ID CVE-2015-3209
Summary Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.
References
Vulnerable Configurations
  • QEMU
    cpe:2.3:a:qemu:qemu
  • cpe:2.3:a:juniper:junos_space:15.1
    cpe:2.3:a:juniper:junos_space:15.1
  • Xen Xen 4.5.0
    cpe:2.3:o:xen:xen:4.5.0
CVSS
Base: 7.5 (as of 28-06-2016 - 11:34)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201510-02.NASL
    description The remote host is affected by the vulnerability described in GLSA-201510-02 (QEMU: Arbitrary code execution) Heap-based buffer overflow has been found in QEMU’s PCNET controller. Impact : A remote attacker could execute arbitrary code via a specially crafted packets. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-10-10
    plugin id 86687
    published 2015-11-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86687
    title GLSA-201510-02 : QEMU: Arbitrary code execution
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0067.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - x86/traps: loop in the correct direction in compat_iret This is XSA-136. (CVE-2015-4164) - pcnet: force the buffer access to be in bounds during tx 4096 is the maximum length per TMD and it is also currently the size of the relay buffer pcnet driver uses for sending the packet data to QEMU for further processing. With packet spanning multiple TMDs it can happen that the overall packet size will be bigger than sizeof(buffer), which results in memory corruption. Fix this by only allowing to queue maximum sizeof(buffer) bytes. This is CVE-2015-3209. (CVE-2015-3209) - pcnet: fix Negative array index read From: Gonglei s->xmit_pos maybe assigned to a negative value (-1), but in this branch variable s->xmit_pos as an index to array s->buffer. Let's add a check for s->xmit_pos. upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b (CVE-2015-3209) - pcnet: force the buffer access to be in bounds during tx 4096 is the maximum length per TMD and it is also currently the size of the relay buffer pcnet driver uses for sending the packet data to QEMU for further processing. With packet spanning multiple TMDs it can happen that the overall packet size will be bigger than sizeof(buffer), which results in memory corruption. Fix this by only allowing to queue maximum sizeof(buffer) bytes. This is CVE-2015-3209. (CVE-2015-3209) - pcnet: fix Negative array index read From: Gonglei s->xmit_pos maybe assigned to a negative value (-1), but in this branch variable s->xmit_pos as an index to array s->buffer. Let's add a check for s->xmit_pos. upstream-commit-id: 7b50d00911ddd6d56a766ac5671e47304c20a21b (CVE-2015-3209) - gnttab: add missing version check to GNTTABOP_swap_grant_ref handling ... avoiding NULL derefs when the version to use wasn't set yet (via GNTTABOP_setup_table or GNTTABOP_set_version). This is XSA-134. (CVE-2015-4163)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 84139
    published 2015-06-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84139
    title OracleVM 3.3 : xen (OVMSA-2015-0067)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201604-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 90380
    published 2016-04-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90380
    title GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-10001.NASL
    description stubs-32.h is back, so revert to previous behaviour. Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209]. GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163]. vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164]. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 84374
    published 2015-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84374
    title Fedora 22 : xen-4.5.0-11.fc22 (2015-10001)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-1189.NASL
    description From Red Hat Security Advisory 2015:1189 : Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3209) Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting this issue. All kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Note: The procedure in the Solution section must be performed before this update will take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 84418
    published 2015-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84418
    title Oracle Linux 5 : kvm (ELSA-2015-1189)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1206-1.NASL
    description Xen was updated to fix two security issues : CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84634
    published 2015-07-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84634
    title SUSE SLES10 Security Update : Xen (SUSE-SU-2015:1206-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1643-1.NASL
    description Xen was updated to fix the following security issues : CVE-2015-5154: Host code execution via IDE subsystem CD-ROM. (bsc#938344) CVE-2015-3209: Heap overflow in QEMU's pcnet controller allowing guest to host escape. (bsc#932770) CVE-2015-4164: DoS through iret hypercall handler. (bsc#932996) CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model. (XSA-140, bsc#939712) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 86203
    published 2015-09-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86203
    title SUSE SLES10 Security Update : Xen (SUSE-SU-2015:1643-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-9965.NASL
    description Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209] (#1230537) GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163] vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164] Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103], PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104], Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105], Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-01-03
    plugin id 84378
    published 2015-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84378
    title Fedora 20 : xen-4.3.4-6.fc20 (2015-9965)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-434.NASL
    description Xen was updated to 4.4.2 to fix multiple vulnerabilities and non-security bugs. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used to denial of service attacks or potential code execution against the host. () - CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. () - CVE-2015-2752: Long latency MMIO mapping operations are not preemptible (XSA-125 boo#922705) - CVE-2015-2756: Unmediated PCI command register access in qemu (XSA-126 boo#922706) - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-2151: Hypervisor memory corruption due to x86 emulator flaw (boo#919464 XSA-123) - CVE-2015-2045: Information leak through version information hypercall (boo#918998 XSA-122) - CVE-2015-2044: Information leak via internal x86 system device emulation (boo#918995 (XSA-121) - CVE-2015-2152: HVM qemu unexpectedly enabling emulated VGA graphics backends (boo#919663 XSA-119) - CVE-2014-3615: information leakage when guest sets high resolution (boo#895528) The following non-security bugs were fixed : - xentop: Fix memory leak on read failure - boo#923758: xen dmesg contains bogus output in early boot - boo#921842: Xentop doesn't display disk statistics for VMs using qdisks - boo#919098: L3: XEN blktap device intermittently fails to connect - boo#882089: Windows 2012 R2 fails to boot up with greater than 60 vcpus - boo#903680: Problems with detecting free loop devices on Xen guest startup - boo#861318: xentop reports 'Found interface vif101.0 but domain 101 does not exist.' - boo#901488: Intel ixgbe driver assigns rx/tx queues per core resulting in irq problems on servers with a large amount of CPU cores - boo#910254: SLES11 SP3 Xen VT-d igb NIC doesn't work - boo#912011: high ping latency after upgrade to latest SLES11SP3 on xen Dom0 - boo#906689: let systemd schedule xencommons after network-online.target and remote-fs.target so that xendomains has access to remote shares The following functionality was enabled or enhanced : - Enable spice support in qemu for x86_64 - Add Qxl vga support - Enhancement to virsh/libvirtd 'send-key' command (FATE#317240) - Add domain_migrate_constraints_set API to Xend's http interface (FATE#317239)
    last seen 2019-02-21
    modified 2015-10-22
    plugin id 84333
    published 2015-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84333
    title openSUSE Security Update : xen (openSUSE-2015-434) (Venom)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1156-1.NASL
    description Xen was updated to fix six security issues : CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bsc#931625) CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bsc#931626) CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bsc#931627) CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bsc#931628) CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84468
    published 2015-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84468
    title SUSE SLES11 Security Update : Xen (SUSE-SU-2015:1156-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-13402.NASL
    description - Rebased to version 2.3.1 - Fix crash in qemu_spice_create_display (bz #1163047) - Fix qemu-img map crash for unaligned image (bz #1229394) - CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536) - CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728) - CVE-2015-5158: scsi stack-based buffer overflow (bz #1246025) - CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz #1247141) - CVE-2015-5166: BlockBackend object use after free issue (bz #1249758) - CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160) - CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest (bz #1249755) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 85480
    published 2015-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85480
    title Fedora 22 : qemu-2.3.1-1.fc22 (2015-13402)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-13358.NASL
    description - Rebased to version 2.4.0 * Support for virtio-gpu, 2D only * Support for virtio-based keyboard/mouse/tablet emulation * x86 support for memory hot-unplug - ACPI v5.1 table support for 'virt' board * CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536) * CVE-2015-3214: i8254: out-of- bounds memory access (bz #1243728) * CVE-2015-5158: scsi stack-based buffer overflow (bz #1246025) * CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz #1247141) * CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest (bz #1249755) * CVE-2015-5166: BlockBackend object use after free issue (bz #1249758) * CVE-2015-5745: buffer overflow in virtio- serial (bz #1251160) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 85592
    published 2015-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85592
    title Fedora 23 : qemu-2.4.0-1.fc23 (2015-13358)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1157-1.NASL
    description Xen was updated to fix six security issues : CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bsc#931625) CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bsc#931626) CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bsc#931627) CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bsc#931628) CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84469
    published 2015-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84469
    title SUSE SLES11 Security Update : Xen (SUSE-SU-2015:1157-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1189.NASL
    description Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3209) Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting this issue. All kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Note: The procedure in the Solution section must be performed before this update will take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84421
    published 2015-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84421
    title RHEL 5 : kvm (RHSA-2015:1189)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-13404.NASL
    description - Fix crash in qemu_spice_create_display (bz #1163047) * CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536) * CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728) * CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz #1247141) * CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160) * CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest (bz #1249755) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 85727
    published 2015-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85727
    title Fedora 21 : qemu-2.1.3-9.fc21 (2015-13404)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1088.NASL
    description Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat Enterprise Virtualization 3.5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3209) Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting this issue. All qemu-kvm-rhev users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84188
    published 2015-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84188
    title RHEL 6 : qemu-kvm-rhev (RHSA-2015:1088)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1519-1.NASL
    description qemu was updated to fix two security issues and augments one non-security bug fix. The following vulnerabilities were fixed : - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (bsc#932770) - CVE-2015-4037: Avoid predictable directory name for smb config (bsc#932267) The fix for the following non-security bug was improved : - bsc#893892: Use improved upstream patch for display issue affecting installs of SLES 11 VMs on SLES 12 Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 85902
    published 2015-09-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85902
    title SUSE SLED12 / SLES12 Security Update : qemu (SUSE-SU-2015:1519-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2630-1.NASL
    description Matt Tait discovered that QEMU incorrectly handled the virtual PCNET driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3209) Kurt Seifried discovered that QEMU incorrectly handled certain temporary files. A local attacker could use this issue to cause a denial of service. (CVE-2015-4037) Jan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the host MSI message data field. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4103) Jan Beulich discovered that the QEMU Xen code incorrectly restricted access to the PCI MSI mask bits. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4104) Jan Beulich discovered that the QEMU Xen code incorrectly handled MSI-X error messages. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4105) Jan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the PCI config space. A malicious guest could use this issue to cause a denial of service, obtain sensitive information, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4106). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 84118
    published 2015-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84118
    title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : qemu, qemu-kvm vulnerabilities (USN-2630-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-1087.NASL
    description From Red Hat Security Advisory 2015:1087 : Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3209) Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting this issue. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 84107
    published 2015-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84107
    title Oracle Linux 6 : qemu-kvm (ELSA-2015-1087)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150625_KVM_ON_SL5_X.NASL
    description A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3209) KVM must be 'restarted' before this update will take effect. Shutdown all KVM virtual machines. Either reboot or unload and reload the following kernel modules : kvm, ksm, kvm-intel or kvm-amd. Start the KVM virtual machines.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 84538
    published 2015-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84538
    title Scientific Linux Security Update : kvm on SL5.x x86_64
  • NASL family Junos Local Security Checks
    NASL id JUNIPER_SPACE_JSA10698.NASL
    description According to its self-reported version number, the version of Junos Space running on the remote device is prior to 15.1R1. It is, therefore, affected by multiple vulnerabilities : - An error exists within the Apache 'mod_session_dbd' module, related to save operations for a session, due to a failure to consider the dirty flag and to require a new session ID. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2013-2249) - An unspecified flaw exists in the MySQL Server component related to error handling that allows a remote attacker to cause a denial of service condition. (CVE-2013-5908) - A flaw exists within the Apache 'mod_dav' module that is caused when tracking the length of CDATA that has leading white space. An unauthenticated, remote attacker can exploit this, via a specially crafted DAV WRITE request, to cause the service to stop responding. (CVE-2013-6438) - A flaw exists within the Apache 'mod_log_config' module that is caused when logging a cookie that has an unassigned value. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause the service to crash. (CVE-2014-0098) - A flaw exists, related to pixel manipulation, in the 2D component in the Oracle Java runtime that allows an unauthenticated, remote attacker to impact availability, confidentiality, and integrity. (CVE-2014-0429) - A flaw exists, related to PKCS#1 unpadding, in the Security component in the Oracle Java runtime that allows an unauthenticated, remote attacker to gain knowledge of timing information, which is intended to be protected by encryption. (CVE-2014-0453) - A race condition exists, related to array copying, in the Hotspot component in the Oracle Java runtime that allows an unauthenticated, remote attacker to execute arbitrary code. (CVE-2014-0456) - A flaw exists in the JNDI component in the Oracle Java runtime due to missing randomization of query IDs. An unauthenticated, remote attacker can exploit this to conduct spoofing attacks. (CVE-2014-0460) - A flaw exists in the Mozilla Network Security Services (NSS) library, which is due to lenient parsing of ASN.1 values involved in a signature and can lead to the forgery of RSA signatures, such as SSL certificates. (CVE-2014-1568) - An unspecified flaw exists in the MySQL Server component related to the CLIENT:SSL:yaSSL subcomponent that allows a remote attacker to impact integrity. (CVE-2014-6478) - Multiple unspecified flaws exist in the MySQL Server component related to the SERVER:SSL:yaSSL subcomponent that allow a remote attacker to impact confidentiality, integrity, and availability. (CVE-2014-6491, CVE-2014-6500) - Multiple unspecified flaws exist in the MySQL Server component related to the CLIENT:SSL:yaSSL subcomponent that allow a remote attacker to cause a denial of service condition. (CVE-2014-6494, CVE-2014-6495, CVE-2014-6496) - An unspecified flaw exists in the MySQL Server component related to the C API SSL Certificate Handling subcomponent that allows a remote attacker to disclose potentially sensitive information. (CVE-2014-6559) - An unspecified flaw exists in the MySQL Server component related to the Server:Compiling subcomponent that allows an authenticated, remote attacker to cause a denial of service condition. (CVE-2015-0501) - An XML external entity (XXE) injection vulnerability exists in OpenNMS due to the Castor component accepting XML external entities from exception messages. An unauthenticated, remote attacker can exploit this, via specially crafted XML data in a RTC post, to access local files. (CVE-2015-0975) - An unspecified flaw exists in the MySQL Server component related to the Server:Security:Privileges subcomponent that allows a remote attacker to disclose potentially sensitive information. (CVE-2015-2620) - A heap buffer overflow condition exists in QEMU in the pcnet_transmit() function within file hw/net/pcnet.c due to improper validation of user-supplied input when handling multi-TMD packets with a length above 4096 bytes. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to gain elevated privileges from guest to host. (CVE-2015-3209) - Multiple cross-site scripting (XSS), SQL injection, and command injection vulnerabilities exist in Junos Space that allow an unauthenticated, remote attacker to execute arbitrary code. (CVE-2015-7753)
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 91778
    published 2016-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91778
    title Juniper Junos Space < 15.1R1 Multiple Vulnerabilities (JSA10698)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0068.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0068 for details.
    last seen 2019-02-21
    modified 2018-09-05
    plugin id 84140
    published 2015-06-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84140
    title OracleVM 3.2 : xen (OVMSA-2015-0068) (POODLE) (Venom)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-9978.NASL
    description Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209]. GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163]. vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164]. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 84379
    published 2015-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84379
    title Fedora 21 : xen-4.4.2-6.fc21 (2015-9978)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL63519101.NASL
    description CVE-2014-8106 Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320. CVE-2015-3209 Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. CVE-2015-5165 The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors. CVE-2015-5279 Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets. CVE-2015-7504 Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. CVE-2015-7512 Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet. Impact An attacker may be able to cause a denial of service (DoS) or execute arbitrary code if using the virtual drivers specified in these CVE descriptions.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 88770
    published 2016-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88770
    title F5 Networks BIG-IP : Multiple QEMU vulnerabilities (K63519101)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-435.NASL
    description Xen was updated to fix eight vulnerabilities. The following vulnerabilities were fixed : - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996)
    last seen 2019-02-21
    modified 2015-06-23
    plugin id 84334
    published 2015-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84334
    title openSUSE Security Update : xen (openSUSE-2015-435)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1045-1.NASL
    description Xen was updated to fix seven security vulnerabilities : CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bnc#931625) CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bnc#931626) CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bnc#931627) CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bnc#931628) CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior. (XSA-134, bnc#932790) CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bnc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bnc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84190
    published 2015-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84190
    title SUSE SLED11 / SLES11 Security Update : Xen (SUSE-SU-2015:1045-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1087.NASL
    description Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3209) Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting this issue. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84112
    published 2015-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84112
    title RHEL 6 : qemu-kvm (RHSA-2015:1087)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1042-1.NASL
    description Xen was updated to fix seven security issues and one non-security bug. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (bnc#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (bnc#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (bnc#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (bnc#931628) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (bnc#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (bnc#932770) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (bnc#932996) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84146
    published 2015-06-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84146
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:1042-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1189.NASL
    description Updated kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3209) Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting this issue. All kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Note: The procedure in the Solution section must be performed before this update will take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84406
    published 2015-06-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84406
    title CentOS 5 : kvm (CESA-2015:1189)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1426-1.NASL
    description kvm was updated to fix two security issues. The following vulnerabilities were fixed : - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). - CVE-2015-3209: Fix buffer overflow in pcnet emulation (bsc#932770). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 85625
    published 2015-08-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85625
    title SUSE SLES11 Security Update : kvm (SUSE-SU-2015:1426-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3285.NASL
    description Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware. - CVE-2015-3209 Matt Tait of Google's Project Zero security team discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. - CVE-2015-4037 Kurt Seifried of Red Hat Product Security discovered that QEMU's user mode networking stack uses predictable temporary file names when the -smb option is used. An unprivileged user can use this flaw to cause a denial of service.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84168
    published 2015-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84168
    title Debian DSA-3285-1 : qemu-kvm - security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3286.NASL
    description Multiple security issues have been found in the Xen virtualisation solution : - CVE-2015-3209 Matt Tait discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. - CVE-2015-4103 Jan Beulich discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service. - CVE-2015-4104 Jan Beulich discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service. - CVE-2015-4105 Jan Beulich reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service. - CVE-2015-4106 Jan Beulich discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code. - CVE-2015-4163 Jan Beulich discovered that a missing version check in the GNTTABOP_swap_grant_ref hypercall handler may result in denial of service. This only applies to Debian stable/jessie. - CVE-2015-4164 Andrew Cooper discovered a vulnerability in the iret hypercall handler, which may result in denial of service.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84169
    published 2015-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84169
    title Debian DSA-3286-1 : xen - security update
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1087.NASL
    description Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3209) Red Hat would like to thank Matt Tait of Google's Project Zero security team for reporting this issue. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84092
    published 2015-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84092
    title CentOS 6 : qemu-kvm (CESA-2015:1087)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1152-1.NASL
    description KVM was updated to fix two security issues : CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (bsc#932770) CVE-2015-4037: Predictable directory names for smb configuration. (bsc#932267) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84443
    published 2015-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84443
    title SUSE SLED11 / SLES11 Security Update : KVM (SUSE-SU-2015:1152-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3284.NASL
    description Several vulnerabilities were discovered in qemu, a fast processor emulator. - CVE-2015-3209 Matt Tait of Google's Project Zero security team discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. - CVE-2015-4037 Kurt Seifried of Red Hat Product Security discovered that QEMU's user mode networking stack uses predictable temporary file names when the -smb option is used. An unprivileged user can use this flaw to cause a denial of service. - CVE-2015-4103 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service. - CVE-2015-4104 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service. - CVE-2015-4105 Jan Beulich of SUSE reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service. - CVE-2015-4106 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84167
    published 2015-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84167
    title Debian DSA-3284-1 : qemu - security update
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150610_QEMU_KVM_ON_SL6_X.NASL
    description A flaw was found in the way QEMU's AMD PCnet Ethernet emulation handled multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. (CVE-2015-3209) After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 84114
    published 2015-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84114
    title Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_ACD5D0371C3311E5BE9C6805CA1D3BB1.NASL
    description The QEMU security team reports : A guest which has access to an emulated PCNET network device (e.g. with 'model=pcnet' in their VIF configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84438
    published 2015-06-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84438
    title FreeBSD : qemu -- Heap overflow in QEMU PCNET controller, allowing guest to host escape (CVE-2015-3209) (acd5d037-1c33-11e5-be9c-6805ca1d3bb1)
redhat via4
advisories
  • bugzilla
    id 1225882
    title CVE-2015-3209 qemu: pcnet: multi-tmd buffer overflow in the tx path
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment qemu-guest-agent is earlier than 2:0.12.1.2-2.448.el6_6.4
          oval oval:com.redhat.rhsa:tst:20151087005
        • comment qemu-guest-agent is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20121234008
      • AND
        • comment qemu-img is earlier than 2:0.12.1.2-2.448.el6_6.4
          oval oval:com.redhat.rhsa:tst:20151087011
        • comment qemu-img is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345008
      • AND
        • comment qemu-kvm is earlier than 2:0.12.1.2-2.448.el6_6.4
          oval oval:com.redhat.rhsa:tst:20151087009
        • comment qemu-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345006
      • AND
        • comment qemu-kvm-tools is earlier than 2:0.12.1.2-2.448.el6_6.4
          oval oval:com.redhat.rhsa:tst:20151087007
        • comment qemu-kvm-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345010
    rhsa
    id RHSA-2015:1087
    released 2015-06-10
    severity Important
    title RHSA-2015:1087: qemu-kvm security update (Important)
  • bugzilla
    id 1225882
    title CVE-2015-3209 qemu: pcnet: multi-tmd buffer overflow in the tx path
    oval
    AND
    • comment Red Hat Enterprise Linux 5 is installed
      oval oval:com.redhat.rhsa:tst:20070055001
    • OR
      • AND
        • comment kmod-kvm is earlier than 0:83-273.el5_11
          oval oval:com.redhat.rhsa:tst:20151189006
        • comment kmod-kvm is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091465005
      • AND
        • comment kmod-kvm-debug is earlier than 0:83-273.el5_11
          oval oval:com.redhat.rhsa:tst:20151189010
        • comment kmod-kvm-debug is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20110028007
      • AND
        • comment kvm is earlier than 0:83-273.el5_11
          oval oval:com.redhat.rhsa:tst:20151189008
        • comment kvm is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091465003
      • AND
        • comment kvm-qemu-img is earlier than 0:83-273.el5_11
          oval oval:com.redhat.rhsa:tst:20151189002
        • comment kvm-qemu-img is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091465007
      • AND
        • comment kvm-tools is earlier than 0:83-273.el5_11
          oval oval:com.redhat.rhsa:tst:20151189004
        • comment kvm-tools is signed with Red Hat redhatrelease key
          oval oval:com.redhat.rhsa:tst:20091465009
    rhsa
    id RHSA-2015:1189
    released 2015-06-25
    severity Important
    title RHSA-2015:1189: kvm security update (Important)
  • rhsa
    id RHSA-2015:1088
  • rhsa
    id RHSA-2015:1089
rpms
  • qemu-guest-agent-2:0.12.1.2-2.448.el6_6.4
  • qemu-img-2:0.12.1.2-2.448.el6_6.4
  • qemu-kvm-2:0.12.1.2-2.448.el6_6.4
  • qemu-kvm-tools-2:0.12.1.2-2.448.el6_6.4
  • kmod-kvm-0:83-273.el5_11
  • kmod-kvm-debug-0:83-273.el5_11
  • kvm-0:83-273.el5_11
  • kvm-qemu-img-0:83-273.el5_11
  • kvm-tools-0:83-273.el5_11
refmap via4
bid 75123
confirm
debian
  • DSA-3284
  • DSA-3285
  • DSA-3286
fedora
  • FEDORA-2015-10001
  • FEDORA-2015-9965
  • FEDORA-2015-9978
gentoo
  • GLSA-201510-02
  • GLSA-201604-03
sectrack 1032545
suse
  • SUSE-SU-2015:1042
  • SUSE-SU-2015:1045
  • SUSE-SU-2015:1152
  • SUSE-SU-2015:1156
  • SUSE-SU-2015:1157
  • SUSE-SU-2015:1206
  • SUSE-SU-2015:1426
  • SUSE-SU-2015:1519
  • SUSE-SU-2015:1643
ubuntu USN-2630-1
Last major update 30-12-2016 - 21:59
Published 15-06-2015 - 11:59
Last modified 04-01-2018 - 21:30
Back to Top