulator support     was vulnerable to an OOB read issue allowing a guest     user to crash the Qemu process instance resulting in Dos     (bsc#1017081, bsc#1016504)

  - CVE-2017-5579: The 16550A UART serial device emulation     support was vulnerable to a memory leakage issue     allowing a privileged user to cause a DoS and/or     potentially crash the Qemu process on the host     (bsc#1021741)

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043296).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes several issues. These security issues were fixed :

  - blkif responses leaked backend stack data, which allowed     unprivileged guest to obtain sensitive information from     the host or other guests (XSA-216, bsc#1042863)

  - Page transfer might have allowed PV guest to elevate     privilege (XSA-217, bsc#1042882)

  - Races in the grant table unmap code allowed for     informations leaks and potentially privilege escalation     (XSA-218, bsc#1042893)

  - Insufficient reference counts during shadow emulation     allowed a malicious pair of guest to elevate their     privileges to the privileges that XEN runs under     (XSA-219, bsc#1042915)

  - Stale P2M mappings due to insufficient error checking     allowed malicious guest to leak information or elevate     privileges (XSA-222, bsc#1042931)

  - Grant table operations mishandled reference counts     allowing malicious guests to escape (XSA-224,     bsc#1042938)

  - CVE-2017-9330: USB OHCI Emulation in qemu allowed local     guest OS users to cause a denial of service (infinite     loop) by leveraging an incorrect return value     (bsc#1042160)

  - CVE-2017-8309: Memory leak in the audio/audio.c allowed     remote attackers to cause a denial of service (memory     consumption) by repeatedly starting and stopping audio     capture (bsc#1037243)

  - CVE-2017-8905: Xen a failsafe callback, which might have     allowed PV guest OS users to execute arbitrary code on     the host OS (XSA-215, bsc#1034845).

  - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter     emulation support was vulnerable to a NULL pointer     dereference issue which allowed a privileged user inside     guest to crash the Qemu process on the host resulting in     DoS (bsc#1043297)

  - CVE-2017-9374: Missing free of 's->ipacket', causes a     host memory leak, allowing for DoS (bsc#1043074)

  - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest     OS privileged users to cause a denial of service     (infinite loop and CPU consumption) via the message ring     page count (bsc#1036470)

  - Missing NULL pointer check in event channel poll allows     guests to DoS the host (XSA-221, bsc#1042924)

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
138911	Debian DLA-2288-1 : qemu security update	Nessus	Debian Local Security Checks	high
130689	EulerOS 2.0 SP5 : qemu-kvm (EulerOS-SA-2019-2227)	Nessus	Huawei Local Security Checks	critical
117351	Debian DLA-1497-1 : qemu security update (Spectre)	Nessus	Debian Local Security Checks	high
104780	SUSE SLES11 Security Update : kvm (SUSE-SU-2017:3084-1)	Nessus	SuSE Local Security Checks	high
104495	SUSE SLES12 Security Update : qemu (SUSE-SU-2017:2969-1)	Nessus	SuSE Local Security Checks	high
104494	SUSE SLES11 Security Update : kvm (SUSE-SU-2017:2963-1)	Nessus	SuSE Local Security Checks	high
104471	SUSE SLES12 Security Update : qemu (SUSE-SU-2017:2946-1)	Nessus	SuSE Local Security Checks	high
103372	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : qemu regression (USN-3414-2)	Nessus	Ubuntu Local Security Checks	high
103217	Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : qemu vulnerabilities (USN-3414-1)	Nessus	Ubuntu Local Security Checks	high
101758	openSUSE Security Update : qemu (openSUSE-2017-822)	Nessus	SuSE Local Security Checks	high
101350	SUSE SLES12 Security Update : xen (SUSE-SU-2017:1812-1)	Nessus	SuSE Local Security Checks	critical
101293	SUSE SLES12 Security Update : xen (SUSE-SU-2017:1795-1)	Nessus	SuSE Local Security Checks	critical
101227	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2017:1774-1)	Nessus	SuSE Local Security Checks	high
101224	SUSE SLES11 Security Update : xen (SUSE-SU-2017:1770-1)	Nessus	SuSE Local Security Checks	high

CVE-2017-9503

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins