ID CVE-2013-4530
Summary Buffer overflow in hw/ssi/pl022.c in QEMU before 1.7.2 allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image.
Vulnerable Configurations
  • QEMU 1.7.1
    cpe:2.3:a:qemu:qemu:1.7.1
  • QEMU 1.6.2
    cpe:2.3:a:qemu:qemu:1.6.2
  • QEMU 1.6.1
    cpe:2.3:a:qemu:qemu:1.6.1
  • QEMU 1.6.0 release candidate 3
    cpe:2.3:a:qemu:qemu:1.6.0:rc3
  • QEMU 1.6.0 release candidate 2
    cpe:2.3:a:qemu:qemu:1.6.0:rc2
  • QEMU 1.6.0 release candidate 1
    cpe:2.3:a:qemu:qemu:1.6.0:rc1
  • QEMU 1.6.0
    cpe:2.3:a:qemu:qemu:1.6.0
  • QEMU 1.5.3
    cpe:2.3:a:qemu:qemu:1.5.3
  • QEMU 1.5.2
    cpe:2.3:a:qemu:qemu:1.5.2
  • QEMU 1.5.1
    cpe:2.3:a:qemu:qemu:1.5.1
  • QEMU 1.5.0 release candidate 3
    cpe:2.3:a:qemu:qemu:1.5.0:rc3
  • QEMU 1.5.0 release candidate 2
    cpe:2.3:a:qemu:qemu:1.5.0:rc2
  • QEMU 1.5.0 release candidate 1
    cpe:2.3:a:qemu:qemu:1.5.0:rc1
  • QEMU 1.5.0
    cpe:2.3:a:qemu:qemu:1.5.0
  • QEMU 1.4.2
    cpe:2.3:a:qemu:qemu:1.4.2
  • QEMU 1.4.1
    cpe:2.3:a:qemu:qemu:1.4.1
  • QEMU 1.1 release candidate 4
    cpe:2.3:a:qemu:qemu:1.1:rc4
  • QEMU 1.1 release candidate 3
    cpe:2.3:a:qemu:qemu:1.1:rc3
  • QEMU 1.1 release candidate 2
    cpe:2.3:a:qemu:qemu:1.1:rc2
  • QEMU 1.1 release candidate 1
    cpe:2.3:a:qemu:qemu:1.1:rc1
  • QEMU 1.1
    cpe:2.3:a:qemu:qemu:1.1
  • QEMU 1.0.1
    cpe:2.3:a:qemu:qemu:1.0.1
  • QEMU 1.0 release candidate 4
    cpe:2.3:a:qemu:qemu:1.0:rc4
  • QEMU 1.0 release candidate 3
    cpe:2.3:a:qemu:qemu:1.0:rc3
  • QEMU 1.0 release candidate 2
    cpe:2.3:a:qemu:qemu:1.0:rc2
  • QEMU 1.0 release candidate 1
    cpe:2.3:a:qemu:qemu:1.0:rc1
  • QEMU 1.0
    cpe:2.3:a:qemu:qemu:1.0
  • QEMU 0.1
    cpe:2.3:a:qemu:qemu:0.1
  • QEMU 0.1.1
    cpe:2.3:a:qemu:qemu:0.1.1
  • QEMU 0.1.2
    cpe:2.3:a:qemu:qemu:0.1.2
  • QEMU 0.1.3
    cpe:2.3:a:qemu:qemu:0.1.3
  • QEMU 0.1.4
    cpe:2.3:a:qemu:qemu:0.1.4
  • QEMU 0.1.5
    cpe:2.3:a:qemu:qemu:0.1.5
  • QEMU 0.1.6
    cpe:2.3:a:qemu:qemu:0.1.6
  • QEMU 0.10.0
    cpe:2.3:a:qemu:qemu:0.10.0
  • QEMU 0.10.1
    cpe:2.3:a:qemu:qemu:0.10.1
  • QEMU 0.10.2
    cpe:2.3:a:qemu:qemu:0.10.2
  • QEMU 0.10.3
    cpe:2.3:a:qemu:qemu:0.10.3
  • QEMU 0.10.4
    cpe:2.3:a:qemu:qemu:0.10.4
  • QEMU 0.10.5
    cpe:2.3:a:qemu:qemu:0.10.5
  • QEMU 0.10.6
    cpe:2.3:a:qemu:qemu:0.10.6
  • QEMU 0.11.0
    cpe:2.3:a:qemu:qemu:0.11.0
  • QEMU 0.11.0-rc0
    cpe:2.3:a:qemu:qemu:0.11.0:rc0
  • QEMU 0.11.0 release candidate 1
    cpe:2.3:a:qemu:qemu:0.11.0:rc1
  • QEMU 0.11.0 release candidate 2
    cpe:2.3:a:qemu:qemu:0.11.0:rc2
  • QEMU 0.11.0-rc0
    cpe:2.3:a:qemu:qemu:0.11.0-rc0
  • QEMU 0.11.0-rc1
    cpe:2.3:a:qemu:qemu:0.11.0-rc1
  • QEMU 0.11.0-rc2
    cpe:2.3:a:qemu:qemu:0.11.0-rc2
  • QEMU 0.11.1
    cpe:2.3:a:qemu:qemu:0.11.1
  • QEMU 0.12.0
    cpe:2.3:a:qemu:qemu:0.12.0
  • QEMU 0.12.0 release candidate 1
    cpe:2.3:a:qemu:qemu:0.12.0:rc1
  • QEMU 0.12.0 release candidate 2
    cpe:2.3:a:qemu:qemu:0.12.0:rc2
  • QEMU 0.12.1
    cpe:2.3:a:qemu:qemu:0.12.1
  • QEMU 0.12.2
    cpe:2.3:a:qemu:qemu:0.12.2
  • QEMU 0.12.3
    cpe:2.3:a:qemu:qemu:0.12.3
  • QEMU 0.12.4
    cpe:2.3:a:qemu:qemu:0.12.4
  • QEMU 0.12.5
    cpe:2.3:a:qemu:qemu:0.12.5
  • QEMU 0.13.0
    cpe:2.3:a:qemu:qemu:0.13.0
  • QEMU 0.13.0 release candidate 0
    cpe:2.3:a:qemu:qemu:0.13.0:rc0
  • QEMU 0.13.0 release candidate 1
    cpe:2.3:a:qemu:qemu:0.13.0:rc1
  • QEMU 0.14.0
    cpe:2.3:a:qemu:qemu:0.14.0
  • QEMU 0.14.0 release candidate 0
    cpe:2.3:a:qemu:qemu:0.14.0:rc0
  • QEMU 0.14.0 release candidate 1
    cpe:2.3:a:qemu:qemu:0.14.0:rc1
  • QEMU 0.14.0 release candidate 2
    cpe:2.3:a:qemu:qemu:0.14.0:rc2
  • QEMU 0.14.1
    cpe:2.3:a:qemu:qemu:0.14.1
  • QEMU 0.15.0 release candidate 1
    cpe:2.3:a:qemu:qemu:0.15.0:rc1
  • QEMU 0.15.0 release candidate 2
    cpe:2.3:a:qemu:qemu:0.15.0:rc2
  • QEMU 0.15.1
    cpe:2.3:a:qemu:qemu:0.15.1
  • QEMU 0.15.2
    cpe:2.3:a:qemu:qemu:0.15.2
  • QEMU 0.2
    cpe:2.3:a:qemu:qemu:0.2
  • QEMU 0.3
    cpe:2.3:a:qemu:qemu:0.3
  • QEMU 0.4
    cpe:2.3:a:qemu:qemu:0.4
  • QEMU 0.4.1
    cpe:2.3:a:qemu:qemu:0.4.1
  • QEMU 0.4.2
    cpe:2.3:a:qemu:qemu:0.4.2
  • QEMU 0.4.3
    cpe:2.3:a:qemu:qemu:0.4.3
  • QEMU 0.5.0
    cpe:2.3:a:qemu:qemu:0.5.0
  • QEMU 0.5.1
    cpe:2.3:a:qemu:qemu:0.5.1
  • QEMU 0.5.2
    cpe:2.3:a:qemu:qemu:0.5.2
  • QEMU 0.5.3
    cpe:2.3:a:qemu:qemu:0.5.3
  • QEMU 0.5.4
    cpe:2.3:a:qemu:qemu:0.5.4
  • QEMU 0.5.5
    cpe:2.3:a:qemu:qemu:0.5.5
  • QEMU 0.6.0
    cpe:2.3:a:qemu:qemu:0.6.0
  • QEMU 0.6.1
    cpe:2.3:a:qemu:qemu:0.6.1
  • QEMU 0.7.0
    cpe:2.3:a:qemu:qemu:0.7.0
  • QEMU 0.7.1
    cpe:2.3:a:qemu:qemu:0.7.1
  • QEMU 0.7.2
    cpe:2.3:a:qemu:qemu:0.7.2
  • QEMU 0.8.0
    cpe:2.3:a:qemu:qemu:0.8.0
  • QEMU 0.8.1
    cpe:2.3:a:qemu:qemu:0.8.1
  • QEMU 0.8.2
    cpe:2.3:a:qemu:qemu:0.8.2
  • QEMU 0.9.0
    cpe:2.3:a:qemu:qemu:0.9.0
  • QEMU 0.9.1
    cpe:2.3:a:qemu:qemu:0.9.1
  • QEMU 0.9.1-5
    cpe:2.3:a:qemu:qemu:0.9.1-5
CVSS
Base: 7.5 (as of 05-11-2014 - 10:03)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-220.NASL
    description Updated qemu packages fix security vulnerabilities : Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host (CVE-2013-4544). Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147). A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0150). A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0142). A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0146). It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0148). An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. 
A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-2894). Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0222, CVE-2014-0223). Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461). An information leak flaw was found in the way QEMU's VGA emulator accessed frame buffer memory for high resolution displays. A privileged guest user could use this flaw to leak memory contents of the host to the guest by setting the display to use a high resolution in the guest (CVE-2014-3615). When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access. Only guests using qemu user networking are affected (CVE-2014-3640). 
The Advanced Threat Research team at Intel Security reported that guest provided parameter were insufficiently validated in rectangle functions in the vmware-vga driver. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-3689). It was discovered that QEMU incorrectly handled USB xHCI controller live migration. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code (CVE-2014-5263). James Spadaro of Cisco reported insufficiently sanitized bits_per_pixel from the client in the QEMU VNC display driver. An attacker having access to the guest's VNC console could use this flaw to crash the guest (CVE-2014-7815). Additionally qemu-1.6+ requires usbredir-0.6+ for USB redirection support which is also being provided with this advisory.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 79407
    published 2014-11-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79407
    title Mandriva Linux Security Advisory : qemu (MDVSA-2014:220)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2342-1.NASL
    description Michael S. Tsirkin, Anthony Liguori, and Michael Roth discovered multiple issues with QEMU state loading after migration. An attacker able to modify the state data could use these issues to cause a denial of service, or possibly execute arbitrary code. (CVE-2013-4148, CVE-2013-4149, CVE-2013-4150, CVE-2013-4151, CVE-2013-4526, CVE-2013-4527, CVE-2013-4529, CVE-2013-4530, CVE-2013-4531, CVE-2013-4532, CVE-2013-4533, CVE-2013-4534, CVE-2013-4535, CVE-2013-4536, CVE-2013-4537, CVE-2013-4538, CVE-2013-4539, CVE-2013-4540, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461) Kevin Wolf, Stefan Hajnoczi, Fam Zheng, Jeff Cody, Stefan Hajnoczi, and others discovered multiple issues in the QEMU block drivers. An attacker able to modify disk images could use these issues to cause a denial of service, or possibly execute arbitrary code. (CVE-2014-0142, CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0146, CVE-2014-0147, CVE-2014-0222, CVE-2014-0223) It was discovered that QEMU incorrectly handled certain PCIe bus hotplug operations. A malicious guest could use this issue to crash the QEMU host, resulting in a denial of service. (CVE-2014-3471). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 77570
    published 2014-09-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77570
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : qemu, qemu-kvm vulnerabilities (USN-2342-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KVM-140528.NASL
    description Several security issues in KVM have been fixed. Some issues could have resulted in arbitrary code execution or crash of the kvm host. - virtio-net: buffer overflow in virtio_net_handle_mac() function. (CVE-2014-0150) - Fixed out of bounds buffer accesses, guest triggerable via IDE SMART. (CVE-2014-2894) - Fixed various virtio-net buffer overflows. (CVE-2013-4148 / CVE-2013-4149 / CVE-2013-4150 / CVE-2013-4151) - Fixed ahci buffer overrun. (CVE-2013-4526) - Fixed hpet buffer overrun. (CVE-2013-4527) - Fixed a PCIE-AER buffer overrun. (CVE-2013-4529) - Fixed a buffer overrun in pl022. (CVE-2013-4530) - Fixed a vmstate buffer overflow. (CVE-2013-4531) - Fixed a pxa2xx buffer overrun. (CVE-2013-4533) - Fixed a openpic buffer overrun. (CVE-2013-4534) - Validate virtio num_sg mapping. (CVE-2013-4535 / CVE-2013-4536) - Fixed ssi-sd buffer overrun. (CVE-2013-4537) - Fixed ssd0323 buffer overrun. (CVE-2013-4538) - Fixed tsc210x buffer overrun. (CVE-2013-4539) - Fixed Zaurus buffer overrun. (CVE-2013-4540) - Some USB sanity checking added. (CVE-2013-4541) - Fixed virtio scsi buffer overrun. (CVE-2013-4542) - Fixed another virtio buffer overrun. (CVE-2013-6399) - Validate config_len on load in virtio (CVE-2014-0182)
    last seen 2019-02-21
    modified 2014-11-06
    plugin id 76138
    published 2014-06-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=76138
    title SuSE 11.3 Security Update : KVM (SAT Patch Number 9302)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1745-1.NASL
    description xen was updated to fix 36 security issues. These security issues were fixed : - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might have allowed remote attackers to execute arbitrary code via vectors related to the number of timers (bnc#864673). - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c allowed remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image (bnc#864678). - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image (bnc#864682). - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image (bsc#864655). - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements (bsc#864811). - CVE-2013-4537: The ssi_sd_transfer function in hw/sd/ssi-sd.c allowed remote attackers to execute arbitrary code via a crafted arglen value in a savevm image (bsc#864391). - CVE-2013-4538: Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c allowed remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image (bsc#864769). - CVE-2013-4539: Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c might have allowed remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image (bsc#864805). 
- CVE-2014-0222: Integer overflow in the qcow_open function in block/qcow.c allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image (bsc#877642). - CVE-2014-3640: The sosendto function in slirp/udp.c allowed local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket (bsc#897654). - CVE-2014-3689: The vmware-vga driver (hw/display/vmware_vga.c) allowed local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling (bsc#901508). - CVE-2014-7815: The set_pixel_format function in ui/vnc.c allowed remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value (bsc#902737). - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality had multiple interpretations of a function's return value, which allowed guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions (bsc#928393). - CVE-2015-5278: Infinite loop in ne2000_receive() function (bsc#945989). - CVE-2015-6855: hw/ide/core.c did not properly restrict the commands accepted by an ATAPI device, which allowed guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash (bsc#945404). - CVE-2015-7512: Buffer overflow in the pcnet_receive function in hw/net/pcnet.c, when a guest NIC has a larger MTU, allowed remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet (bsc#957162). 
- CVE-2015-8345: eepro100: infinite loop in processing command block list (bsc#956829). - CVE-2015-8504: VNC: floating point exception (bsc#958491). - CVE-2015-8550: Paravirtualized drivers were incautious about shared memory contents (XSA-155) (bsc#957988). - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling (XSA-164) (bsc#958007). - CVE-2015-8555: Information leak in legacy x86 FPU/XMM initialization (XSA-165) (bsc#958009). - CVE-2015-8558: Infinite loop in ehci_advance_state resulted in DoS (bsc#959005). - CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bsc#960725). - CVE-2015-8745: Reading IMR registers lead to a crash via assert(2) call (bsc#960707). - CVE-2016-1568: AHCI use-after-free vulnerability in aio port commands (bsc#961332). - CVE-2016-1570: The PV superpage functionality in arch/x86/mm.c allowed local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates (bsc#960861). - CVE-2016-1571: VMX: intercept issue with INVLPG on non-canonical address (XSA-168) (bsc#960862). - CVE-2016-1714: nvram: OOB r/w access in processing firmware configurations (bsc#961691). - CVE-2016-1981: e1000 infinite loop in start_xmit and e1000_receive_iov routines (bsc#963782). - CVE-2016-2270: Xen allowed local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings (bsc#965315). - CVE-2016-2271: VMX when using an Intel or Cyrix CPU, allowed local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP (bsc#965317). - CVE-2016-2391: usb: multiple eof_timers in ohci module lead to NULL pointer dereference (bsc#967013). 
- CVE-2016-2392: NULL pointer dereference in remote NDIS control message handling (bsc#967012). - CVE-2016-2538: Integer overflow in remote NDIS control message handling (bsc#967969). - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive (bsc#969350). - XSA-166: ioreq handling possibly susceptible to multiple read issue (bsc#958523). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93177
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93177
    title SUSE SLES11 Security Update : xen (SUSE-SU-2016:1745-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0955-1.NASL
    description xen was updated to fix 47 security issues. These security issues were fixed : - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might have allowed remote attackers to execute arbitrary code via vectors related to the number of timers (bnc#864673). - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c allowed remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image (bnc#864678). - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image (bnc#864682). - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image (bsc#864655). - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements (bsc#864811). - CVE-2013-4537: The ssi_sd_transfer function in hw/sd/ssi-sd.c allowed remote attackers to execute arbitrary code via a crafted arglen value in a savevm image (bsc#864391). - CVE-2013-4538: Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c allowed remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image (bsc#864769). - CVE-2013-4539: Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c might have allowed remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image (bsc#864805). 
- CVE-2014-0222: Integer overflow in the qcow_open function in block/qcow.c allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image (bsc#877642). - CVE-2014-3640: The sosendto function in slirp/udp.c allowed local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket (bsc#897654). - CVE-2014-3689: The vmware-vga driver (hw/display/vmware_vga.c) allowed local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling (bsc#901508). - CVE-2014-7815: The set_pixel_format function in ui/vnc.c allowed remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value (bsc#902737). - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality had multiple interpretations of a function's return value, which allowed guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions (bsc#928393). - CVE-2015-1779: The VNC websocket frame decoder allowed remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section (bsc#924018). - CVE-2015-5278: Infinite loop in ne2000_receive() function (bsc#945989). - CVE-2015-6855: hw/ide/core.c did not properly restrict the commands accepted by an ATAPI device, which allowed guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash (bsc#945404). 
- CVE-2015-7512: Buffer overflow in the pcnet_receive function in hw/net/pcnet.c, when a guest NIC has a larger MTU, allowed remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet (bsc#957162). - CVE-2015-7549: pci: NULL pointer dereference issue (bsc#958917). - CVE-2015-8345: eepro100: infinite loop in processing command block list (bsc#956829). - CVE-2015-8504: VNC: floating point exception (bsc#958491). - CVE-2015-8550: Paravirtualized drivers were incautious about shared memory contents (XSA-155) (bsc#957988). - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling (XSA-164) (bsc#958007). - CVE-2015-8555: Information leak in legacy x86 FPU/XMM initialization (XSA-165) (bsc#958009). - CVE-2015-8558: Infinite loop in ehci_advance_state resulted in DoS (bsc#959005). - CVE-2015-8567: vmxnet3: host memory leakage (bsc#959387). - CVE-2015-8568: vmxnet3: host memory leakage (bsc#959387). - CVE-2015-8613: SCSI: stack-based buffer overflow in megasas_ctrl_get_info (bsc#961358). - CVE-2015-8619: Stack based OOB write in hmp_sendkey routine (bsc#960334). - CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bsc#960725). - CVE-2015-8744: vmxnet3: Incorrect l2 header validation lead to a crash via assert(2) call (bsc#960835). - CVE-2015-8745: Reading IMR registers lead to a crash via assert(2) call (bsc#960707). - CVE-2015-8817: OOB access in address_space_rw lead to segmentation fault (I) (bsc#969121). - CVE-2015-8818: OOB access in address_space_rw lead to segmentation fault (II) (bsc#969122). - CVE-2016-1568: AHCI use-after-free vulnerability in aio port commands (bsc#961332). 
- CVE-2016-1570: The PV superpage functionality in arch/x86/mm.c allowed local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates (bsc#960861). - CVE-2016-1571: VMX: intercept issue with INVLPG on non-canonical address (XSA-168) (bsc#960862). - CVE-2016-1714: nvram: OOB r/w access in processing firmware configurations (bsc#961691). - CVE-2016-1922: NULL pointer dereference in vapic_write() (bsc#962320). - CVE-2016-1981: e1000 infinite loop in start_xmit and e1000_receive_iov routines (bsc#963782). - CVE-2016-2198: EHCI NULL pointer dereference in ehci_caps_write (bsc#964413). - CVE-2016-2270: Xen allowed local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings (bsc#965315). - CVE-2016-2271: VMX when using an Intel or Cyrix CPU, allowed local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP (bsc#965317). - CVE-2016-2391: usb: multiple eof_timers in ohci module lead to NULL pointer dereference (bsc#967013). - CVE-2016-2392: NULL pointer dereference in remote NDIS control message handling (bsc#967012). - CVE-2016-2538: Integer overflow in remote NDIS control message handling (bsc#967969). - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive (bsc#969350). - XSA-166: ioreq handling possibly susceptible to multiple read issue (bsc#958523). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 90396
    published 2016-04-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90396
    title SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2016:0955-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-6288.NASL
    description - Migration CVEs: CVE-2014-0182 etc. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 74047
    published 2014-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74047
    title Fedora 20 : qemu-1.6.2-5.fc20 (2014-6288)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1318-1.NASL
    description xen was updated to fix 46 security issues. These security issues were fixed : - CVE-2013-4527: Buffer overflow in hw/timer/hpet.c might have allowed remote attackers to execute arbitrary code via vectors related to the number of timers (bsc#964746). - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c allowed remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image (bsc#964929). - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image (bsc#964950). - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image (bsc#964644). - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements (bsc#964452). - CVE-2013-4537: The ssi_sd_transfer function in hw/sd/ssi-sd.c allowed remote attackers to execute arbitrary code via a crafted arglen value in a savevm image (bsc#962642). - CVE-2013-4538: Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c allowed remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image (bsc#962335). - CVE-2013-4539: Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c might have allowed remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image (bsc#962758). 
- CVE-2014-0222: Integer overflow in the qcow_open function in block/qcow.c allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image (bsc#964925). - CVE-2014-3640: The sosendto function in slirp/udp.c allowed local users to cause a denial of service (NULL pointer dereference) by sending a udp packet with a value of 0 in the source port and address, which triggers access of an uninitialized socket (bsc#965112). - CVE-2014-3689: The vmware-vga driver (hw/display/vmware_vga.c) allowed local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling (bsc#962611). - CVE-2014-7815: The set_pixel_format function in ui/vnc.c allowed remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value (bsc#962627). - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality had multiple interpretations of a function's return value, which allowed guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions (bsc#964431). - CVE-2015-1779: The VNC websocket frame decoder allowed remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section (bsc#962632). - CVE-2015-5278: Infinite loop in ne2000_receive() function (bsc#964947). - CVE-2015-6855: hw/ide/core.c did not properly restrict the commands accepted by an ATAPI device, which allowed guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash (bsc#965156). 
- CVE-2015-7512: Buffer overflow in the pcnet_receive function in hw/net/pcnet.c, when a guest NIC has a larger MTU, allowed remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet (bsc#962360). - CVE-2015-7549: pci: NULL pointer dereference issue (bsc#958918). - CVE-2015-8345: eepro100: infinite loop in processing command block list (bsc#956832). - CVE-2015-8504: VNC: floating point exception (bsc#958493). - CVE-2015-8550: Paravirtualized drivers were incautious about shared memory contents (XSA-155) (bsc#957988). - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling (XSA-164) (bsc#958007). - CVE-2015-8555: Information leak in legacy x86 FPU/XMM initialization (XSA-165) (bsc#958009). - CVE-2015-8558: Infinite loop in ehci_advance_state resulted in DoS (bsc#959006). - CVE-2015-8567: vmxnet3: host memory leakage (bsc#959387). - CVE-2015-8568: vmxnet3: host memory leakage (bsc#959387). - CVE-2015-8613: SCSI: stack-based buffer overflow in megasas_ctrl_get_info (bsc#961358). - CVE-2015-8619: Stack based OOB write in hmp_sendkey routine (bsc#965269). - CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bsc#960726). - CVE-2015-8744: vmxnet3: Incorrect l2 header validation led to a crash via assert(2) call (bsc#960836). - CVE-2015-8745: Reading IMR registers led to a crash via assert(2) call (bsc#960707). - CVE-2015-8817: OOB access in address_space_rw led to segmentation fault (I) (bsc#969125). - CVE-2015-8818: OOB access in address_space_rw led to segmentation fault (II) (bsc#969126). - CVE-2016-1568: AHCI use-after-free vulnerability in aio port commands (bsc#961332).
- CVE-2016-1570: The PV superpage functionality in arch/x86/mm.c allowed local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates (bsc#960861). - CVE-2016-1571: VMX: intercept issue with INVLPG on non-canonical address (XSA-168) (bsc#960862). - CVE-2016-1714: nvram: OOB r/w access in processing firmware configurations (bsc#961692). - CVE-2016-1922: NULL pointer dereference in vapic_write() (bsc#962321). - CVE-2016-1981: e1000 infinite loop in start_xmit and e1000_receive_iov routines (bsc#963783). - CVE-2016-2198: EHCI NULL pointer dereference in ehci_caps_write (bsc#964415). - CVE-2016-2270: Xen allowed local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings (bsc#965315). - CVE-2016-2271: VMX when using an Intel or Cyrix CPU, allowed local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP (bsc#965317). - CVE-2016-2391: usb: multiple eof_timers in ohci module lead to NULL pointer dereference (bsc#967101). - CVE-2016-2392: NULL pointer dereference in remote NDIS control message handling (bsc#967090). - CVE-2016-2538: Integer overflow in remote NDIS control message handling (bsc#968004). - XSA-166: ioreq handling possibly susceptible to multiple read issue (bsc#958523). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 91249
    published 2016-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91249
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2016:1318-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-061.NASL
    description Updated qemu packages fix multiple security vulnerabilities : Sibiao Luo discovered that QEMU incorrectly handled device hot-unplugging. A local user could possibly use this flaw to cause a denial of service (CVE-2013-4377). Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host (CVE-2013-4544). Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147). A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0150). A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0142). A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0146). It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0148). 
An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-2894). Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0222, CVE-2014-0223). Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461). An information leak flaw was found in the way QEMU's VGA emulator accessed frame buffer memory for high resolution displays. A privileged guest user could use this flaw to leak memory contents of the host to the guest by setting the display to use a high resolution in the guest (CVE-2014-3615). When a guest sends a udp packet with source port and source addr 0, an uninitialized socket is picked up when looking for matching and already created udp sockets, and is later passed to sosendto(), where a NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access. Only guests using qemu user networking are affected (CVE-2014-3640).
The Advanced Threat Research team at Intel Security reported that guest-provided parameters were insufficiently validated in rectangle functions in the vmware-vga driver. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-3689). It was discovered that QEMU incorrectly handled USB xHCI controller live migration. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code (CVE-2014-5263). James Spadaro of Cisco reported insufficiently sanitized bits_per_pixel from the client in the QEMU VNC display driver. An attacker having access to the guest's VNC console could use this flaw to crash the guest (CVE-2014-7815). During migration, the values read from the migration stream during ram load are not validated, especially the offset in host_from_stream_offset() and the length of the writes in the callers of that function. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-7840). Paolo Bonzini of Red Hat discovered that the blit region checks were insufficient in the Cirrus VGA emulator in qemu. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-8106). This update also provides usbredirparser 0.6 as a prerequisite of qemu-1.6.2.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 81944
    published 2015-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81944
    title Mandriva Linux Security Advisory : qemu (MDVSA-2015:061)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-439.NASL
    description xen was updated to version 4.4.4 to fix 33 security issues. These security issues were fixed : - CVE-2016-2392: NULL pointer dereference in remote NDIS control message handling (bsc#967012). - CVE-2015-5239: Integer overflow in vnc_client_read() and protocol_client_msg() (bsc#944463). - CVE-2016-2270: Xen allowed local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings (boo#965315). - CVE-2016-2538: Integer overflow in remote NDIS control message handling (bsc#967969). - CVE-2015-7512: Buffer overflow in the pcnet_receive function in hw/net/pcnet.c, when a guest NIC has a larger MTU, allowed remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet (boo#962360). - CVE-2014-3689: The vmware-vga driver (hw/display/vmware_vga.c) allowed local guest users to write to qemu memory locations and gain privileges via unspecified parameters related to rectangle handling (boo#962611). - CVE-2015-5278: Infinite loop in ne2000_receive() function (bsc#945989). - CVE-2016-1568: AHCI use-after-free vulnerability in aio port commands (bsc#961332). - CVE-2016-1981: e1000 infinite loop in start_xmit and e1000_receive_iov routines (bsc#963782). - CVE-2016-2198: EHCI NULL pointer dereference in ehci_caps_write (bsc#964413). - CVE-2015-6815: e1000: infinite loop issue (bsc#944697). - CVE-2014-0222: Integer overflow in the qcow_open function in block/qcow.c allowed remote attackers to cause a denial of service (crash) via a large L2 table in a QCOW version 1 image (boo#964925). 
- CVE-2015-6855: hw/ide/core.c did not properly restrict the commands accepted by an ATAPI device, which allowed guest users to cause a denial of service or possibly have unspecified other impact via certain IDE commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty drive, which triggers a divide-by-zero error and instance crash (boo#965156). - CVE-2016-2271: VMX in using an Intel or Cyrix CPU, allowed local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP (boo#965317). - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via vectors related to IRQDest elements (boo#964452). - CVE-2013-4537: The ssi_sd_transfer function in hw/sd/ssi-sd.c allowed remote attackers to execute arbitrary code via a crafted arglen value in a savevm image (boo#962642). - CVE-2015-1779: The VNC websocket frame decoder allowed remote attackers to cause a denial of service (memory and CPU consumption) via a large (1) websocket payload or (2) HTTP headers section (boo#962632). - CVE-2013-4530: Buffer overflow in hw/ssi/pl022.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via crafted tx_fifo_head and rx_fifo_head values in a savevm image (boo#964950). - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load function in hw/arm/pxa2xx.c allowed remote attackers to cause a denial of service or possibly execute arbitrary code via a crafted s->rx_level value in a savevm image (boo#964644). - CVE-2013-4539: Multiple buffer overflows in the tsc210x_load function in hw/input/tsc210x.c allowed remote attackers to execute arbitrary code via a crafted (1) precision, (2) nextprecision, (3) function, or (4) nextfunction value in a savevm image (boo#962758). 
- CVE-2013-4538: Multiple buffer overflows in the ssd0323_load function in hw/display/ssd0323.c allowed remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and row_end values; or (5) col_star and col_end values in a savevm image (boo#962335). - CVE-2015-8345: eepro100: infinite loop in processing command block list (bsc#956829). - CVE-2015-8613: scsi: stack based buffer overflow in megasas_ctrl_get_info (bsc#961358). - CVE-2015-8619: Stack based OOB write in hmp_sendkey routine (bsc#960334). - CVE-2016-1571: The paging_invlpg function in include/asm-x86/paging.h, when using shadow mode paging or nested virtualization is enabled, allowed local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check (boo#960862). - CVE-2016-1570: The PV superpage functionality in arch/x86/mm.c allowed local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates (boo#960861). - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces in the IDE functionality had multiple interpretations of a function's return value, which allowed guest OS users to cause a host OS denial of service (memory consumption or infinite loop, and system crash) via a PRDT with zero complete sectors, related to the bmdma_prepare_buf and ahci_dma_prepare_buf functions (boo#964431). - CVE-2016-1714: nvram: OOB r/w access in processing firmware configurations (bsc#961691). - CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions (bsc#960725). 
- CVE-2015-8744: vmxnet3: incorrect l2 header validation leads to a crash via assert(2) call (bsc#960835). - CVE-2015-8745: Reading IMR registers could have led to a crash via assert(2) call (bsc#960707). - CVE-2014-7815: The set_pixel_format function in ui/vnc.c allowed remote attackers to cause a denial of service (crash) via a small bytes_per_pixel value (boo#962627). - CVE-2013-4529: Buffer overflow in hw/pci/pcie_aer.c allowed remote attackers to cause a denial of service and possibly execute arbitrary code via a large log_num value in a savevm image (boo#964929).
    last seen 2019-02-21
    modified 2016-10-13
    plugin id 90478
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90478
    title openSUSE Security Update : xen (openSUSE-2016-439)
refmap via4
confirm http://git.qemu.org/?p=qemu.git;a=commitdiff;h=d8d0a0bc7e194300e53a346d25fe5724fd588387
fedora FEDORA-2014-6288
mlist
  • [Qemu-devel] 20131213 [PATCH 00/23] qemu state loading issues
  • [Qemu-stable] 20140723 [ANNOUNCE] QEMU 1.7.2 Stable released
Last major update 05-11-2014 - 10:03
Published 04-11-2014 - 16:55