ID CVE-2014-8106
Summary Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320.
References
Vulnerable Configurations
  • QEMU QEMU 2.1.2
    cpe:2.3:a:qemu:qemu:2.1.2
  • QEMU QEMU 2.1.1
    cpe:2.3:a:qemu:qemu:2.1.1
  • QEMU QEMU 2.1.0 release candidate 5
    cpe:2.3:a:qemu:qemu:2.1.0:rc5
  • QEMU QEMU 2.1.0 release candidate 3
    cpe:2.3:a:qemu:qemu:2.1.0:rc3
  • QEMU QEMU 2.1.0 release candidate 2
    cpe:2.3:a:qemu:qemu:2.1.0:rc2
  • QEMU QEMU 2.1.0 release candidate 1
    cpe:2.3:a:qemu:qemu:2.1.0:rc1
  • QEMU QEMU 2.1.0 release candidate 0
    cpe:2.3:a:qemu:qemu:2.1.0:rc0
  • QEMU QEMU 2.1.0
    cpe:2.3:a:qemu:qemu:2.1.0
CVSS
Base: 4.6 (as of 28-06-2016 - 13:02)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-0867.NASL
    description From Red Hat Security Advisory 2015:0867 : An updated qemu-kvm package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM- allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106) This issue was found by Paolo Bonzini of Red Hat. This update also fixes the following bug : * Previously, the effective downtime during the last phase of a live migration would sometimes be much higher than the maximum downtime specified by 'migration_downtime' in vdsm.conf. This problem has been corrected. The value of 'migration_downtime' is now honored and the migration is aborted if the downtime cannot be achieved. (BZ#1142756) All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2017-10-29
    modified 2017-03-03
    plugin id 82982
    published 2015-04-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82982
    title Oracle Linux 6 : qemu-kvm (ELSA-2015-0867)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-0867.NASL
    description An updated qemu-kvm package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM- allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106) This issue was found by Paolo Bonzini of Red Hat. This update also fixes the following bug : * Previously, the effective downtime during the last phase of a live migration would sometimes be much higher than the maximum downtime specified by 'migration_downtime' in vdsm.conf. This problem has been corrected. The value of 'migration_downtime' is now honored and the migration is aborted if the downtime cannot be achieved. (BZ#1142756) All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2017-10-29
    modified 2017-03-03
    plugin id 83000
    published 2015-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83000
    title CentOS 6 : qemu-kvm (CESA-2015:0867)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-1886.NASL
    description - Fix qemu_bh_schedule race condition (bz #1165315) - CVE-2014-8106: cirrus: insufficient blit region checks Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-10-19
    plugin id 81393
    published 2015-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81393
    title Fedora 20 : qemu-1.6.2-13.fc20 (2015-1886)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0349.NASL
    description Updated qemu-kvm packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM-allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106) An uninitialized data structure use flaw was found in the way the set_pixel_format() function sanitized the value of bits_per_pixel. An attacker able to access a guest's VNC console could use this flaw to crash the guest. (CVE-2014-7815) It was found that certain values that were read when loading RAM during migration were not validated. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-7840) A NULL pointer dereference flaw was found in the way QEMU handled UDP packets with a source port and address of 0 when QEMU's user networking was in use. A local guest user could use this flaw to crash the guest. (CVE-2014-3640) Red Hat would like to thank James Spadaro of Cisco for reporting CVE-2014-7815, and Xavier Mehrenberger and Stephane Duverger of Airbus for reporting CVE-2014-3640. The CVE-2014-8106 issue was found by Paolo Bonzini of Red Hat, and the CVE-2014-7840 issue was discovered by Michael S. Tsirkin of Red Hat. Bug fixes : * The KVM utility executed demanding routing update system calls every time it performed an MSI vector mask/unmask operation. Consequently, guests running legacy systems such as Red Hat Enterprise Linux 5 could, under certain circumstances, experience significant slowdown. Now, the routing system calls during mask/unmask operations are skipped, and the performance of legacy guests is now more consistent. (BZ#1098976) * Due to a bug in the Internet Small Computer System Interface (iSCSI) driver, a qemu-kvm process terminated unexpectedly with a segmentation fault when the 'write same' command was executed in guest mode under the iSCSI protocol. This update fixes the bug, and the 'write same' command now functions in guest mode under iSCSI as intended. (BZ#1083413) * The QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault. This update fixes the related code, and QEMU no longer crashes in the described situation. (BZ#1066338) Enhancements : * The maximum number of supported virtual CPUs (vCPUs) in a KVM guest has been increased to 240. This increases the number of virtual processing units that the user can assign to the guest, and therefore improves its performance potential. (BZ#1134408) * Support for the 5th Generation Intel Core processors has been added to the QEMU hypervisor, the KVM kernel code, and the libvirt API. This allows KVM guests to use the following instructions and features: ADCX, ADOX, RDSFEED, PREFETCHW, and supervisor mode access prevention (SMAP). (BZ#1116117) * The 'dump-guest-memory' command now supports crash dump compression. This makes it possible for users who cannot use the 'virsh dump' command to require less hard disk space for guest crash dumps. In addition, saving a compressed guest crash dump frequently takes less time than saving a non-compressed one. (BZ#1157798) * This update introduces support for flight recorder tracing, which uses SystemTap to automatically capture qemu-kvm data while the guest machine is running. For detailed instructions on how to configure and use flight recorder tracing, see the Virtualization Deployment and Administration Guide, linked to in the References section below. (BZ#1088112)
    last seen 2017-10-29
    modified 2017-03-03
    plugin id 81632
    published 2015-03-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81632
    title RHEL 7 : qemu-kvm (RHSA-2015:0349)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0868.NASL
    description Updated qemu-kvm-rhev packages that fix one security issue and one bug are now available for Red Hat Enterprise Virtualization. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM-allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106) This issue was discovered by Paolo Bonzini of Red Hat. This update also fixes the following bug : * Previously, the effective downtime during the last phase of a live migration would sometimes be much higher than the maximum downtime specified by 'migration_downtime' in vdsm.conf. This problem has been corrected. The value of 'migration_downtime' is now honored and the migration is aborted if the downtime cannot be achieved. (BZ#1142756) All users of qemu-kvm-rhev are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2017-10-29
    modified 2017-03-03
    plugin id 83048
    published 2015-04-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83048
    title RHEL 6 : qemu-kvm-rhev (RHSA-2015:0868)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0349-1.NASL
    description QEMU was updated to fix various bugs and security issues. Following security issues were fixed: CVE-2014-8106: Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU allowed local guest users to execute arbitrary code via vectors related to blit regions. - CVE-2014-7840: The host_from_stream_offset function in arch_init.c in QEMU, when loading RAM during migration, allowed remote attackers to execute arbitrary code via a crafted (1) offset or (2) length value in savevm data. Also a bug was fixed where qemu-img convert could occasionaly corrupt images. (bsc#908380) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-03-03
    plugin id 83686
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83686
    title SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2015:0349-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-0349.NASL
    description From Red Hat Security Advisory 2015:0349 : Updated qemu-kvm packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM-allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106) An uninitialized data structure use flaw was found in the way the set_pixel_format() function sanitized the value of bits_per_pixel. An attacker able to access a guest's VNC console could use this flaw to crash the guest. (CVE-2014-7815) It was found that certain values that were read when loading RAM during migration were not validated. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-7840) A NULL pointer dereference flaw was found in the way QEMU handled UDP packets with a source port and address of 0 when QEMU's user networking was in use. A local guest user could use this flaw to crash the guest. (CVE-2014-3640) Red Hat would like to thank James Spadaro of Cisco for reporting CVE-2014-7815, and Xavier Mehrenberger and Stephane Duverger of Airbus for reporting CVE-2014-3640. The CVE-2014-8106 issue was found by Paolo Bonzini of Red Hat, and the CVE-2014-7840 issue was discovered by Michael S. Tsirkin of Red Hat. Bug fixes : * The KVM utility executed demanding routing update system calls every time it performed an MSI vector mask/unmask operation. Consequently, guests running legacy systems such as Red Hat Enterprise Linux 5 could, under certain circumstances, experience significant slowdown. Now, the routing system calls during mask/unmask operations are skipped, and the performance of legacy guests is now more consistent. (BZ#1098976) * Due to a bug in the Internet Small Computer System Interface (iSCSI) driver, a qemu-kvm process terminated unexpectedly with a segmentation fault when the 'write same' command was executed in guest mode under the iSCSI protocol. This update fixes the bug, and the 'write same' command now functions in guest mode under iSCSI as intended. (BZ#1083413) * The QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault. This update fixes the related code, and QEMU no longer crashes in the described situation. (BZ#1066338) Enhancements : * The maximum number of supported virtual CPUs (vCPUs) in a KVM guest has been increased to 240. This increases the number of virtual processing units that the user can assign to the guest, and therefore improves its performance potential. (BZ#1134408) * Support for the 5th Generation Intel Core processors has been added to the QEMU hypervisor, the KVM kernel code, and the libvirt API. This allows KVM guests to use the following instructions and features: ADCX, ADOX, RDSFEED, PREFETCHW, and supervisor mode access prevention (SMAP). (BZ#1116117) * The 'dump-guest-memory' command now supports crash dump compression. This makes it possible for users who cannot use the 'virsh dump' command to require less hard disk space for guest crash dumps. In addition, saving a compressed guest crash dump frequently takes less time than saving a non-compressed one. (BZ#1157798) * This update introduces support for flight recorder tracing, which uses SystemTap to automatically capture qemu-kvm data while the guest machine is running. For detailed instructions on how to configure and use flight recorder tracing, see the Virtualization Deployment and Administration Guide, linked to in the References section below. (BZ#1088112)
    last seen 2017-10-29
    modified 2017-03-03
    plugin id 81803
    published 2015-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81803
    title Oracle Linux 7 : qemu-kvm (ELSA-2015-0349)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0095.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0095 for details.
    last seen 2018-01-31
    modified 2018-01-30
    plugin id 99976
    published 2017-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99976
    title OracleVM 3.3 : xen (OVMSA-2017-0095)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150421_QEMU_KVM_ON_SL6_X.NASL
    description It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM- allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106) This update also fixes the following bug : - Previously, the effective downtime during the last phase of a live migration would sometimes be much higher than the maximum downtime specified by 'migration_downtime' in vdsm.conf. This problem has been corrected. The value of 'migration_downtime' is now honored and the migration is aborted if the downtime cannot be achieved. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2017-10-29
    modified 2015-04-22
    plugin id 82989
    published 2015-04-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82989
    title Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64
  • NASL family Misc.
    NASL id CITRIX_XENSERVER_CTX200892.NASL
    description The version of Citrix XenServer installed on the remote host is affected by multiple vulnerabilities : - A flaw exists in the VGA emulator in QEMU that allows a local guest user to read host memory by setting the display to a high resolution. (CVE-2014-3615) - A flaw exists in the set_pixel_format() function within ui/vnc.c in QEMU that allows a remote attacker, using a small bytes_per_pixel value, to cause a denial of service condition. (CVE-2014-7815) - A heap-based buffer overflow flaw exists in the Cirrus VGA emulator that allows local guest users to execute arbitrary code via vectors related to blit regions. (CVE-2014-8106) Note that environments that contain only PV guests are not vulnerable to these issues.
    last seen 2017-10-29
    modified 2017-02-08
    plugin id 83163
    published 2015-04-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83163
    title Citrix XenServer Multiple Vulnerabilities (CTX200892)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0096.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0096 for details.
    last seen 2018-01-31
    modified 2018-01-30
    plugin id 99977
    published 2017-05-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99977
    title OracleVM 3.2 : xen (OVMSA-2017-0096)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3088.NASL
    description Paolo Bonzini of Red Hat discovered that the blit region checks were insufficient in the Cirrus VGA emulator in qemu-kvm, a full virtualization solution on x86 hardware. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process.
    last seen 2017-10-29
    modified 2017-03-03
    plugin id 79729
    published 2014-12-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79729
    title Debian DSA-3088-1 : qemu-kvm - security update
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2014-249.NASL
    description Updated qemu packages fix security vulnerabilities : During migration, the values read from migration stream during ram load are not validated. Especially offset in host_from_stream_offset() and also the length of the writes in the callers of the said function. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-7840). Paolo Bonzini of Red Hat discovered that the blit region checks were insufficient in the Cirrus VGA emulator in qemu. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-8106).
    last seen 2017-10-29
    modified 2014-12-16
    plugin id 79994
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79994
    title Mandriva Linux Security Advisory : qemu (MDVSA-2014:249)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-37.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-37 (QEMU: Multiple Vulnerabilities) Multiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. Impact : A context-dependent attacker may be able to execute arbitrary code, cause a Denial of Service condition, obtain sensitive information, or bypass security restrictions. Workaround : There is no known workaround at this time.
    last seen 2017-10-29
    modified 2015-04-13
    plugin id 80242
    published 2014-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80242
    title GLSA-201412-37 : QEMU: Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0867.NASL
    description An updated qemu-kvm package that fixes one security issue and one bug is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM- allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106) This issue was found by Paolo Bonzini of Red Hat. This update also fixes the following bug : * Previously, the effective downtime during the last phase of a live migration would sometimes be much higher than the maximum downtime specified by 'migration_downtime' in vdsm.conf. This problem has been corrected. The value of 'migration_downtime' is now honored and the migration is aborted if the downtime cannot be achieved. (BZ#1142756) All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2017-10-29
    modified 2017-03-03
    plugin id 82986
    published 2015-04-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82986
    title RHEL 6 : qemu-kvm (RHSA-2015:0867)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-5482.NASL
    description - CVE-2015-1779 vnc: insufficient resource limiting in VNC websockets decoder (bz #1205051, bz #1199572) - Qemu: PRDT overflow from guest to host (bz #1204919, bz #1205322) - CVE-2014-8106: cirrus: insufficient blit region checks (bz #1170612, bz #1169454) - Fix .vdi disk corruption (bz #1199400) - Don't install ksm services as executable (bz #1192720) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-10-18
    plugin id 82751
    published 2015-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82751
    title Fedora 21 : qemu-2.1.3-5.fc21 (2015-5482)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL63519101.NASL
    description CVE-2014-8106 Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320. CVE-2015-3209 Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. CVE-2015-5165 The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors. CVE-2015-5279 Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets. CVE-2015-7504 Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. CVE-2015-7512 Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet. Impact An attacker may be able to cause a denial of service (DoS) or execute arbitrary code if using the virtual drivers specified in these CVE descriptions.
    last seen 2018-01-03
    modified 2018-01-02
    plugin id 88770
    published 2016-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88770
    title F5 Networks BIG-IP : Multiple QEMU vulnerabilities (K63519101)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2439-1.NASL
    description Michael S. Tsirkin discovered that QEMU incorrectly handled certain parameters during ram load while performing a migration. An attacker able to manipulate savevm data could use this issue to possibly execute arbitrary code on the host. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS, and Ubuntu 14.10. (CVE-2014-7840) Paolo Bonzini discovered that QEMU incorrectly handled memory in the Cirrus VGA device. A malicious guest could possibly use this issue to write into memory of the host, leading to privilege escalation. (CVE-2014-8106). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2017-03-03
    plugin id 80026
    published 2014-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80026
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : qemu, qemu-kvm vulnerabilities (USN-2439-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150305_QEMU_KVM_ON_SL7_X.NASL
    description It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM- allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106) An uninitialized data structure use flaw was found in the way the set_pixel_format() function sanitized the value of bits_per_pixel. An attacker able to access a guest's VNC console could use this flaw to crash the guest. (CVE-2014-7815) It was found that certain values that were read when loading RAM during migration were not validated. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-7840) A NULL pointer dereference flaw was found in the way QEMU handled UDP packets with a source port and address of 0 when QEMU's user networking was in use. A local guest user could use this flaw to crash the guest. (CVE-2014-3640) Bug fixes : - The KVM utility executed demanding routing update system calls every time it performed an MSI vector mask/unmask operation. Consequently, guests running legacy systems such as Scientific Linux 5 could, under certain circumstances, experience significant slowdown. Now, the routing system calls during mask/unmask operations are skipped, and the performance of legacy guests is now more consistent. - Due to a bug in the Internet Small Computer System Interface (iSCSI) driver, a qemu-kvm process terminated unexpectedly with a segmentation fault when the 'write same' command was executed in guest mode under the iSCSI protocol. This update fixes the bug, and the 'write same' command now functions in guest mode under iSCSI as intended. - The QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault. This update fixes the related code, and QEMU no longer crashes in the described situation. Enhancements : - The maximum number of supported virtual CPUs (vCPUs) in a KVM guest has been increased to 240. This increases the number of virtual processing units that the user can assign to the guest, and therefore improves its performance potential. - Support for the 5th Generation Intel Core processors has been added to the QEMU hypervisor, the KVM kernel code, and the libvirt API. This allows KVM guests to use the following instructions and features: ADCX, ADOX, RDSFEED, PREFETCHW, and supervisor mode access prevention (SMAP). - The 'dump-guest-memory' command now supports crash dump compression. This makes it possible for users who cannot use the 'virsh dump' command to require less hard disk space for guest crash dumps. In addition, saving a compressed guest crash dump frequently takes less time than saving a non-compressed one.
    last seen 2017-10-29
    modified 2015-03-26
    plugin id 82260
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82260
    title Scientific Linux Security Update : qemu-kvm on SL7.x x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0582-1.NASL
    description This update for xen fixes several issues. These security issues were fixed : - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025188) - CVE-2016-10155: The virtual hardware watchdog 'wdt_i6300esb' was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1024183) - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024834) - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a memory leakage issue allowing a privileged user to leak host memory resulting in DoS (bsc#1024186) - CVE-2017-5898: The CCID Card device emulator support was vulnerable to an integer overflow flaw allowing a privileged user to crash the Qemu process on the host resulting in DoS (bsc#1024307) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2014-8106: A heap-based buffer overflow in the Cirrus VGA emulator allowed local guest users to execute arbitrary code via vectors related to blit regions (bsc#907805). - A malicious guest could have, by frequently rebooting over extended periods of time, run the host system out of memory, resulting in a Denial of Service (DoS) (bsc#1022871) - CVE-2017-5579: The 16550A UART serial device emulation support was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1022627) - CVE-2016-9907: The USB redirector usb-guest support was vulnerable to a memory leakage flaw when destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could have used this issue to leak host memory, resulting in DoS for a host (bsc#1014490) - CVE-2016-9911: The USB EHCI Emulation support was vulnerable to a memory leakage issue while processing packet data in 'ehci_init_transfer'. A guest user/process could have used this issue to leak host memory, resulting in DoS for the host (bsc#1014507) - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1015169) - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1015169) - CVE-2016-9101: A memory leak in hw/net/eepro100.c allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device (bsc#1013668) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could have used this issue to crash the Qemu process on the host leading to DoS (bsc#1013657) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-01-02
    modified 2018-01-02
    plugin id 97467
    published 2017-03-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97467
    title SUSE SLES12 Security Update : xen (SUSE-SU-2017:0582-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0647-1.NASL
    description This update for xen fixes several issues. These security issues were fixed : - CVE-2017-5973: A infinite loop while doing control transfer in xhci_kick_epctx allowed privileged user inside the guest to crash the host process resulting in DoS (bsc#1025188) - CVE-2016-10155: The virtual hardware watchdog 'wdt_i6300esb' was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1024183) - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024834) - CVE-2017-5856: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a memory leakage issue allowing a privileged user to leak host memory resulting in DoS (bsc#1024186) - CVE-2017-5898: The CCID Card device emulator support was vulnerable to an integer overflow flaw allowing a privileged user to crash the Qemu process on the host resulting in DoS (bsc#1024307) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2014-8106: A heap-based buffer overflow in the Cirrus VGA emulator allowed local guest users to execute arbitrary code via vectors related to blit regions (bsc#907805) - CVE-2017-5579: The 16550A UART serial device emulation support was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1022627) - CVE-2016-9907: The USB redirector usb-guest support was vulnerable to a memory leakage flaw when destroying the USB redirector in 'usbredir_handle_destroy'. A guest user/process could have used this issue to leak host memory, resulting in DoS for a host (bsc#1014490) - CVE-2016-9911: The USB EHCI Emulation support was vulnerable to a memory leakage issue while processing packet data in 'ehci_init_transfer'. A guest user/process could have used this issue to leak host memory, resulting in DoS for the host (bsc#1014507) - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1015169) - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1015169) - CVE-2016-9101: A memory leak in hw/net/eepro100.c allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device (bsc#1013668) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could have used this issue to crash the Qemu process on the host leading to DoS (bsc#1013657) - A malicious guest could have, by frequently rebooting over extended periods of time, run the host system out of memory, resulting in a Denial of Service (DoS) (bsc#1022871) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-01-02
    modified 2018-01-02
    plugin id 97657
    published 2017-03-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97657
    title SUSE SLES11 Security Update : xen (SUSE-SU-2017:0647-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KVM-LIBVIRT-201412-150124.NASL
    description This collective update for KVM and libvirt provides fixes for security and non-security issues. kvm : - Fix NULL pointer dereference because of uninitialized UDP socket. (bsc#897654, CVE-2014-3640) - Fix performance degradation after migration. (bsc#878350) - Fix potential image corruption due to missing FIEMAP_FLAG_SYNC flag in FS_IOC_FIEMAP ioctl. (bsc#908381) - Add validate hex properties for qdev. (bsc#852397) - Add boot option to do strict boot (bsc#900084) - Add query-command-line-options QMP command. (bsc#899144) - Fix incorrect return value of migrate_cancel. (bsc#843074) - Fix insufficient parameter validation during ram load. (bsc#905097, CVE-2014-7840) - Fix insufficient blit region checks in qemu/cirrus. (bsc#907805, CVE-2014-8106) libvirt : - Fix security hole with migratable flag in dumpxml. (bsc#904176, CVE-2014-7823) - Fix domain deadlock. (bsc#899484, CVE-2014-3657) - Use correct definition when looking up disk in qemu blkiotune. (bsc#897783, CVE-2014-3633) - Fix undefined symbol when starting virtlockd. (bsc#910145) - Add '-boot strict' to qemu's commandline whenever possible. (bsc#900084) - Add support for 'reboot-timeout' in qemu. (bsc#899144) - Increase QEMU's monitor timeout to 30sec. (bsc#911742) - Allow setting QEMU's migration max downtime any time. (bsc#879665)
    last seen 2017-10-29
    modified 2015-02-24
    plugin id 81481
    published 2015-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81481
    title SuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-061.NASL
    description Updated qemu packages fix multiple security vulnerabilities : Sibiao Luo discovered that QEMU incorrectly handled device hot-unplugging. A local user could possibly use this flaw to cause a denial of service (CVE-2013-4377). Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host (CVE-2013-4544). Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147). A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0150). A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0142). A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0146). It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest (CVE-2014-0148). An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-2894). Two integer overflow flaws were found in the QEMU block driver for QCOW version 1 disk images. A user able to alter the QEMU disk image files loaded by a guest could use either of these flaws to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-0222, CVE-2014-0223). Multiple buffer overflow, input validation, and out-of-bounds write flaws were found in the way the virtio, virtio-net, virtio-scsi, and usb drivers of QEMU handled state loading after migration. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2013-4148, CVE-2013-4151, CVE-2013-4535, CVE-2013-4536, CVE-2013-4541, CVE-2013-4542, CVE-2013-6399, CVE-2014-0182, CVE-2014-3461). An information leak flaw was found in the way QEMU's VGA emulator accessed frame buffer memory for high resolution displays. A privileged guest user could use this flaw to leak memory contents of the host to the guest by setting the display to use a high resolution in the guest (CVE-2014-3615). When guest sends udp packet with source port and source addr 0, uninitialized socket is picked up when looking for matching and already created udp sockets, and later passed to sosendto() where NULL pointer dereference is hit during so->slirp->vnetwork_mask.s_addr access Only guests using qemu user networking are affected (CVE-2014-3640). The Advanced Threat Research team at Intel Security reported that guest provided parameter were insufficiently validated in rectangle functions in the vmware-vga driver. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-3689). It was discovered that QEMU incorrectly handled USB xHCI controller live migration. An attacker could possibly use this issue to cause a denial of service, or possibly execute arbitrary code (CVE-2014-5263). James Spadaro of Cisco reported insufficiently sanitized bits_per_pixel from the client in the QEMU VNC display driver. An attacker having access to the guest's VNC console could use this flaw to crash the guest (CVE-2014-7815). During migration, the values read from migration stream during ram load are not validated. Especially offset in host_from_stream_offset() and also the length of the writes in the callers of the said function. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process (CVE-2014-7840). Paolo Bonzini of Red Hat discovered that the blit region checks were insufficient in the Cirrus VGA emulator in qemu. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process (CVE-2014-8106). This update also provides usbredirparser 0.6 as a prerequisite of qemu-1.6.2
    last seen 2017-10-29
    modified 2015-03-19
    plugin id 81944
    published 2015-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81944
    title Mandriva Linux Security Advisory : qemu (MDVSA-2015:061)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-0349.NASL
    description Updated qemu-kvm packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide the user-space component for running virtual machines using KVM. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM-allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106) An uninitialized data structure use flaw was found in the way the set_pixel_format() function sanitized the value of bits_per_pixel. An attacker able to access a guest's VNC console could use this flaw to crash the guest. (CVE-2014-7815) It was found that certain values that were read when loading RAM during migration were not validated. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-7840) A NULL pointer dereference flaw was found in the way QEMU handled UDP packets with a source port and address of 0 when QEMU's user networking was in use. A local guest user could use this flaw to crash the guest. (CVE-2014-3640) Red Hat would like to thank James Spadaro of Cisco for reporting CVE-2014-7815, and Xavier Mehrenberger and Stephane Duverger of Airbus for reporting CVE-2014-3640. The CVE-2014-8106 issue was found by Paolo Bonzini of Red Hat, and the CVE-2014-7840 issue was discovered by Michael S. Tsirkin of Red Hat. Bug fixes : * The KVM utility executed demanding routing update system calls every time it performed an MSI vector mask/unmask operation. Consequently, guests running legacy systems such as Red Hat Enterprise Linux 5 could, under certain circumstances, experience significant slowdown. Now, the routing system calls during mask/unmask operations are skipped, and the performance of legacy guests is now more consistent. (BZ#1098976) * Due to a bug in the Internet Small Computer System Interface (iSCSI) driver, a qemu-kvm process terminated unexpectedly with a segmentation fault when the 'write same' command was executed in guest mode under the iSCSI protocol. This update fixes the bug, and the 'write same' command now functions in guest mode under iSCSI as intended. (BZ#1083413) * The QEMU command interface did not properly handle resizing of cache memory during guest migration, causing QEMU to terminate unexpectedly with a segmentation fault. This update fixes the related code, and QEMU no longer crashes in the described situation. (BZ#1066338) Enhancements : * The maximum number of supported virtual CPUs (vCPUs) in a KVM guest has been increased to 240. This increases the number of virtual processing units that the user can assign to the guest, and therefore improves its performance potential. (BZ#1134408) * Support for the 5th Generation Intel Core processors has been added to the QEMU hypervisor, the KVM kernel code, and the libvirt API. This allows KVM guests to use the following instructions and features: ADCX, ADOX, RDSFEED, PREFETCHW, and supervisor mode access prevention (SMAP). (BZ#1116117) * The 'dump-guest-memory' command now supports crash dump compression. This makes it possible for users who cannot use the 'virsh dump' command to require less hard disk space for guest crash dumps. In addition, saving a compressed guest crash dump frequently takes less time than saving a non-compressed one. (BZ#1157798) * This update introduces support for flight recorder tracing, which uses SystemTap to automatically capture qemu-kvm data while the guest machine is running. For detailed instructions on how to configure and use flight recorder tracing, see the Virtualization Deployment and Administration Guide, linked to in the References section below. (BZ#1088112)
    last seen 2017-10-29
    modified 2017-03-03
    plugin id 81891
    published 2015-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81891
    title CentOS 7 : qemu-kvm (CESA-2015:0349)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0624.NASL
    description Updated qemu-kvm-rhev packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Virtualization Hypervisor 7. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM, in environments managed by Red Hat Enterprise Virtualization Manager. It was found that the Cirrus blit region checks were insufficient. A privileged guest user could use this flaw to write outside of VRAM-allocated buffer boundaries in the host's QEMU process address space with attacker-provided data. (CVE-2014-8106) An uninitialized data structure use flaw was found in the way the set_pixel_format() function sanitized the value of bits_per_pixel. An attacker able to access a guest's VNC console could use this flaw to crash the guest. (CVE-2014-7815) It was found that certain values that were read when loading RAM during migration were not validated. A user able to alter the savevm data (either on the disk or over the wire during migration) could use either of these flaws to corrupt QEMU process memory on the (destination) host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-7840) A NULL pointer dereference flaw was found in the way QEMU handled UDP packets with a source port and address of 0 when QEMU's user networking was in use. A local guest user could use this flaw to crash the guest. (CVE-2014-3640) Red Hat would like to thank James Spadaro of Cisco for reporting CVE-2014-7815, and Xavier Mehrenberger and Stephane Duverger of Airbus for reporting CVE-2014-3640. The CVE-2014-8106 issue was found by Paolo Bonzini of Red Hat, and the CVE-2014-7840 issue was discovered by Michael S. Tsirkin of Red Hat. This update provides the enhanced version of the qemu-kvm-rhev packages for Red Hat Enterprise Virtualization (RHEV) Hypervisor, which also fixes several bugs and adds various enhancements. All Red Hat Enterprise Virtualization users with deployed virtualization hosts are advised to install these updated packages, which add this enhancement. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2017-10-29
    modified 2015-03-06
    plugin id 81661
    published 2015-03-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81661
    title RHEL 7 : qemu-kvm-rhev (RHSA-2015:0624)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3087.NASL
    description Paolo Bonzini of Red Hat discovered that the blit region checks were insufficient in the Cirrus VGA emulator in qemu, a fast processor emulator. A privileged guest user could use this flaw to write into qemu address space on the host, potentially escalating their privileges to those of the qemu host process.
    last seen 2018-05-11
    modified 2018-05-10
    plugin id 79728
    published 2014-12-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79728
    title Debian DSA-3087-1 : qemu - security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-0718-1.NASL
    description This update for xen fixes several issues. These security issues were fixed : - CVE-2016-10155: The virtual hardware watchdog 'wdt_i6300esb' was vulnerable to a memory leakage issue allowing a privileged user to cause a DoS and/or potentially crash the Qemu process on the host (bsc#1024183) - CVE-2017-2620: In CIRRUS_BLTMODE_MEMSYSSRC mode the bitblit copy routine cirrus_bitblt_cputovideo failed to check the memory region, allowing for an out-of-bounds write that allows for privilege escalation (bsc#1024834) - CVE-2017-2615: An error in the bitblt copy operation could have allowed a malicious guest administrator to cause an out of bounds memory access, possibly leading to information disclosure or privilege escalation (bsc#1023004) - CVE-2014-8106: A heap-based buffer overflow in the Cirrus VGA emulator allowed local guest users to execute arbitrary code via vectors related to blit regions (bsc#907805) - CVE-2016-9911: The USB EHCI Emulation support was vulnerable to a memory leakage issue while processing packet data in 'ehci_init_transfer'. A guest user/process could have used this issue to leak host memory, resulting in DoS for the host (bsc#1014507) - CVE-2016-9921: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1015169) - CVE-2016-9922: The Cirrus CLGD 54xx VGA Emulator support was vulnerable to a divide by zero issue while copying VGA data. A privileged user inside guest could have used this flaw to crash the process instance on the host, resulting in DoS (bsc#1015169) - CVE-2016-10013: Xen allowed local 64-bit x86 HVM guest OS users to gain privileges by leveraging mishandling of SYSCALL singlestep during emulation (bsc#1016340). - CVE-2016-9932: CMPXCHG8B emulation on x86 systems allowed local HVM guest OS users to obtain sensitive information from host stack memory via a 'supposedly-ignored' operand size prefix (bsc#1012651). - CVE-2016-9101: A memory leak in hw/net/eepro100.c allowed local guest OS administrators to cause a denial of service (memory consumption and QEMU process crash) by repeatedly unplugging an i8255x (PRO100) NIC device (bsc#1013668) - CVE-2016-9776: The ColdFire Fast Ethernet Controller emulator support was vulnerable to an infinite loop issue while receiving packets in 'mcf_fec_receive'. A privileged user/process inside guest could have used this issue to crash the Qemu process on the host leading to DoS (bsc#1013657) - A malicious guest could have, by frequently rebooting over extended periods of time, run the host system out of memory, resulting in a Denial of Service (DoS) (bsc#1022871) - CVE-2016-10024: Xen allowed local x86 PV guest OS kernel administrators to cause a denial of service (host hang or crash) by modifying the instruction stream asynchronously while performing certain kernel operations (bsc#1014298) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-01-02
    modified 2018-01-02
    plugin id 97828
    published 2017-03-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97828
    title SUSE SLES11 Security Update : xen (SUSE-SU-2017:0718-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KVM-LIBVIRT-201412-150123.NASL
    description This collective update for KVM and libvirt provides fixes for security and non-security issues. kvm : - Fix NULL pointer dereference because of uninitialized UDP socket. (bsc#897654, CVE-2014-3640) - Fix performance degradation after migration. (bsc#878350) - Fix potential image corruption due to missing FIEMAP_FLAG_SYNC flag in FS_IOC_FIEMAP ioctl. (bsc#908381) - Add validate hex properties for qdev. (bsc#852397) - Add boot option to do strict boot (bsc#900084) - Add query-command-line-options QMP command. (bsc#899144) - Fix incorrect return value of migrate_cancel. (bsc#843074) - Fix insufficient parameter validation during ram load. (bsc#905097, CVE-2014-7840) - Fix insufficient blit region checks in qemu/cirrus. (bsc#907805, CVE-2014-8106) libvirt : - Fix security hole with migratable flag in dumpxml. (bsc#904176, CVE-2014-7823) - Fix domain deadlock. (bsc#899484, CVE-2014-3657) - Use correct definition when looking up disk in qemu blkiotune. (bsc#897783, CVE-2014-3633) - Fix undefined symbol when starting virtlockd. (bsc#910145) - Add '-boot strict' to qemu's commandline whenever possible. (bsc#900084) - Add support for 'reboot-timeout' in qemu. (bsc#899144) - Increase QEMU's monitor timeout to 30sec. (bsc#911742) - Allow setting QEMU's migration max downtime any time. (bsc#879665)
    last seen 2017-10-29
    modified 2015-02-24
    plugin id 81480
    published 2015-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81480
    title SuSE 11.3 Security Update : kvm and libvirt (SAT Patch Number 10222)
redhat via4
advisories
  • bugzilla
    id 1180942
    title qemu core dumped when unhotplug gpu card assigned to guest
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment libcacard is earlier than 10:1.5.3-86.el7
          oval oval:com.redhat.rhsa:tst:20150349011
        • comment libcacard is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140704008
      • AND
        • comment libcacard-devel is earlier than 10:1.5.3-86.el7
          oval oval:com.redhat.rhsa:tst:20150349007
        • comment libcacard-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140704010
      • AND
        • comment libcacard-tools is earlier than 10:1.5.3-86.el7
          oval oval:com.redhat.rhsa:tst:20150349013
        • comment libcacard-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140704016
      • AND
        • comment qemu-img is earlier than 10:1.5.3-86.el7
          oval oval:com.redhat.rhsa:tst:20150349009
        • comment qemu-img is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345008
      • AND
        • comment qemu-kvm is earlier than 10:1.5.3-86.el7
          oval oval:com.redhat.rhsa:tst:20150349005
        • comment qemu-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345006
      • AND
        • comment qemu-kvm-common is earlier than 10:1.5.3-86.el7
          oval oval:com.redhat.rhsa:tst:20150349017
        • comment qemu-kvm-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140704018
      • AND
        • comment qemu-kvm-tools is earlier than 10:1.5.3-86.el7
          oval oval:com.redhat.rhsa:tst:20150349015
        • comment qemu-kvm-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345010
    rhsa
    id RHSA-2015:0349
    released 2014-08-15
    severity Important
    title RHSA-2015:0349: qemu-kvm security, bug fix, and enhancement update (Important)
  • bugzilla
    id 1169454
    title CVE-2014-8106 qemu: cirrus: insufficient blit region checks
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment qemu-guest-agent is earlier than 2:0.12.1.2-2.448.el6_6.2
          oval oval:com.redhat.rhsa:tst:20150867007
        • comment qemu-guest-agent is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20121234008
      • AND
        • comment qemu-img is earlier than 2:0.12.1.2-2.448.el6_6.2
          oval oval:com.redhat.rhsa:tst:20150867009
        • comment qemu-img is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345008
      • AND
        • comment qemu-kvm is earlier than 2:0.12.1.2-2.448.el6_6.2
          oval oval:com.redhat.rhsa:tst:20150867005
        • comment qemu-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345006
      • AND
        • comment qemu-kvm-tools is earlier than 2:0.12.1.2-2.448.el6_6.2
          oval oval:com.redhat.rhsa:tst:20150867011
        • comment qemu-kvm-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345010
    rhsa
    id RHSA-2015:0867
    released 2015-04-21
    severity Important
    title RHSA-2015:0867: qemu-kvm security and bug fix update (Important)
  • rhsa
    id RHSA-2015:0624
  • rhsa
    id RHSA-2015:0643
  • rhsa
    id RHSA-2015:0795
  • rhsa
    id RHSA-2015:0868
  • rhsa
    id RHSA-2015:0891
rpms
  • libcacard-10:1.5.3-86.el7
  • libcacard-devel-10:1.5.3-86.el7
  • libcacard-tools-10:1.5.3-86.el7
  • qemu-img-10:1.5.3-86.el7
  • qemu-kvm-10:1.5.3-86.el7
  • qemu-kvm-common-10:1.5.3-86.el7
  • qemu-kvm-tools-10:1.5.3-86.el7
  • qemu-guest-agent-2:0.12.1.2-2.448.el6_6.2
  • qemu-img-2:0.12.1.2-2.448.el6_6.2
  • qemu-kvm-2:0.12.1.2-2.448.el6_6.2
  • qemu-kvm-tools-2:0.12.1.2-2.448.el6_6.2
refmap via4
bid 71477
confirm
debian
  • DSA-3087
  • DSA-3088
fedora FEDORA-2015-5482
mlist
  • [Qemu-devel] 20141204 [PULL for-2.2 0/2] cirrus: fix blit region check (cve-2014-8106)
  • [oss-security] 20141204 CVE-2014-8106 qemu: cirrus: insufficient blit region checks
secunia 60364
xf qemu-cve20148106-sec-bypass(99126)
Last major update 02-01-2017 - 21:59
Published 08-12-2014 - 11:59
Last modified 07-09-2017 - 21:29
Back to Top