FreeBSD : xen-tools -- QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks (e6ce6f50-4212-11e6-942d-bc5ff45d0f28)

high Nessus Plugin ID 91938
New! Plugin Severity Now Using CVSS v3

The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.


The remote FreeBSD host is missing a security-related update.


The Xen Project reports :

Qemu VGA module allows banked access to video memory using the window at 0xa00000 and it supports different access modes with different address calculations.

Qemu VGA module allows guest to edit certain registers in 'vbe' and 'vga' modes.

A privileged guest user could use CVE-2016-3710 to exceed the bank address window and write beyond the said memory area, potentially leading to arbitrary code execution with privileges of the Qemu process. If the system is not using stubdomains, this will be in domain 0.

A privileged guest user could use CVE-2016-3712 to cause potential integer overflow or OOB read access issues in Qemu, resulting in a DoS of the guest itself. More dangerous effect, such as data leakage or code execution, are not known but cannot be ruled out.


Update the affected package.

See Also

Plugin Details

Severity: High

ID: 91938

File Name: freebsd_pkg_e6ce6f50421211e6942dbc5ff45d0f28.nasl

Version: 2.5

Type: local

Published: 7/5/2016

Updated: 1/4/2021

Dependencies: ssh_get_info.nasl

Risk Information


Risk Factor: Medium

Score: 6.5


Risk Factor: High

Base Score: 7.2

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C


Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:xen-tools, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 7/4/2016

Vulnerability Publication Date: 5/9/2016

Reference Information

CVE: CVE-2016-3710, CVE-2016-3712