ID CVE-2015-4105
Summary Xen 3.3.x through 4.5.x enables logging for PCI MSI-X pass-through error messages, which allows local x86 HVM guests to cause a denial of service (host disk consumption) via certain invalid operations.
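The pattern behind this record, shown as an added example rather than Xen or QEMU code: the device model (running in the control domain, dom0) handled guest writes to a pass-through device's MSI-X table and emitted a log line for every access it judged invalid. Because the guest decides how often that path is taken, the guest also decides how fast dom0's log file grows, which is exactly the host disk exhaustion the summary describes. The hardened handler mirrors the upstream fix ("xen/MSI-X: disable logging by default") and additionally caps the message count once an administrator turns logging on. The table geometry, the validity rule, the state struct and all function names are assumptions made for this illustration; the byte-counting log sink stands in for the real log file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated log sink: count the bytes that would have reached dom0's disk. */
static size_t log_bytes_written;

static void log_write(const char *msg)
{
    log_bytes_written += strlen(msg) + 1;   /* +1 for the trailing newline */
}

size_t log_bytes(void) { return log_bytes_written; }
void log_reset(void) { log_bytes_written = 0; }

/* Assumed table geometry: 16 entries of 16 bytes (PCI MSI-X entry size). */
#define MSIX_TABLE_ENTRIES 16u
#define MSIX_ENTRY_SIZE    16u
#define MSIX_TABLE_BYTES   (MSIX_TABLE_ENTRIES * MSIX_ENTRY_SIZE)

/* A guest MMIO access is treated as valid only if it is a naturally aligned
 * 4- or 8-byte access that stays inside the table (assumed rule). */
bool msix_access_valid(uint64_t offset, unsigned size)
{
    if (size != 4 && size != 8)
        return false;
    if (offset % size != 0)
        return false;
    return offset + size <= MSIX_TABLE_BYTES;
}

/* Vulnerable pattern: every invalid guest access produces a log line.
 * The guest controls the loop count, so it controls the log growth. */
void msix_table_write_vuln(uint64_t offset, unsigned size)
{
    char buf[96];

    if (!msix_access_valid(offset, size)) {
        snprintf(buf, sizeof buf,
                 "msix: invalid table write offset=0x%llx size=%u",
                 (unsigned long long)offset, size);
        log_write(buf);
        return;
    }
    /* ... update the emulated table entry (omitted) ... */
}

/* Hardened pattern, what "disable logging by default" buys: no output unless
 * an administrator opts in, and a hard per-device message budget even then. */
struct msix_state {
    bool     logging_enabled;   /* default: false */
    unsigned log_budget;        /* messages still allowed while enabled */
};

void msix_table_write_fixed(struct msix_state *st, uint64_t offset, unsigned size)
{
    char buf[96];

    if (!msix_access_valid(offset, size)) {
        if (st->logging_enabled && st->log_budget > 0) {
            st->log_budget--;
            snprintf(buf, sizeof buf,
                     "msix: invalid table write offset=0x%llx size=%u",
                     (unsigned long long)offset, size);
            log_write(buf);
            if (st->log_budget == 0)
                log_write("msix: further invalid-access messages suppressed");
        }
        return;
    }
    /* ... update the emulated table entry (omitted) ... */
}

/* Drive n misaligned writes (offset 3, width 4) through each handler and
 * report how many log bytes the guest managed to generate. */
size_t bytes_logged_vuln(unsigned n)
{
    log_reset();
    for (unsigned i = 0; i < n; i++)
        msix_table_write_vuln(3, 4);
    return log_bytes();
}

size_t bytes_logged_fixed(unsigned n, bool enabled, unsigned budget)
{
    struct msix_state st = { .logging_enabled = enabled, .log_budget = budget };

    log_reset();
    for (unsigned i = 0; i < n; i++)
        msix_table_write_fixed(&st, 3, 4);
    return log_bytes();
}

int main(void)
{
    printf("vulnerable, 1000 invalid writes:        %zu bytes\n", bytes_logged_vuln(1000));
    printf("fixed (default off), 1000 writes:       %zu bytes\n", bytes_logged_fixed(1000, false, 8));
    printf("fixed (enabled, budget 8), 1000 writes: %zu bytes\n", bytes_logged_fixed(1000, true, 8));
    return 0;
}
```

The vulnerable handler's output scales linearly with the number of guest writes, so a loop in the guest is the whole "exploit"; the fixed handler emits nothing by default and a bounded amount when enabled. The same check applies to any guest-triggerable diagnostic in a device model or hypervisor: if the guest picks the iteration count, the message needs to be off, rate-limited or budgeted.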
References
Vulnerable Configurations
  • Xen 3.3.0
    cpe:2.3:o:xen:xen:3.3.0
  • Xen 3.3.1
    cpe:2.3:o:xen:xen:3.3.1
  • Xen 3.3.2
    cpe:2.3:o:xen:xen:3.3.2
  • Xen 3.4.0
    cpe:2.3:o:xen:xen:3.4.0
  • Xen 3.4.1
    cpe:2.3:o:xen:xen:3.4.1
  • Xen 3.4.2
    cpe:2.3:o:xen:xen:3.4.2
  • Xen 3.4.3
    cpe:2.3:o:xen:xen:3.4.3
  • Xen 3.4.4
    cpe:2.3:o:xen:xen:3.4.4
  • Xen 4.0.0
    cpe:2.3:o:xen:xen:4.0.0
  • Xen 4.0.1
    cpe:2.3:o:xen:xen:4.0.1
  • Xen 4.0.2
    cpe:2.3:o:xen:xen:4.0.2
  • Xen 4.0.3
    cpe:2.3:o:xen:xen:4.0.3
  • Xen 4.0.4
    cpe:2.3:o:xen:xen:4.0.4
  • Xen 4.1.0
    cpe:2.3:o:xen:xen:4.1.0
  • Xen 4.1.1
    cpe:2.3:o:xen:xen:4.1.1
  • Xen 4.1.2
    cpe:2.3:o:xen:xen:4.1.2
  • Xen 4.1.3
    cpe:2.3:o:xen:xen:4.1.3
  • Xen 4.1.4
    cpe:2.3:o:xen:xen:4.1.4
  • Xen 4.1.5
    cpe:2.3:o:xen:xen:4.1.5
  • Xen 4.1.6.1
    cpe:2.3:o:xen:xen:4.1.6.1
  • Xen 4.2.0
    cpe:2.3:o:xen:xen:4.2.0
  • Xen 4.2.1
    cpe:2.3:o:xen:xen:4.2.1
  • Xen 4.2.2
    cpe:2.3:o:xen:xen:4.2.2
  • Xen 4.2.2 (x86)
    cpe:2.3:o:xen:xen:4.2.2:-:-:-:-:-:x86
  • Xen 4.3.0
    cpe:2.3:o:xen:xen:4.3.0
  • Xen 4.3.1
    cpe:2.3:o:xen:xen:4.3.1
  • Xen 4.3.2
    cpe:2.3:o:xen:xen:4.3.2
  • Xen 4.3.4
    cpe:2.3:o:xen:xen:4.3.4
  • Xen 4.4.0
    cpe:2.3:o:xen:xen:4.4.0
  • Xen 4.4.1
    cpe:2.3:o:xen:xen:4.4.1
  • Xen 4.5.0
    cpe:2.3:o:xen:xen:4.5.0
CVSS
Base: 4.9 (as of 30-12-2016 - 14:29)
CWE CWE-399
CAPEC
Access
Vector: LOCAL  Complexity: LOW  Authentication: NONE
Impact
Confidentiality: NONE  Integrity: NONE  Availability: COMPLETE
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201604-03.NASL
    description The remote host is affected by the vulnerability described in GLSA-201604-03 (Xen: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. Impact : A local attacker could possibly cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 90380
    published 2016-04-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90380
    title GLSA-201604-03 : Xen: Multiple vulnerabilities (Venom)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_CBE1A0F927E911E5A4A5002590263BF5.NASL
    description The Xen Project reports : Device model code dealing with guest PCI MSI-X interrupt management activities logs messages on certain (supposedly) invalid guest operations. A buggy or malicious guest repeatedly invoking such operations may result in the host disk to fill up, possibly leading to a Denial of Service.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84713
    published 2015-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84713
    title FreeBSD : xen-tools -- Guest triggerable qemu MSI-X pass-through error messages (cbe1a0f9-27e9-11e5-a4a5-002590263bf5)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-9965.NASL
    description Heap overflow in QEMU PCNET controller, allowing guest->host escape [XSA-135, CVE-2015-3209] (#1230537) GNTTABOP_swap_grant_ref operation misbehavior [XSA-134, CVE-2015-4163] vulnerability in the iret hypercall handler [XSA-136, CVE-2015-4164] Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103], PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104], Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105], Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-01-03
    plugin id 84378
    published 2015-06-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84378
    title Fedora 20 : xen-4.3.4-6.fc20 (2015-9965)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0012.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - XSA-125: Limit XEN_DOMCTL_memory_mapping hypercall to only process up to 64 GFNs (or less) (Jan Beulich) [20732412] (CVE-2015-2752) - XSA-126: xen: limit guest control of PCI command register (Jan Beulich) [20739399] (CVE-2015-2756) - XSA-128: xen: properly gate host writes of modified PCI CFG contents (Jan Beulich) [21157440] (CVE-2015-4103) - XSA-129: xen: don't allow guest to control MSI mask register (Jan Beulich) [21158692] (CVE-2015-4104) - XSA-130: xen/MSI-X: disable logging by default (Jan Beulich) [21159408] (CVE-2015-4105) - XSA-131: [PATCH 1/8] xen/MSI: don't open-code pass-through of enable bit modifications (Jan Beulich) [21164529] (CVE-2015-4106) - XSA-131: [PATCH 2/8] xen/pt: consolidate PM capability emu_mask [21164529] (CVE-2015-4106) - XSA-131: [PATCH 3/8] xen/pt: correctly handle PM status bit [21164529] (CVE-2015-4106) - XSA-131: [PATCH 4/8] xen/pt: split out calculation of throughable mask in PCI config space handling [21164529] (CVE-2015-4106) - XSA-131: [PATCH 5/8] xen/pt: mark all PCIe capability bits read-only [21164529] (CVE-2015-4106) - XSA-131: [PATCH 6/8] xen/pt: mark reserved bits in PCI config space fields [21164529] (CVE-2015-4106) - XSA-131: [PATCH 7/8] xen/pt: add a few PCI config space field descriptions [21164529] (CVE-2015-4106) - XSA-131: [PATCH 8/8] xen/pt: unknown PCI config space fields should be read-only [21164529] (CVE-2015-4106)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 88737
    published 2016-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88737
    title OracleVM 2.2 : xen (OVMSA-2016-0012)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-9466.NASL
    description Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103], PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104], Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105], Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-01-03
    plugin id 84178
    published 2015-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84178
    title Fedora 21 : xen-4.4.2-5.fc21 (2015-9466)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0064.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2015-0064 for details.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 83967
    published 2015-06-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83967
    title OracleVM 3.3 : xen (OVMSA-2015-0064)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-434.NASL
    description Xen was updated to 4.4.2 to fix multiple vulnerabilities and non-security bugs. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-3456: Fixed a buffer overflow in the floppy drive emulation, which could be used for denial of service attacks or potential code execution against the host. - CVE-2015-3340: Xen did not initialize certain fields, which allowed certain remote service domains to obtain sensitive information from memory via a (1) XEN_DOMCTL_gettscinfo or (2) XEN_SYSCTL_getdomaininfolist request. - CVE-2015-2752: Long latency MMIO mapping operations are not preemptible (XSA-125 boo#922705) - CVE-2015-2756: Unmediated PCI command register access in qemu (XSA-126 boo#922706) - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-2151: Hypervisor memory corruption due to x86 emulator flaw (boo#919464 XSA-123) - CVE-2015-2045: Information leak through version information hypercall (boo#918998 XSA-122) - CVE-2015-2044: Information leak via internal x86 system device emulation (boo#918995 XSA-121) - CVE-2015-2152: HVM qemu unexpectedly enabling emulated VGA graphics backends (boo#919663 XSA-119) - CVE-2014-3615: information leakage when guest sets high resolution (boo#895528) The following non-security bugs were fixed : - xentop: Fix memory leak on read failure - boo#923758: xen dmesg contains bogus output in early boot - boo#921842: Xentop doesn't display disk statistics for VMs using qdisks - boo#919098: L3: XEN blktap device intermittently fails to connect - boo#882089: Windows 2012 R2 fails to boot up with greater than 60 vcpus - boo#903680: Problems with detecting free loop devices on Xen guest startup - boo#861318: xentop reports 'Found interface vif101.0 but domain 101 does not exist.' - boo#901488: Intel ixgbe driver assigns rx/tx queues per core resulting in irq problems on servers with a large amount of CPU cores - boo#910254: SLES11 SP3 Xen VT-d igb NIC doesn't work - boo#912011: high ping latency after upgrade to latest SLES11SP3 on xen Dom0 - boo#906689: let systemd schedule xencommons after network-online.target and remote-fs.target so that xendomains has access to remote shares The following functionality was enabled or enhanced : - Enable spice support in qemu for x86_64 - Add Qxl vga support - Enhancement to virsh/libvirtd 'send-key' command (FATE#317240) - Add domain_migrate_constraints_set API to Xend's http interface (FATE#317239)
    last seen 2019-02-21
    modified 2015-10-22
    plugin id 84333
    published 2015-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84333
    title openSUSE Security Update : xen (openSUSE-2015-434) (Venom)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-9456.NASL
    description replace deprecated gnutls use in qemu-xen-traditional based on qemu-xen patches, work around a gcc 5 bug, Potential unintended writes to host MSI message data field via qemu [XSA-128, CVE-2015-4103], PCI MSI mask bits inadvertently exposed to guests [XSA-129, CVE-2015-4104], Guest triggerable qemu MSI-X pass-through error messages [XSA-130, CVE-2015-4105], Unmediated PCI register access in qemu [XSA-131, CVE-2015-4106] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-01-03
    plugin id 84177
    published 2015-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84177
    title Fedora 22 : xen-4.5.0-10.fc22 (2015-9456)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1156-1.NASL
    description Xen was updated to fix six security issues : CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bsc#931625) CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bsc#931626) CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bsc#931627) CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bsc#931628) CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84468
    published 2015-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84468
    title SUSE SLES11 Security Update : Xen (SUSE-SU-2015:1156-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0063.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - xen/pt: unknown PCI config space fields should be read-only ... by default. Add a per-device 'permissive' mode similar to pciback's to allow restoring previous behavior (and hence break security again, i.e. should be used only for trusted guests). This is part of XSA-131. (CVE-2015-4106) - xen/pt: add a few PCI config space field descriptions Since the next patch will turn all not explicitly described fields read-only by default, those fields that have guest writable bits need to be given explicit descriptors. This is a preparatory patch for XSA-131. (CVE-2015-4106) - xen/pt: mark reserved bits in PCI config space fields The adjustments are solely to make the subsequent patches work right (and hence make the patch set consistent), namely if permissive mode (introduced by the last patch) gets used (as both reserved registers and reserved fields must be similarly protected from guest access in default mode, but the guest should be allowed access to them in permissive mode). This is a preparatory patch for XSA-131. (CVE-2015-4106) - xen/pt: mark all PCIe capability bits read-only xen_pt_emu_reg_pcie[]'s PCI_EXP_DEVCAP needs to cover all bits as read-only to avoid unintended write-back (just a precaution, the field ought to be read-only in hardware). This is a preparatory patch for XSA-131. (CVE-2015-4106) - xen/pt: split out calculation of throughable mask in PCI config space handling This is just to avoid having to adjust that calculation later in multiple places. Note that including ->ro_mask in get_throughable_mask's calculation is only an apparent (i.e. benign) behavioral change: For r/o fields it doesn't matter whether they get passed through - either the same flag is also set in emu_mask (then there's no change at all) or the field is r/o in hardware (and hence a write won't change it anyway). This is a preparatory patch for XSA-131. (CVE-2015-4106) - xen/pt: correctly handle PM status bit xen_pt_pmcsr_reg_write needs an adjustment to deal with the RW1C nature of the not passed through bit 15 (PCI_PM_CTRL_PME_STATUS). This is a preparatory patch for XSA-131. (CVE-2015-4106) - xen/pt: consolidate PM capability emu_mask There's no point in xen_pt_pmcsr_reg_[read,write] each ORing PCI_PM_CTRL_STATE_MASK and PCI_PM_CTRL_NO_SOFT_RESET into a local emu_mask variable - we can have the same effect by setting the field descriptor's emu_mask member suitably right away. Note that xen_pt_pmcsr_reg_write is being retained in order to allow later patches to be less intrusive. This is a preparatory patch for XSA-131. (CVE-2015-4106) - xen/MSI: don't open-code pass-through of enable bit modifications Without this the actual XSA-131 fix would cause the enable bit to not get set anymore (due to the write back getting suppressed there based on the OR of emu_mask, ro_mask, and res_mask). Note that the fiddling with the enable bit shouldn't really be done by qemu, but making this work right (via libxc and the hypervisor) will require more extensive changes, which can be postponed until after the security issue got addressed. This is a preparatory patch for XSA-131. (CVE-2015-4106) - xen/MSI-X: disable logging by default ... to avoid allowing the guest to cause the control domain's disk to fill. This is XSA-130. (CVE-2015-4105) - xen: don't allow guest to control MSI mask register It's being used by the hypervisor. For now simply mimic a device not capable of masking, and fully emulate any accesses a guest may issue nevertheless as simple reads/writes without side effects. This is XSA-129. (CVE-2015-4104) - xen: properly gate host writes of modified PCI CFG contents The old logic didn't work as intended when an access spanned multiple fields (for example a 32-bit access to the location of the MSI Message Data field with the high 16 bits not being covered by any known field). Remove it and derive which fields not to write to from the accessed fields' emulation masks: When they're all ones, there's no point in doing any host write. This fixes a secondary issue at once: We obviously shouldn't make any host write attempt when already the host read failed. This is XSA-128. Conflicts: tools/ioemu-remote/hw/pass-through.c (CVE-2015-4103)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 83966
    published 2015-06-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83966
    title OracleVM 3.2 : xen (OVMSA-2015-0063)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1157-1.NASL
    description Xen was updated to fix six security issues : CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bsc#931625) CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bsc#931626) CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bsc#931627) CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bsc#931628) CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bsc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bsc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84469
    published 2015-06-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84469
    title SUSE SLES11 Security Update : Xen (SUSE-SU-2015:1157-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2630-1.NASL
    description Matt Tait discovered that QEMU incorrectly handled the virtual PCNET driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3209) Kurt Seifried discovered that QEMU incorrectly handled certain temporary files. A local attacker could use this issue to cause a denial of service. (CVE-2015-4037) Jan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the host MSI message data field. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4103) Jan Beulich discovered that the QEMU Xen code incorrectly restricted access to the PCI MSI mask bits. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4104) Jan Beulich discovered that the QEMU Xen code incorrectly handled MSI-X error messages. A malicious guest could use this issue to cause a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4105) Jan Beulich discovered that the QEMU Xen code incorrectly restricted write access to the PCI config space. A malicious guest could use this issue to cause a denial of service, obtain sensitive information, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 14.10 and Ubuntu 15.04. (CVE-2015-4106). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 84118
    published 2015-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84118
    title Ubuntu 12.04 LTS / 14.04 LTS / 14.10 / 15.04 : qemu, qemu-kvm vulnerabilities (USN-2630-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-435.NASL
    description Xen was updated to fix eight vulnerabilities. The following vulnerabilities were fixed : - CVE-2015-2751: Certain domctl operations may be abused to lock up the host (XSA-127 boo#922709) - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (boo#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (boo#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (boo#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (boo#931628) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (boo#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (boo#932770) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (boo#932996)
    last seen 2019-02-21
    modified 2015-06-23
    plugin id 84334
    published 2015-06-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84334
    title openSUSE Security Update : xen (openSUSE-2015-435)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1045-1.NASL
    description Xen was updated to fix seven security vulnerabilities : CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu. (XSA-128, bnc#931625) CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests. (XSA-129, bnc#931626) CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages. (XSA-130, bnc#931627) CVE-2015-4106: Unmediated PCI register access in qemu. (XSA-131, bnc#931628) CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior. (XSA-134, bnc#932790) CVE-2015-3209: Heap overflow in qemu pcnet controller allowing guest to host escape. (XSA-135, bnc#932770) CVE-2015-4164: DoS through iret hypercall handler. (XSA-136, bnc#932996) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84190
    published 2015-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84190
    title SUSE SLED11 / SLES11 Security Update : Xen (SUSE-SU-2015:1045-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1042-1.NASL
    description Xen was updated to fix seven security issues and one non-security bug. The following vulnerabilities were fixed : - CVE-2015-4103: Potential unintended writes to host MSI message data field via qemu (XSA-128) (bnc#931625) - CVE-2015-4104: PCI MSI mask bits inadvertently exposed to guests (XSA-129) (bnc#931626) - CVE-2015-4105: Guest triggerable qemu MSI-X pass-through error messages (XSA-130) (bnc#931627) - CVE-2015-4106: Unmediated PCI register access in qemu (XSA-131) (bnc#931628) - CVE-2015-4163: GNTTABOP_swap_grant_ref operation misbehavior (XSA-134) (bnc#932790) - CVE-2015-3209: heap overflow in qemu pcnet controller allowing guest to host escape (XSA-135) (bnc#932770) - CVE-2015-4164: DoS through iret hypercall handler (XSA-136) (bnc#932996) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84146
    published 2015-06-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84146
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:1042-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3286.NASL
    description Multiple security issues have been found in the Xen virtualisation solution : - CVE-2015-3209 Matt Tait discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. - CVE-2015-4103 Jan Beulich discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service. - CVE-2015-4104 Jan Beulich discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service. - CVE-2015-4105 Jan Beulich reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service. - CVE-2015-4106 Jan Beulich discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code. - CVE-2015-4163 Jan Beulich discovered that a missing version check in the GNTTABOP_swap_grant_ref hypercall handler may result in denial of service. This only applies to Debian stable/jessie. - CVE-2015-4164 Andrew Cooper discovered a vulnerability in the iret hypercall handler, which may result in denial of service.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84169
    published 2015-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84169
    title Debian DSA-3286-1 : xen - security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3284.NASL
    description Several vulnerabilities were discovered in qemu, a fast processor emulator. - CVE-2015-3209 Matt Tait of Google's Project Zero security team discovered a flaw in the way QEMU's AMD PCnet Ethernet emulation handles multi-TMD packets with a length above 4096 bytes. A privileged guest user in a guest with an AMD PCNet ethernet card enabled can potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. - CVE-2015-4037 Kurt Seifried of Red Hat Product Security discovered that QEMU's user mode networking stack uses predictable temporary file names when the -smb option is used. An unprivileged user can use this flaw to cause a denial of service. - CVE-2015-4103 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the host MSI message data field, allowing a malicious guest to cause a denial of service. - CVE-2015-4104 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict access to PCI MSI mask bits, allowing a malicious guest to cause a denial of service. - CVE-2015-4105 Jan Beulich of SUSE reported that the QEMU Xen code enables logging for PCI MSI-X pass-through error messages, allowing a malicious guest to cause a denial of service. - CVE-2015-4106 Jan Beulich of SUSE discovered that the QEMU Xen code does not properly restrict write access to the PCI config space for certain PCI pass-through devices, allowing a malicious guest to cause a denial of service, obtain sensitive information or potentially execute arbitrary code.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 84167
    published 2015-06-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84167
    title Debian DSA-3284-1 : qemu - security update
refmap via4
bid 74948
confirm
debian
  • DSA-3284
  • DSA-3286
fedora
  • FEDORA-2015-9456
  • FEDORA-2015-9466
  • FEDORA-2015-9965
gentoo GLSA-201604-03
sectrack 1032465
suse
  • SUSE-SU-2015:1042
  • SUSE-SU-2015:1045
  • SUSE-SU-2015:1156
  • SUSE-SU-2015:1157
ubuntu USN-2630-1
Last major update 30-12-2016 - 21:59
Published 03-06-2015 - 16:59
Last modified 14-11-2017 - 21:29