SUSE SLES11 Security Update : kvm (SUSE-SU-2016:1785-1)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

kvm was updated to fix 33 security issues.

These security issues were fixed :

- CVE-2016-4439: Avoid OOB access in 53C9X emulation
(bsc#980711)

- CVE-2016-4441: Avoid OOB access in 53C9X emulation
(bsc#980723)

- CVE-2016-3710: Fixed VGA emulation based OOB access with
potential for guest escape (bsc#978158)

- CVE-2016-3712: Fixed VGa emulation based DOS and OOB
read access exploit (bsc#978160)

- CVE-2016-4037: Fixed USB ehci based DOS (bsc#976109)

- CVE-2016-2538: Fixed potential OOB access in USB net
device emulation (bsc#967969)

- CVE-2016-2841: Fixed OOB access / hang in ne2000
emulation (bsc#969350)

- CVE-2016-2858: Avoid potential DOS when using QEMU
pseudo random number generator (bsc#970036)

- CVE-2016-2857: Fixed OOB access when processing IP
checksums (bsc#970037)

- CVE-2016-4001: Fixed OOB access in Stellaris enet
emulated nic (bsc#975128)

- CVE-2016-4002: Fixed OOB access in MIPSnet emulated
controller (bsc#975136)

- CVE-2016-4020: Fixed possible host data leakage to guest
from TPR access (bsc#975700)

- CVE-2015-3214: Fixed OOB read in i8254 PIC (bsc#934069)

- CVE-2014-9718: Fixed the handling of malformed or short
ide PRDTs to avoid any opportunity for guest to cause
DoS by abusing that interface (bsc#928393)

- CVE-2014-3689: Fixed insufficient parameter validation
in rectangle functions (bsc#901508)

- CVE-2014-3615: The VGA emulator in QEMU allowed local
guest users to read host memory by setting the display
to a high resolution (bsc#895528).

- CVE-2015-5239: Integer overflow in vnc_client_read() and
protocol_client_msg() (bsc#944463).

- CVE-2015-5278: Infinite loop in ne2000_receive()
function (bsc#945989).

- CVE-2015-5279: Heap-based buffer overflow in the
ne2000_receive function in hw/net/ne2000.c in QEMU
allowed guest OS users to cause a denial of service
(instance crash) or possibly execute arbitrary code via
vectors related to receiving packets (bsc#945987).

- CVE-2015-5745: Buffer overflow in virtio-serial
(bsc#940929).

- CVE-2015-6855: hw/ide/core.c in QEMU did not properly
restrict the commands accepted by an ATAPI device, which
allowed guest users to cause a denial of service or
possibly have unspecified other impact via certain IDE
commands, as demonstrated by a WIN_READ_NATIVE_MAX
command to an empty drive, which triggers a
divide-by-zero error and instance crash (bsc#945404).

- CVE-2015-7295: hw/virtio/virtio.c in the Virtual Network
Device (virtio-net) support in QEMU, when big or
mergeable receive buffers are not supported, allowed
remote attackers to cause a denial of service (guest
network consumption) via a flood of jumbo frames on the
(1) tuntap or (2) macvtap interface (bsc#947159).

- CVE-2015-7549: PCI NULL pointer dereferences
(bsc#958917).

- CVE-2015-8504: VNC floating point exception
(bsc#958491).

- CVE-2015-8558: Infinite loop in ehci_advance_state
resulting in DoS (bsc#959005).

- CVE-2015-8613: Wrong sized memset in megasas command
handler (bsc#961358).

- CVE-2015-8619: Potential DoS for long HMP sendkey
command argument (bsc#960334).

- CVE-2015-8743: OOB memory access in ne2000 ioport r/w
functions (bsc#960725).

- CVE-2016-1568: AHCI use-after-free in aio port commands
(bsc#961332).

- CVE-2016-1714: Potential OOB memory access in processing
firmware configuration (bsc#961691).

- CVE-2016-1922: NULL pointer dereference when processing
hmp i/o command (bsc#962320).

- CVE-2016-1981: Potential DoS (infinite loop) in e1000
device emulation by malicious privileged user within
guest (bsc#963782).

- CVE-2016-2198: Malicious privileged guest user were able
to cause DoS by writing to read-only EHCI capabilities
registers (bsc#964413).

This non-security issue was fixed :

- Fix case of IDE interface needing busy status set before
flush (bsc#936132)

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/895528
https://bugzilla.suse.com/901508
https://bugzilla.suse.com/928393
https://bugzilla.suse.com/934069
https://bugzilla.suse.com/936132
https://bugzilla.suse.com/940929
https://bugzilla.suse.com/944463
https://bugzilla.suse.com/945404
https://bugzilla.suse.com/945987
https://bugzilla.suse.com/945989
https://bugzilla.suse.com/947159
https://bugzilla.suse.com/958491
https://bugzilla.suse.com/958917
https://bugzilla.suse.com/959005
https://bugzilla.suse.com/960334
https://bugzilla.suse.com/960725
https://bugzilla.suse.com/961332
https://bugzilla.suse.com/961333
https://bugzilla.suse.com/961358
https://bugzilla.suse.com/961556
https://bugzilla.suse.com/961691
https://bugzilla.suse.com/962320
https://bugzilla.suse.com/963782
https://bugzilla.suse.com/964413
https://bugzilla.suse.com/967969
https://bugzilla.suse.com/969350
https://bugzilla.suse.com/970036
https://bugzilla.suse.com/970037
https://bugzilla.suse.com/975128
https://bugzilla.suse.com/975136
https://bugzilla.suse.com/975700
https://bugzilla.suse.com/976109
https://bugzilla.suse.com/978158
https://bugzilla.suse.com/978160
https://bugzilla.suse.com/980711
https://bugzilla.suse.com/980723
https://www.suse.com/security/cve/CVE-2014-3615.html
https://www.suse.com/security/cve/CVE-2014-3689.html
https://www.suse.com/security/cve/CVE-2014-9718.html
https://www.suse.com/security/cve/CVE-2015-3214.html
https://www.suse.com/security/cve/CVE-2015-5239.html
https://www.suse.com/security/cve/CVE-2015-5278.html
https://www.suse.com/security/cve/CVE-2015-5279.html
https://www.suse.com/security/cve/CVE-2015-5745.html
https://www.suse.com/security/cve/CVE-2015-6855.html
https://www.suse.com/security/cve/CVE-2015-7295.html
https://www.suse.com/security/cve/CVE-2015-7549.html
https://www.suse.com/security/cve/CVE-2015-8504.html
https://www.suse.com/security/cve/CVE-2015-8558.html
https://www.suse.com/security/cve/CVE-2015-8613.html
https://www.suse.com/security/cve/CVE-2015-8619.html
https://www.suse.com/security/cve/CVE-2015-8743.html
https://www.suse.com/security/cve/CVE-2016-1568.html
https://www.suse.com/security/cve/CVE-2016-1714.html
https://www.suse.com/security/cve/CVE-2016-1922.html
https://www.suse.com/security/cve/CVE-2016-1981.html
https://www.suse.com/security/cve/CVE-2016-2198.html
https://www.suse.com/security/cve/CVE-2016-2538.html
https://www.suse.com/security/cve/CVE-2016-2841.html
https://www.suse.com/security/cve/CVE-2016-2857.html
https://www.suse.com/security/cve/CVE-2016-2858.html
https://www.suse.com/security/cve/CVE-2016-3710.html
https://www.suse.com/security/cve/CVE-2016-3712.html
https://www.suse.com/security/cve/CVE-2016-4001.html
https://www.suse.com/security/cve/CVE-2016-4002.html
https://www.suse.com/security/cve/CVE-2016-4020.html
https://www.suse.com/security/cve/CVE-2016-4037.html
https://www.suse.com/security/cve/CVE-2016-4439.html
https://www.suse.com/security/cve/CVE-2016-4441.html
http://www.nessus.org/u?3d049621

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 11-SP4 :

zypper in -t patch slessp4-kvm-12645=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false