[oss-security] 20181008 Qemu: integer overflow issues

[debian-lts-announce] 20181130 [SECURITY] [DLA 1599-1] qemu security update

[qemu-devel] 20180926 [PULL 24/25] net: ignore packet size greater than INT_MAX

USN-3826-1

DSA-4338

This update for xen fixes the following issues :

Security issues fixed :

CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in slirp (bsc#1123157).

CVE-2017-13672: Fixed an out of bounds read access during display update (bsc#1056336).

Fixed an issue which could allow malicious or buggy guests with passed through PCI devices to be able to escalate their privileges, crash the host, or access data belonging to other guests. Additionally memory leaks were also possible (bsc#1126140)

Fixed a race condition issue which could allow malicious PV guests to escalate their privilege to that of the hypervisor (bsc#1126141).

CVE-2018-18849: Fixed an out of bounds msg buffer access which could lead to denial of service (bsc#1114423).

Fixed an issue which could allow a malicious unprivileged guest userspace process to escalate its privilege to that of other userspace processes in the same guest and potentially thereby to that of the guest operating system (bsc#1126201).

CVE-2018-17958: Fixed an integer overflow leading to a buffer overflow in the rtl8139 component (bsc#1111007)

CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host, resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988)

CVE-2018-19665: Fixed an integer overflow resulting in memory corruption in various Bluetooth functions, allowing this to crash qemu process resulting in Denial of Service (DoS). (bsc#1117756).

CVE-2019-9824: Fixed an information leak in SLiRP networking implementation which could allow a user/process to read uninitialised stack memory contents (bsc#1129623).

CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040)

CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS) (XSA-280) (bsc#1115047).

CVE-2018-10839: Fixed an integer overflow leading to a buffer overflow in the ne2000 component (bsc#1110924).

CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045).

Fixed an issue which could allow malicious 64bit PV guests to cause a host crash (bsc#1127400).

Fixed an issue which could allow malicious PV guests may cause a host crash or gain access to data pertaining to other guests.Additionally, vulnerable configurations are likely to be unstable even in the absence of an attack (bsc#1126198).

Fixed multiple access violations introduced by XENMEM_exchange hypercall which could allow a single PV guest to leak arbitrary amounts of memory, leading to a denial of service (bsc#1126192).

CVE-2018-17963: Fixed an integer overflow in relation to large packet sizes, leading to a denial of service (DoS). (bsc#1111014).

Fixed an issue which could allow a malicious or buggy x86 PV guest kernels can mount a Denial of Service attack affecting the whole system (bsc#1126196).

Fixed an issue which could allow an untrusted PV domain with access to a physical device to DMA into its own pagetables leading to privilege escalation (bsc#1126195).

CVE-2018-17962: Fixed an integer overflow leading to a buffer overflow in the pcnet component (bsc#1111011)

CVE-2018-18438: Fixed an integer overflow in ccid_card_vscard_read function which could lead to memory corruption (bsc#1112188).

Other issues fixed: Upstream bug fixes (bsc#1027519)

Fixed an issue where XEN SLE12-SP1 domU hangs on SLE12-SP3 HV1108940 (bsc#1108940).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

Security issues fixed :

CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114423).

CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host, resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988)

CVE-2018-19665: Fixed an integer overflow in Bluetooth routines allows memory corruption (bsc#1117756).

CVE-2018-18438: Fixed an integer overflow in ccid_card_vscard_read function which allows memory corruption (bsc#1112188).

CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111011).

Fixed an issue which could allow a malicious unprivileged guest userspace process to escalate its privilege to that of other userspace processes in the same guest and potentially thereby to that of the guest operating system (bsc#1126201).

CVE-2018-19961 CVE-2018-19962: Fixed insufficient TLB flushing / improper large page mappings with AMD IOMMUs (XSA-275)(bsc#1115040).

CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
(bsc#1111014)

Fixed an issue which could allow an untrusted PV domain with access to a physical device to DMA into its own pagetables leading to privilege escalation (bsc#1126195).

Fixed an issue which could allow a malicious or buggy x86 PV guest kernels can mount a Denial of Service attack affecting the whole system (bsc#1126196)

CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111007).

CVE-2018-10839: Fixed an integer overflow which could lead to a buffer overflow issue (bsc#1110924).

CVE-2019-6778: Fixed a heap buffer overflow in tcp_emu() found in slirp (bsc#1123157).

CVE-2018-19966: Fixed issue introduced by XSA-240 that could have caused conflicts with shadow paging (XSA-280)(bsc#1115047).

CVE-2017-13672: Fixed an out of bounds read access during display update (bsc#1056336).

Fixed multiple access violations introduced by XENMEM_exchange hypercall which could allow a single PV guest to leak arbitrary amounts of memory, leading to a denial of service (bsc#1126192).

Fixed an issue which could allow malicious or buggy guests with passed through PCI devices to be able to escalate their privileges, crash the host, or access data belonging to other guests. Additionally memory leaks were also possible (bsc#1126140).

Fixed a race condition issue which could allow malicious PV guests to escalate their privilege to that of the hypervisor (bsc#1126141).

CVE-2019-9824: Fixed an information leak in SLiRP networking implementation which could allow a user/process to read uninitialised stack memory contents (bsc#1129623).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

  - CVE-2018-10839: Fixed NE2000 NIC emulation support that     is vulnerable to an integer overflow, which could lead     to buffer overflow issue. It could occur when receiving     packets over the network. A user inside guest could use     this flaw to crash the Qemu process resulting in DoS     (bsc#1110910).

  - CVE-2018-15746: Fixed qemu-seccomp.c that might allow     local OS guest users to cause a denial of service (guest     crash) by leveraging mishandling of the seccomp policy     for threads other than the main thread (bsc#1106222).

  - CVE-2018-16847: Fixed an OOB heap buffer r/w access     issue that was found in the NVM Express Controller     emulation in QEMU. It could occur in nvme_cmb_ops     routines in nvme device. A guest user/process could use     this flaw to crash the QEMU process resulting in DoS or     potentially run arbitrary code with privileges of the     QEMU process (bsc#1114529).

  - CVE-2018-17958: Fixed a Buffer Overflow in     rtl8139_do_receive in hw/net/rtl8139.c because an     incorrect integer data type is used (bsc#1111006).

  - CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive     in hw/net/pcnet.c because an incorrect integer data type     is used (bsc#1111010).

  - CVE-2018-17963: Fixed qemu_deliver_packet_iov in     net/net.c that accepts packet sizes greater than     INT_MAX, which allows attackers to cause a denial of     service or possibly have unspecified other impact.
    (bsc#1111013)

  - CVE-2018-18849: Fixed an out of bounds memory access     issue that was found in the LSI53C895A SCSI Host Bus     Adapter emulation while writing a message in     lsi_do_msgin. It could occur during migration if the     'msg_len' field has an invalid value. A user/process     could use this flaw to crash the Qemu process resulting     in DoS (bsc#1114422).

Non-security issues fixed :

  - Fix slowness in arm32 emulation (bsc#1112499).

  - In order to improve spectre mitigation for s390x, add a     new feature in the QEMU cpu model to provide the etoken     cpu feature for guests (bsc#1107489).

This update was imported from the SUSE:SLE-15:Update update project.

This update for xen fixes the following issues :

Security vulnerabilities fixed :

CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040)

CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045)

CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS) (XSA-280) (bsc#1115047)

CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host, resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988)

CVE-2018-19665: Fixed an integer overflow resulting in memory corruption in various Bluetooth functions, allowing this to crash qemu process resulting in Denial of Service (DoS). (bsc#1117756).

CVE-2018-18849: Fixed an out of bounds memory access in the LSI53C895A SCSI host bus adapter emulation, which allowed a user and/or process to crash the qemu process resulting in a Denial of Service (DoS).
(bsc#1114423)

Fixed an integer overflow in ccid_card_vscard_read(), which allowed for memory corruption. (bsc#1112188)

CVE-2017-13672: Fixed an out of bounds read access during display update (bsc#1056336)

CVE-2018-17958: Fixed an integer overflow leading to a buffer overflow in the rtl8139 component (bsc#1111007)

CVE-2018-17962: Fixed an integer overflow leading to a buffer overflow in the pcnet component (bsc#1111011)

CVE-2018-17963: Fixed an integer overflow in relation to large packet sizes, leading to a denial of service (DoS). (bsc#1111014)

CVE-2018-10839: Fixed an integer overflow leading to a buffer overflow in the ne2000 component (bsc#1110924)

Other bugs fixed: Fixed an issue related to a domU hang on SLE12-SP3 HV (bsc#1108940)

Upstream bug fixes (bsc#1027519)

Fixed crashing VMs when migrating between dom0 hosts (bsc#1031382)

Fixed an issue with xpti=no-dom0 not working as expected (bsc#1105528)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

Update to Xen 4.11.1 bug fix release (bsc#1027519)

CVE-2018-17963: Fixed an integer overflow issue in the QEMU emulator, which could occur when a packet with large packet size is processed. A user inside a guest could have used this flaw to crash the qemu process resulting in a Denial of Service (DoS). (bsc#1111014)

CVE-2018-18849: Fixed an out of bounds memory access in the LSI53C895A SCSI host bus adapter emulation, which allowed a user and/or process to crash the qemu process resulting in a Denial of Service (DoS).
(bsc#1114423)

CVE-2018-18883: Fixed an issue related to inproper restriction of nested VT-x, which allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS). (XSA-278) (bsc#1114405)

CVE-2018-19961, CVE-2018-19962: Fixed an issue related to insufficient TLB flushing with AMD IOMMUs, which potentially allowed a guest to escalate its privileges, may cause a Denial of Service (DoS) affecting the entire host, or may be able to access data it is not supposed to access. (XSA-275) (bsc#1115040)

CVE-2018-19963: Fixed the allocation of pages used to communicate with external emulators, which may have cuased Xen to crash, resulting in a Denial of Service (DoS). (XSA-276) (bsc#1115043)

CVE-2018-19965: Fixed an issue related to the INVPCID instruction in case non-canonical addresses are accessed, which may allow a guest to cause Xen to crash, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-279) (bsc#1115045)

CVE-2018-19966: Fixed an issue related to a previous fix for XSA-240, which conflicted with shadow paging and allowed a guest to cause Xen to crash, resulting in a Denial of Service (DoS) (XSA-280) (bsc#1115047)

CVE-2018-19967: Fixed HLE constructs that allowed guests to lock up the host, resulting in a Denial of Service (DoS). (XSA-282) (bsc#1114988)

CVE-2018-19964: Fixed the incorrect error handling of p2m page removals, which allowed a guest to cause a deadlock, resulting in a Denial of Service (DoS) affecting the entire host. (XSA-277) (bsc#1115044)

CVE-2018-19665: Fixed an integer overflow resulting in memory corruption in various Bluetooth functions, allowing this to crash qemu process resulting in Denial of Service (DoS). (bsc#1117756).

Other bugs fixed: Fixed an issue related to a domU hang on SLE12-SP3 HV (bsc#1108940)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Fix cpu model crash on AMD hosts (bz #1640140)

  - CVE-2018-15746: seccomp blacklist is not applied to all     threads (bz #1618357)

  - Fix assertion in address_space_stw_le_cached (bz     #1644728)

  - CVE-2018-10839: ne2000: fix possible out of bound access     (bz #1636429)

  - CVE-2018-17958: rtl8139: fix possible out of bound     access (bz #1636729)

  - CVE-2018-17962: pcnet: fix possible buffer overflow (bz     #1636775)

  - CVE-2018-17963: net: ignore packet size greater than     INT_MAX (bz #1636782)

  - CVE-2018-18849: lsi53c895a: OOB msg buffer access leads     to DoS (bz #1644977)

  - CVE-2018-18954: ppc64: Out-of-bounds r/w stack access in     pnv_lpc_do_eccb (bz #1645442)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

CVE-2018-10839: Fixed NE2000 NIC emulation support that is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS (bsc#1110910).

CVE-2018-15746: Fixed qemu-seccomp.c that might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread (bsc#1106222).

CVE-2018-16847: Fixed an OOB heap buffer r/w access issue that was found in the NVM Express Controller emulation in QEMU. It could occur in nvme_cmb_ops routines in nvme device. A guest user/process could use this flaw to crash the QEMU process resulting in DoS or potentially run arbitrary code with privileges of the QEMU process (bsc#1114529).

CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111006).

CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111010).

CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
(bsc#1111013)

CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114422).

Non-security issues fixed: Fix slowness in arm32 emulation (bsc#1112499).

In order to improve spectre mitigation for s390x, add a new feature in the QEMU cpu model to provide the etoken cpu feature for guests (bsc#1107489).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

CVE-2018-10839: Fixed NE2000 NIC emulation support that is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS (bsc#1110910).

CVE-2018-15746: Fixed qemu-seccomp.c that might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread (bsc#1106222).

CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111006).

CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111010).

CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
(bsc#1111013)

CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114422).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

CVE-2018-10839: Fixed NE2000 NIC emulation support that is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS (bsc#1110910).

CVE-2018-15746: Fixed qemu-seccomp.c that might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread (bsc#1106222).

CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111006).

CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111010).

CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
(bsc#1111013)

CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114422).

CVE-2018-16847: Fixed an out of bounds r/w buffer access in cmb operations (bsc#1114529).

Non-security issue fixed: Fixed a condition when retry logic does not have been executed in case of data transmit failure or connection hungup (bsc#1108474).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

CVE-2018-10839: Fixed NE2000 NIC emulation support that is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS (bsc#1110910).

CVE-2018-15746: Fixed qemu-seccomp.c that might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread (bsc#1106222).

CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111006).

CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111010).

CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
(bsc#1111013)

CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114422).

Non-security issues fixed: Improving disk performance for qemu on xen (bsc#1100408)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for qemu fixes the following issues :

Security issues fixed :

  - CVE-2018-10839: Fixed NE2000 NIC emulation support that     is vulnerable to an integer overflow, which could lead     to buffer overflow issue. It could occur when receiving     packets over the network. A user inside guest could use     this flaw to crash the Qemu process resulting in DoS     (bsc#1110910).

  - CVE-2018-15746: Fixed qemu-seccomp.c that might allow     local OS guest users to cause a denial of service (guest     crash) by leveraging mishandling of the seccomp policy     for threads other than the main thread (bsc#1106222).

  - CVE-2018-17958: Fixed a Buffer Overflow in     rtl8139_do_receive in hw/net/rtl8139.c because an     incorrect integer data type is used (bsc#1111006).

  - CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive     in hw/net/pcnet.c because an incorrect integer data type     is used (bsc#1111010).

  - CVE-2018-17963: Fixed qemu_deliver_packet_iov in     net/net.c that accepts packet sizes greater than     INT_MAX, which allows attackers to cause a denial of     service or possibly have unspecified other impact.
    (bsc#1111013)

  - CVE-2018-18849: Fixed an out of bounds memory access     issue that was found in the LSI53C895A SCSI Host Bus     Adapter emulation while writing a message in     lsi_do_msgin. It could occur during migration if the     'msg_len' field has an invalid value. A user/process     could use this flaw to crash the Qemu process resulting     in DoS (bsc#1114422).

Non-security issues fixed :

  - Improving disk performance for qemu on xen (bsc#1100408)

This update was imported from the SUSE:SLE-12-SP3:Update update project.

This update for kvm fixes the following issues :

Security issues fixed :

CVE-2018-10839: Fixed NE2000 NIC emulation support that is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS (bsc#1110910).

CVE-2018-15746: Fixed qemu-seccomp.c that might allow local OS guest users to cause a denial of service (guest crash) by leveraging mishandling of the seccomp policy for threads other than the main thread (bsc#1106222).

CVE-2018-17958: Fixed a Buffer Overflow in rtl8139_do_receive in hw/net/rtl8139.c because an incorrect integer data type is used (bsc#1111006).

CVE-2018-17962: Fixed a Buffer Overflow in pcnet_receive in hw/net/pcnet.c because an incorrect integer data type is used (bsc#1111010).

CVE-2018-17963: Fixed qemu_deliver_packet_iov in net/net.c that accepts packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact.
(bsc#1111013)

CVE-2018-18849: Fixed an out of bounds memory access issue that was found in the LSI53C895A SCSI Host Bus Adapter emulation while writing a message in lsi_do_msgin. It could occur during migration if the 'msg_len' field has an invalid value. A user/process could use this flaw to crash the Qemu process resulting in DoS (bsc#1114422).

CVE-2018-18438: Fixed integer overflows because IOReadHandler and its associated functions use a signed integer data type for a size value (bnc#1112185).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities were found in QEMU, a fast processor emulator :

CVE-2016-2391

Zuozhi Fzz discovered that eof_times in USB OHCI emulation support could be used to cause a denial of service, via a NULL pointer dereference.

CVE-2016-2392 / CVE-2016-2538

Qinghao Tang found a NULL pointer dereference and multiple integer overflows in the USB Net device support that could allow local guest OS administrators to cause a denial of service. These issues related to remote NDIS control message handling.

CVE-2016-2841

Yang Hongke reported an infinite loop vulnerability in the NE2000 NIC emulation support.

CVE-2016-2857

Liu Ling found a flaw in QEMU IP checksum routines. Attackers could take advantage of this issue to cause QEMU to crash.

CVE-2016-2858

Arbitrary stack based allocation in the Pseudo Random Number Generator (PRNG) back-end support.

CVE-2016-4001 / CVE-2016-4002

Oleksandr Bazhaniuk reported buffer overflows in the Stellaris and the MIPSnet ethernet controllers emulation. Remote malicious users could use these issues to cause QEMU to crash.

CVE-2016-4020

Donghai Zdh reported that QEMU incorrectly handled the access to the Task Priority Register (TPR), allowing local guest OS administrators to obtain sensitive information from host stack memory.

CVE-2016-4037

Du Shaobo found an infinite loop vulnerability in the USB EHCI emulation support.

CVE-2016-4439 / CVE-2016-4441 / CVE-2016-5238 / CVE-2016-5338 / CVE-2016-6351

Li Qiang found different issues in the QEMU 53C9X Fast SCSI Controller (FSC) emulation support, that made it possible for local guest OS privileged users to cause denials of service or potentially execute arbitrary code.

CVE-2016-4453 / CVE-2016-4454

Li Qiang reported issues in the QEMU VMWare VGA module handling, that may be used to cause QEMU to crash, or to obtain host sensitive information.

CVE-2016-4952 / CVE-2016-7421 / CVE-2016-7156

Li Qiang reported flaws in the VMware paravirtual SCSI bus emulation support. These issues concern an out-of-bounds access and infinite loops, that allowed local guest OS privileged users to cause a denial of service.

CVE-2016-5105 / CVE-2016-5106 / CVE-2016-5107 / CVE-2016-5337

Li Qiang discovered several issues in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. These issues include stack information leakage while reading configuration and out-of-bounds write and read.

CVE-2016-6834

Li Qiang reported an infinite loop vulnerability during packet fragmentation in the network transport abstraction layer support.
Local guest OS privileged users could made use of this flaw to cause a denial of service.

CVE-2016-6836 / CVE-2016-6888

Li Qiang found issues in the VMWare VMXNET3 network card emulation support, relating to information leak and integer overflow in packet initialisation.

CVE-2016-7116

Felix Wilhel discovered a directory traversal flaw in the Plan 9 File System (9pfs), exploitable by local guest OS privileged users.

CVE-2016-7155

Tom Victor and Li Qiang reported an out-of-bounds read and an infinite loop in the VMware paravirtual SCSI bus emulation support.

CVE-2016-7161

Hu Chaojian reported a heap overflow in the xlnx.xps-ethernetlite emulation support. Privileged users in local guest OS could made use of this to cause QEMU to crash.

CVE-2016-7170

Qinghao Tang and Li Qiang reported a flaw in the QEMU VMWare VGA module, that could be used by privileged user in local guest OS to cause QEMU to crash via an out-of-bounds stack memory access.

CVE-2016-7908 / CVE-2016-7909

Li Qiang reported infinite loop vulnerabilities in the ColdFire Fast Ethernet Controller and the AMD PC-Net II (Am79C970A) emulations.
These flaws allowed local guest OS administrators to cause a denial of service.

CVE-2016-8909

Huawei PSIRT found an infinite loop vulnerability in the Intel HDA emulation support, relating to DMA buffer stream processing.
Privileged users in local guest OS could made use of this to cause a denial of service.

CVE-2016-8910

Andrew Henderson reported an infinite loop in the RTL8139 ethernet controller emulation support. Privileged users inside a local guest OS could made use of this to cause a denial of service.

CVE-2016-9101

Li Qiang reported a memory leakage in the i8255x (PRO100) ethernet controller emulation support.

CVE-2016-9102 / CVE-2016-9103 / CVE-2016-9104 / CVE-2016-9105 / CVE-2016-9106 / CVE-2016-8577 / CVE-2016-8578

Li Qiang reported various Plan 9 File System (9pfs) security issues, including host memory leakage and denial of service.

CVE-2017-10664

Denial of service in the qemu-nbd (QEMU Disk Network Block Device) Server.

CVE-2018-10839 / CVE-2018-17962 / CVE-2018-17963

Daniel Shapira reported several integer overflows in the packet handling in ethernet controllers emulated by QEMU. These issues could lead to denial of service.

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u8.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled NE2000 device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-10839)

It was discovered that QEMU incorrectly handled the Slirp networking back-end. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-11806)

Fakhri Zulkifli discovered that the QEMU guest agent incorrectly handled certain QMP commands. An attacker could possibly use this issue to crash the QEMU guest agent, resulting in a denial of service.
(CVE-2018-12617)

Li Qiang discovered that QEMU incorrectly handled NVM Express Controller emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly execute arbitrary code on the host. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-16847)

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled RTL8139 device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-17958)

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled PCNET device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2018-17962)

Daniel Shapira discovered that QEMU incorrectly handled large packet sizes. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-17963)

It was discovered that QEMU incorrectly handled LSI53C895A device emulation. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2018-18849)

Moguofang discovered that QEMU incorrectly handled the IPowerNV LPC controller. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-18954)

Zhibin Hu discovered that QEMU incorrectly handled the Plan 9 File System support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2018-19364).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Integer overflows in the processing of packets in network cards emulated by QEMU, a fast processor emulator, could result in denial of service.

In addition this update backports support to passthrough the new CPU features added in the intel-microcode update shipped in DSA 4273 to x86-based guests.

This update for xen fixes the following issues :

XEN was updated to the Xen 4.9.3 bug fix only release (bsc#1027519)

  - CVE-2018-17963: qemu_deliver_packet_iov accepted packet     sizes greater than INT_MAX, which allows attackers to     cause a denial of service or possibly have unspecified     other impact. (bsc#1111014)

  - CVE-2018-15470: oxenstored might not have enforced the     configured quota-maxentity. This allowed a malicious or     buggy guest to write as many xenstore entries as it     wishes, causing unbounded memory usage in oxenstored.
    This can lead to a system-wide DoS. (XSA-272)     (bsc#1103279)

  - CVE-2018-15469: ARM never properly implemented grant     table v2, either in the hypervisor or in Linux.
    Unfortunately, an ARM guest can still request v2 grant     tables; they will simply not be properly set up,     resulting in subsequent grant-related hypercalls hitting     BUG() checks. An unprivileged guest can cause a BUG()     check in the hypervisor, resulting in a     denial-of-service (crash). (XSA-268) (bsc#1103275) Note     that SUSE does not ship ARM Xen, so we are not affected.

  - CVE-2018-15468: The DEBUGCTL MSR contains several     debugging features, some of which virtualise cleanly,     but some do not. In particular, Branch Trace Store is     not virtualised by the processor, and software has to be     careful to configure it suitably not to lock up the     core. As a result, it must only be available to fully     trusted guests. Unfortunately, in the case that vPMU is     disabled, all value checking was skipped, allowing the     guest to choose any MSR_DEBUGCTL setting it likes. A     malicious or buggy guest administrator (on Intel x86 HVM     or PVH) can lock up the entire host, causing a Denial of     Service. (XSA-269) (bsc#1103276)

  - CVE-2018-3646: Systems with microprocessors utilizing     speculative execution and address translations may have     allowed unauthorized disclosure of information residing     in the L1 data cache to an attacker with local user     access with guest OS privilege via a terminal page fault     and a side-channel analysis. (XSA-273) (bsc#1091107)

Non security issues fixed :

  - The affinity reporting via 'xl vcpu-list' was broken     (bsc#1106263)

  - Kernel oops in fs/dcache.c called by     d_materialise_unique() (bsc#1094508)

This update was imported from the SUSE:SLE-12-SP3:Update update project.

This update for xen fixes the following issues :

XEN was updated to the Xen 4.9.3 bug fix only release (bsc#1027519)

CVE-2018-17963: qemu_deliver_packet_iov accepted packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. (bsc#1111014)

CVE-2018-15470: oxenstored might not have enforced the configured quota-maxentity. This allowed a malicious or buggy guest to write as many xenstore entries as it wishes, causing unbounded memory usage in oxenstored. This can lead to a system-wide DoS. (XSA-272) (bsc#1103279)

CVE-2018-15469: ARM never properly implemented grant table v2, either in the hypervisor or in Linux. Unfortunately, an ARM guest can still request v2 grant tables; they will simply not be properly set up, resulting in subsequent grant-related hypercalls hitting BUG() checks.
An unprivileged guest can cause a BUG() check in the hypervisor, resulting in a denial-of-service (crash). (XSA-268) (bsc#1103275) Note that SUSE does not ship ARM Xen, so we are not affected.

CVE-2018-15468: The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests.
Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) can lock up the entire host, causing a Denial of Service.
(XSA-269) (bsc#1103276)

CVE-2018-3646: Systems with microprocessors utilizing speculative execution and address translations may have allowed unauthorized disclosure of information residing in the L1 data cache to an attacker with local user access with guest OS privilege via a terminal page fault and a side-channel analysis. (XSA-273) (bsc#1091107)

Non security issues fixed: The affinity reporting via 'xl vcpu-list' was broken (bsc#1106263)

Kernel oops in fs/dcache.c called by d_materialise_unique() (bsc#1094508)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for xen fixes the following issues :

CVE-2018-17963: qemu_deliver_packet_iov accepted packet sizes greater than INT_MAX, which allows attackers to cause a denial of service or possibly have unspecified other impact. (bsc#1111014)

CVE-2018-15468: The DEBUGCTL MSR contains several debugging features, some of which virtualise cleanly, but some do not. In particular, Branch Trace Store is not virtualised by the processor, and software has to be careful to configure it suitably not to lock up the core. As a result, it must only be available to fully trusted guests.
Unfortunately, in the case that vPMU is disabled, all value checking was skipped, allowing the guest to choose any MSR_DEBUGCTL setting it likes. A malicious or buggy guest administrator (on Intel x86 HVM or PVH) could have locked up the entire host, causing a Denial of Service. (XSA-269) (bsc#1103276)

Non security issues fixed: Kernel oops in fs/dcache.c called by d_materialise_unique() (bsc#1094508)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
123634	SUSE SLES12 Security Update : xen (SUSE-SU-2019:0827-1)	Nessus	SuSE Local Security Checks	high
123633	SUSE SLES12 Security Update : xen (SUSE-SU-2019:0825-1)	Nessus	SuSE Local Security Checks	high
123389	openSUSE Security Update : qemu (openSUSE-2019-961)	Nessus	SuSE Local Security Checks	high
121004	SUSE SLES11 Security Update : xen (SUSE-SU-2019:13921-1)	Nessus	SuSE Local Security Checks	high
120983	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2019:0003-1)	Nessus	SuSE Local Security Checks	high
120587	Fedora 29 : 2:qemu (2018-87f2ace20d)	Nessus	Fedora Local Security Checks	high
120171	SUSE SLED15 / SLES15 Security Update : qemu (SUSE-SU-2018:3927-1)	Nessus	SuSE Local Security Checks	high
119872	SUSE SLES12 Security Update : qemu (SUSE-SU-2018:4237-1)	Nessus	SuSE Local Security Checks	high
119763	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:4185-1)	Nessus	SuSE Local Security Checks	high
119741	SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2018:4129-1)	Nessus	SuSE Local Security Checks	high
119717	openSUSE Security Update : qemu (openSUSE-2018-1563)	Nessus	SuSE Local Security Checks	high
119491	openSUSE Security Update : qemu (openSUSE-2018-1483)	Nessus	SuSE Local Security Checks	high
119456	SUSE SLES11 Security Update : kvm (SUSE-SU-2018:3987-1)	Nessus	SuSE Local Security Checks	high
119454	SUSE SLES11 Security Update : kvm (SUSE-SU-2018:3975-1)	Nessus	SuSE Local Security Checks	high
119453	SUSE SLES12 Security Update : qemu (SUSE-SU-2018:3973-1)	Nessus	SuSE Local Security Checks	high
119310	Debian DLA-1599-1 : qemu security update	Nessus	Debian Local Security Checks	critical
119216	Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS / 18.10 : qemu vulnerabilities (USN-3826-1)	Nessus	Ubuntu Local Security Checks	high
119215	SUSE SLES12 Security Update : qemu (SUSE-SU-2018:3912-1)	Nessus	SuSE Local Security Checks	high
118895	Debian DSA-4338-1 : qemu - security update	Nessus	Debian Local Security Checks	high
118563	openSUSE Security Update : xen (openSUSE-2018-1331) (Foreshadow)	Nessus	SuSE Local Security Checks	high
118491	SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2018:3490-1) (Foreshadow)	Nessus	SuSE Local Security Checks	high
118351	SUSE SLES12 Security Update : xen (SUSE-SU-2018:3332-1)	Nessus	SuSE Local Security Checks	high

CVE-2018-17963

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Tenable Plugins