Debian DLA-1599-1 : qemu security update

critical Nessus Plugin ID 119310


The remote Debian host is missing a security update.


Several vulnerabilities were found in QEMU, a fast processor emulator :


Zuozhi Fzz discovered that eof_times in USB OHCI emulation support could be used to cause a denial of service, via a NULL pointer dereference.

CVE-2016-2392 / CVE-2016-2538

Qinghao Tang found a NULL pointer dereference and multiple integer overflows in the USB Net device support that could allow local guest OS administrators to cause a denial of service. These issues related to remote NDIS control message handling.


Yang Hongke reported an infinite loop vulnerability in the NE2000 NIC emulation support.


Liu Ling found a flaw in QEMU IP checksum routines. Attackers could take advantage of this issue to cause QEMU to crash.


Arbitrary stack based allocation in the Pseudo Random Number Generator (PRNG) back-end support.

CVE-2016-4001 / CVE-2016-4002

Oleksandr Bazhaniuk reported buffer overflows in the Stellaris and the MIPSnet ethernet controllers emulation. Remote malicious users could use these issues to cause QEMU to crash.


Donghai Zdh reported that QEMU incorrectly handled the access to the Task Priority Register (TPR), allowing local guest OS administrators to obtain sensitive information from host stack memory.


Du Shaobo found an infinite loop vulnerability in the USB EHCI emulation support.

CVE-2016-4439 / CVE-2016-4441 / CVE-2016-5238 / CVE-2016-5338 / CVE-2016-6351

Li Qiang found different issues in the QEMU 53C9X Fast SCSI Controller (FSC) emulation support, that made it possible for local guest OS privileged users to cause denials of service or potentially execute arbitrary code.

CVE-2016-4453 / CVE-2016-4454

Li Qiang reported issues in the QEMU VMWare VGA module handling, that may be used to cause QEMU to crash, or to obtain host sensitive information.

CVE-2016-4952 / CVE-2016-7421 / CVE-2016-7156

Li Qiang reported flaws in the VMware paravirtual SCSI bus emulation support. These issues concern an out-of-bounds access and infinite loops, that allowed local guest OS privileged users to cause a denial of service.

CVE-2016-5105 / CVE-2016-5106 / CVE-2016-5107 / CVE-2016-5337

Li Qiang discovered several issues in the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. These issues include stack information leakage while reading configuration and out-of-bounds write and read.


Li Qiang reported an infinite loop vulnerability during packet fragmentation in the network transport abstraction layer support.
Local guest OS privileged users could made use of this flaw to cause a denial of service.

CVE-2016-6836 / CVE-2016-6888

Li Qiang found issues in the VMWare VMXNET3 network card emulation support, relating to information leak and integer overflow in packet initialisation.


Felix Wilhel discovered a directory traversal flaw in the Plan 9 File System (9pfs), exploitable by local guest OS privileged users.


Tom Victor and Li Qiang reported an out-of-bounds read and an infinite loop in the VMware paravirtual SCSI bus emulation support.


Hu Chaojian reported a heap overflow in the xlnx.xps-ethernetlite emulation support. Privileged users in local guest OS could made use of this to cause QEMU to crash.


Qinghao Tang and Li Qiang reported a flaw in the QEMU VMWare VGA module, that could be used by privileged user in local guest OS to cause QEMU to crash via an out-of-bounds stack memory access.

CVE-2016-7908 / CVE-2016-7909

Li Qiang reported infinite loop vulnerabilities in the ColdFire Fast Ethernet Controller and the AMD PC-Net II (Am79C970A) emulations.
These flaws allowed local guest OS administrators to cause a denial of service.


Huawei PSIRT found an infinite loop vulnerability in the Intel HDA emulation support, relating to DMA buffer stream processing.
Privileged users in local guest OS could made use of this to cause a denial of service.


Andrew Henderson reported an infinite loop in the RTL8139 ethernet controller emulation support. Privileged users inside a local guest OS could made use of this to cause a denial of service.


Li Qiang reported a memory leakage in the i8255x (PRO100) ethernet controller emulation support.

CVE-2016-9102 / CVE-2016-9103 / CVE-2016-9104 / CVE-2016-9105 / CVE-2016-9106 / CVE-2016-8577 / CVE-2016-8578

Li Qiang reported various Plan 9 File System (9pfs) security issues, including host memory leakage and denial of service.


Denial of service in the qemu-nbd (QEMU Disk Network Block Device) Server.

CVE-2018-10839 / CVE-2018-17962 / CVE-2018-17963

Daniel Shapira reported several integer overflows in the packet handling in ethernet controllers emulated by QEMU. These issues could lead to denial of service.

For Debian 8 'Jessie', these problems have been fixed in version 1:2.1+dfsg-12+deb8u8.

We recommend that you upgrade your qemu packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.


Upgrade the affected packages.

See Also

Plugin Details

Severity: Critical

ID: 119310

File Name: debian_DLA-1599.nasl

Version: 1.5

Type: local

Agent: unix

Published: 12/1/2018

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information


Risk Factor: Medium

Score: 6.3


Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C


Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:qemu, p-cpe:/a:debian:debian_linux:qemu-guest-agent, p-cpe:/a:debian:debian_linux:qemu-kvm, p-cpe:/a:debian:debian_linux:qemu-system, p-cpe:/a:debian:debian_linux:qemu-system-arm, p-cpe:/a:debian:debian_linux:qemu-system-common, p-cpe:/a:debian:debian_linux:qemu-system-mips, p-cpe:/a:debian:debian_linux:qemu-system-misc, p-cpe:/a:debian:debian_linux:qemu-system-ppc, p-cpe:/a:debian:debian_linux:qemu-system-sparc, p-cpe:/a:debian:debian_linux:qemu-system-x86, p-cpe:/a:debian:debian_linux:qemu-user, p-cpe:/a:debian:debian_linux:qemu-user-binfmt, p-cpe:/a:debian:debian_linux:qemu-user-static, p-cpe:/a:debian:debian_linux:qemu-utils, cpe:/o:debian:debian_linux:8.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 11/30/2018

Vulnerability Publication Date: 4/7/2016

Reference Information

CVE: CVE-2016-2391, CVE-2016-2392, CVE-2016-2538, CVE-2016-2841, CVE-2016-2857, CVE-2016-2858, CVE-2016-4001, CVE-2016-4002, CVE-2016-4020, CVE-2016-4037, CVE-2016-4439, CVE-2016-4441, CVE-2016-4453, CVE-2016-4454, CVE-2016-4952, CVE-2016-5105, CVE-2016-5106, CVE-2016-5107, CVE-2016-5238, CVE-2016-5337, CVE-2016-5338, CVE-2016-6351, CVE-2016-6834, CVE-2016-6836, CVE-2016-6888, CVE-2016-7116, CVE-2016-7155, CVE-2016-7156, CVE-2016-7161, CVE-2016-7170, CVE-2016-7421, CVE-2016-7908, CVE-2016-7909, CVE-2016-8577, CVE-2016-8578, CVE-2016-8909, CVE-2016-8910, CVE-2016-9101, CVE-2016-9102, CVE-2016-9103, CVE-2016-9104, CVE-2016-9105, CVE-2016-9106, CVE-2017-10664, CVE-2018-10839, CVE-2018-17962, CVE-2018-17963