ID CVE-2015-5165
Summary The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.
References
Vulnerable Configurations
  • Xen Xen 4.5.0
    cpe:2.3:o:xen:xen:4.5.0
  • Xen Xen 4.5.1
    cpe:2.3:o:xen:xen:4.5.1
  • Fedora 21
    cpe:2.3:o:fedoraproject:fedora:21
  • Fedora 22
    cpe:2.3:o:fedoraproject:fedora:22
CVSS
Base: 5.0 (as of 30-03-2016 - 16:31)
Impact:
Exploitability:
CWE CWE-200
CAPEC
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Using Slashes in Alternate Encoding
    This attack targets the encoding of the Slash characters. An attacker would try to exploit common filtering problems related to the use of the slashes characters to gain access to resources on the target host. Directory-driven systems, such as file systems and databases, typically use the slash character to indicate traversal between directories or other container components. For murky historical reasons, PCs (and, as a result, Microsoft OSs) choose to use a backslash, whereas the UNIX world typically makes use of the forward slash. The schizophrenic result is that many MS-based systems are required to understand both forms of the slash. This gives the attacker many opportunities to discover and abuse a number of common filtering problems. The goal of this pattern is to discover server software that only applies filters to one version, but not the other.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL NONE NONE
nessus via4
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0112.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates in xen.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 85237
    published 2015-08-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85237
    title OracleVM 3.2 : xen (OVMSA-2015-0112)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1643-1.NASL
    description Xen was updated to fix the following security issues : CVE-2015-5154: Host code execution via IDE subsystem CD-ROM. (bsc#938344) CVE-2015-3209: Heap overflow in QEMU's pcnet controller allowing guest to host escape. (bsc#932770) CVE-2015-4164: DoS through iret hypercall handler. (bsc#932996) CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model. (XSA-140, bsc#939712) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 86203
    published 2015-09-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86203
    title SUSE SLES10 Security Update : Xen (SUSE-SU-2015:1643-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-729.NASL
    description xen was updated to fix 13 security issues. These security issues were fixed : - CVE-2015-7972: Populate-on-demand balloon size inaccuracy can crash guests (bsc#951845). - CVE-2015-7969: Leak of main per-domain vcpu pointer array (DoS) (bsc#950703). - CVE-2015-7969: Leak of per-domain profiling-related vcpu pointer array (DoS) (bsc#950705). - CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (bsc#950706). - CVE-2015-4037: Insecure temporary file use in /net/slirp.c (bsc#932267). - CVE-2014-0222: Validate L2 table size to avoid integer overflows (bsc#877642). - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests (bsc#950367). - CVE-2015-7311: libxl fails to honour readonly flag on disks with qemu-xen (bsc#947165). - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (bsc#939712). - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol (bsc#939709). - CVE-2015-5239: Integer overflow in vnc_client_read() and protocol_client_msg() (bsc#944463). - CVE-2015-6815: e1000: infinite loop issue (bsc#944697). - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). This non-security issues was fixed : - bsc#941074: VmError: Device 51728 (vbd) could not be connected. Hotplug scripts not working.
    last seen 2019-02-21
    modified 2015-11-13
    plugin id 86863
    published 2015-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86863
    title openSUSE Security Update : xen (openSUSE-2015-729)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-13402.NASL
    description - Rebased to version 2.3.1 - Fix crash in qemu_spice_create_display (bz #1163047) - Fix qemu-img map crash for unaligned image (bz #1229394) - CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536) - CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728) - CVE-2015-5158: scsi stack-based buffer overflow (bz #1246025) - CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz #1247141) - CVE-2015-5166: BlockBackend object use after free issue (bz #1249758) - CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160) - CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest (bz #1249755) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 85480
    published 2015-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85480
    title Fedora 22 : qemu-2.3.1-1.fc22 (2015-13402)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-13358.NASL
    description - Rebased to version 2.4.0 * Support for virtio-gpu, 2D only * Support for virtio-based keyboard/mouse/tablet emulation * x86 support for memory hot-unplug - ACPI v5.1 table support for 'virt' board * CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536) * CVE-2015-3214: i8254: out-of- bounds memory access (bz #1243728) * CVE-2015-5158: scsi stack-based buffer overflow (bz #1246025) * CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz #1247141) * CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest (bz #1249755) * CVE-2015-5166: BlockBackend object use after free issue (bz #1249758) * CVE-2015-5745: buffer overflow in virtio- serial (bz #1251160) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 85592
    published 2015-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85592
    title Fedora 23 : qemu-2.4.0-1.fc23 (2015-13358)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-479.NASL
    description This security update fixes a number of security issues in Xen in wheezy. For Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.1-1+deb7u1. We recommend that you upgrade your libidn packages. CVE-2015-2752 The XEN_DOMCTL_memory_mapping hypercall in Xen 3.2.x through 4.5.x, when using a PCI passthrough device, is not preemptable, which allows local x86 HVM domain users to cause a denial of service (host CPU consumption) via a crafted request to the device model (qemu-dm). CVE-2015-2756 QEMU, as used in Xen 3.3.x through 4.5.x, does not properly restrict access to PCI command registers, which might allow local HVM guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response. CVE-2015-5165 The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors. CVE-2015-5307 The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #AC (aka Alignment Check) exceptions, related to svm.c and vmx.c. CVE-2015-7969 Multiple memory leaks in Xen 4.0 through 4.6.x allow local guest administrators or domains with certain permission to cause a denial of service (memory consumption) via a large number of 'teardowns' of domains with the vcpu pointer array allocated using the (1) XEN_DOMCTL_max_vcpus hypercall or the xenoprofile state vcpu pointer array allocated using the (2) XENOPROF_get_buffer or (3) XENOPROF_set_passive hypercall. CVE-2015-7970 The p2m_pod_emergency_sweep function in arch/x86/mm/p2m-pod.c in Xen 3.4.x, 3.5.x, and 3.6.x is not preemptible, which allows local x86 HVM guest administrators to cause a denial of service (CPU consumption and possibly reboot) via crafted memory contents that triggers a 'time-consuming linear scan,' related to Populate-on-Demand. CVE-2015-7971 Xen 3.2.x through 4.6.x does not limit the number of printk console messages when logging certain pmu and profiling hypercalls, which allows local guests to cause a denial of service via a sequence of crafted (1) HYPERCALL_xenoprof_op hypercalls, which are not properly handled in the do_xenoprof_op function in common/xenoprof.c, or (2) HYPERVISOR_xenpmu_op hypercalls, which are not properly handled in the do_xenpmu_op function in arch/x86/cpu/vpmu.c. CVE-2015-7972 The (1) libxl_set_memory_target function in tools/libxl/libxl.c and (2) libxl__build_post function in tools/libxl/libxl_dom.c in Xen 3.4.x through 4.6.x do not properly calculate the balloon size when using the populate-on-demand (PoD) system, which allows local HVM guest users to cause a denial of service (guest crash) via unspecified vectors related to 'heavy memory pressure.' CVE-2015-8104 The KVM subsystem in the Linux kernel through 4.2.6, and Xen 4.3.x through 4.6.x, allows guest OS users to cause a denial of service (host OS panic or hang) by triggering many #DB (aka Debug) exceptions, related to svm.c. CVE-2015-8339 The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly hand back pages to a domain, which might allow guest OS administrators to cause a denial of service (host crash) via unspecified vectors related to domain teardown. CVE-2015-8340 The memory_exchange function in common/memory.c in Xen 3.2.x through 4.6.x does not properly release locks, which might allow guest OS administrators to cause a denial of service (deadlock or host crash) via unspecified vectors, related to XENMEM_exchange error handling. CVE-2015-8550 Xen, when used on a system providing PV backends, allows local guest OS administrators to cause a denial of service (host OS crash) or gain privileges by writing to memory shared between the frontend and backend, aka a double fetch vulnerability. CVE-2015-8554 Buffer overflow in hw/pt-msi.c in Xen 4.6.x and earlier, when using the qemu-xen-traditional (aka qemu-dm) device model, allows local x86 HVM guest administrators to gain privileges by leveraging a system with access to a passed-through MSI-X capable physical PCI device and MSI-X table entries, related to a 'write path.' CVE-2015-8555 Xen 4.6.x, 4.5.x, 4.4.x, 4.3.x, and earlier do not initialize x86 FPU stack and XMM registers when XSAVE/XRSTOR are not used to manage guest extended register state, which allows local guest domains to obtain sensitive information from other domains via unspecified vectors. CVE-2015-8615 The hvm_set_callback_via function in arch/x86/hvm/irq.c in Xen 4.6 does not limit the number of printk console messages when logging the new callback method, which allows local HVM guest OS users to cause a denial of service via a large number of changes to the callback method (HVM_PARAM_CALLBACK_IRQ). CVE-2016-1570 The PV superpage functionality in arch/x86/mm.c in Xen 3.4.0, 3.4.1, and 4.1.x through 4.6.x allows local PV guests to obtain sensitive information, cause a denial of service, gain privileges, or have unspecified other impact via a crafted page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2) MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3) unknown vectors related to page table updates. CVE-2016-1571 The paging_invlpg function in include/asm-x86/paging.h in Xen 3.3.x through 4.6.x, when using shadow mode paging or nested virtualization is enabled, allows local HVM guest users to cause a denial of service (host crash) via a non-canonical guest address in an INVVPID instruction, which triggers a hypervisor bug check. CVE-2016-2270 Xen 4.6.x and earlier allows local guest administrators to cause a denial of service (host reboot) via vectors related to multiple mappings of MMIO pages with different cachability settings. CVE-2016-2271 VMX in Xen 4.6.x and earlier, when using an Intel or Cyrix CPU, allows local HVM guest users to cause a denial of service (guest crash) via vectors related to a non-canonical RIP. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 91198
    published 2016-05-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91198
    title Debian DLA-479-1 : xen security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-13404.NASL
    description - Fix crash in qemu_spice_create_display (bz #1163047) * CVE-2015-3209: pcnet: multi-tmd buffer overflow in the tx path (bz #1230536) * CVE-2015-3214: i8254: out-of-bounds memory access (bz #1243728) * CVE-2015-5154: ide: atapi: heap overflow during I/O buffer memory access (bz #1247141) * CVE-2015-5745: buffer overflow in virtio-serial (bz #1251160) * CVE-2015-5165: rtl8139 uninitialized heap memory information leakage to guest (bz #1249755) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 85727
    published 2015-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85727
    title Fedora 21 : qemu-2.1.3-9.fc21 (2015-13404)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1404-1.NASL
    description This security update of Xen fixes the following issues : - bsc#939712 (XSA-140): QEMU leak of uninitialized heap memory in rtl8139 device model (CVE-2015-5165) - bsc#939709 (XSA-139): Use after free in QEMU/Xen block unplug protocol (CVE-2015-5166) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 85532
    published 2015-08-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85532
    title SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:1404-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1384-1.NASL
    description This security update of Xen fixes the following issues : - bsc#939712 (XSA-140): QEMU leak of uninitialized heap memory in rtl8139 device model (CVE-2015-5165) - bsc#939709 (XSA-139): Use after free in QEMU/Xen block unplug protocol (CVE-2015-5166) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 85505
    published 2015-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85505
    title SUSE SLED12 / SLES12 Security Update : xen (SUSE-SU-2015:1384-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3348.NASL
    description Several vulnerabilities were discovered in qemu, a fast processor emulator. - CVE-2015-3214 Matt Tait of Google's Project Zero security team discovered a flaw in the QEMU i8254 PIT emulation. A privileged guest user in a guest with QEMU PIT emulation enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. - CVE-2015-5154 Kevin Wolf of Red Hat discovered a heap buffer overflow flaw in the IDE subsystem in QEMU while processing certain ATAPI commands. A privileged guest user in a guest with the CDROM drive enabled could potentially use this flaw to execute arbitrary code on the host with the privileges of the hosting QEMU process. - CVE-2015-5165 Donghai Zhu discovered that the QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation, allowing a malicious guest to read uninitialized memory from the QEMU process's heap. - CVE-2015-5225 Mr Qinghao Tang from QIHU 360 Inc. and Mr Zuozhi from Alibaba Inc discovered a buffer overflow flaw in the VNC display driver leading to heap memory corruption. A privileged guest user could use this flaw to mount a denial of service (QEMU process crash), or potentially to execute arbitrary code on the host with the privileges of the hosting QEMU process. - CVE-2015-5745 A buffer overflow vulnerability was discovered in the way QEMU handles the virtio-serial device. A malicious guest could use this flaw to mount a denial of service (QEMU process crash).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 85754
    published 2015-09-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85754
    title Debian DSA-3348-1 : qemu - security update
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150915_QEMU_KVM_ON_SL7_X.NASL
    description An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. (CVE-2015-5165) After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 85961
    published 2015-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85961
    title Scientific Linux Security Update : qemu-kvm on SL7.x x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-14361.NASL
    description Use after free in QEMU/Xen block unplug protocol [XSA-139, CVE-2015-5166] QEMU leak of uninitialized heap memory in rtl8139 device model [XSA-140, CVE-2015-5165] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 85728
    published 2015-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85728
    title Fedora 23 : xen-4.5.1-6.fc23 (2015-14361)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1833.NASL
    description Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. (CVE-2015-5165) Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Donghai Zhu of Alibaba as the original reporter. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86513
    published 2015-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86513
    title CentOS 6 : qemu-kvm (CESA-2015:1833)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL63519101.NASL
    description CVE-2014-8106 Heap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions. NOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320. CVE-2015-3209 Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set. CVE-2015-5165 The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors. CVE-2015-5279 Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets. CVE-2015-7504 Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode. CVE-2015-7512 Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet. Impact An attacker may be able to cause a denial of service (DoS) or execute arbitrary code if using the virtual drivers specified in these CVE descriptions.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 88770
    published 2016-02-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88770
    title F5 Networks BIG-IP : Multiple QEMU vulnerabilities (K63519101)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-15946.NASL
    description libxl fails to honour readonly flag on disks with qemu-xen [XSA-142 (possible fix)] ---- update to xen-4.4.3, including Use after free in QEMU/Xen block unplug protocol [XSA-139, CVE-2015-5166], QEMU leak of uninitialized heap memory in rtl8139 device model [XSA-140, CVE-2015-5165] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 86163
    published 2015-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86163
    title Fedora 21 : xen-4.4.3-3.fc21 (2015-15946)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0111.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates in xen
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 85236
    published 2015-08-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85236
    title OracleVM 3.3 : xen (OVMSA-2015-0111)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1421-1.NASL
    description Xen was updated to fix the following security issues : - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344) - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (XSA-140, bsc#939712) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 85598
    published 2015-08-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85598
    title SUSE SLES11 Security Update : xen (SUSE-SU-2015:1421-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-1833.NASL
    description From Red Hat Security Advisory 2015:1833 : Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. (CVE-2015-5165) Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Donghai Zhu of Alibaba as the original reporter. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 86095
    published 2015-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86095
    title Oracle Linux 6 : qemu-kvm (ELSA-2015-1833)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1408-1.NASL
    description This security update of Xen fixes the following issues : - bsc#939712 (XSA-140): QEMU leak of uninitialized heap memory in rtl8139 device model (CVE-2015-5165) - bsc#938344: qemu,kvm,xen: host code execution via IDE subsystem CD-ROM (CVE-2015-5154) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 85575
    published 2015-08-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85575
    title SUSE SLES11 Security Update : xen (SUSE-SU-2015:1408-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3349.NASL
    description Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution on x86 hardware. - CVE-2015-5165 Donghai Zhu discovered that the QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation, allowing a malicious guest to read uninitialized memory from the QEMU process's heap. - CVE-2015-5745 A buffer overflow vulnerability was discovered in the way QEMU handles the virtio-serial device. A malicious guest could use this flaw to mount a denial of service (QEMU process crash).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 85755
    published 2015-09-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85755
    title Debian DSA-3349-1 : qemu-kvm - security update
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1739.NASL
    description Updated qemu-kvm-rhev packages that fix one security issue are now available for Red Hat Enterprise Virtualization Hypervisor 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. (CVE-2015-5165) Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Donghai Zhu of Alibaba as the original reporter. All qemu-kvm-rhev users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 117307
    published 2018-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117307
    title RHEL 7 : qemu-kvm-rhev (RHSA-2015:1739)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1479-2.NASL
    description xen was updated to fix the following security issues : - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (bsc#939712, XSA-140) - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol (bsc#939709, XSA-139) - CVE-2015-2751: Certain domctl operations could have be used to lock up the host (bsc#922709, XSA-127) - CVE-2015-3259: xl command line config handling stack overflow (bsc#935634, XSA-137) - CVE-2015-4164: DoS through iret hypercall handler (bsc#932996, XSA-136) - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 85792
    published 2015-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85792
    title SUSE SLED11 Security Update : xen (SUSE-SU-2015:1479-2)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-750.NASL
    description xen was updated to fix 12 security issues. These security issues were fixed : - CVE-2015-7972: Populate-on-demand balloon size inaccuracy can crash guests (bsc#951845). - CVE-2015-7969: Leak of main per-domain vcpu pointer array (DoS) (bsc#950703). - CVE-2015-7969: Leak of per-domain profiling-related vcpu pointer array (DoS) (bsc#950705). - CVE-2015-7971: Some pmu and profiling hypercalls log without rate limiting (bsc#950706). - CVE-2015-4037: Insecure temporary file use in /net/slirp.c (bsc#932267). - CVE-2014-0222: Validate L2 table size to avoid integer overflows (bsc#877642). - CVE-2015-7835: Uncontrolled creation of large page mappings by PV guests (bsc#950367). - CVE-2015-7311: libxl fails to honour readonly flag on disks with qemu-xen (bsc#947165). - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (bsc#939712). - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol (bsc#939709). - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344). - CVE-2015-3259: xl command line config handling stack overflow (bsc#935634). These non-security issues were fixed : - bsc#907514: Bus fatal error and sles12 sudden reboot has been observed - bsc#910258: SLES12 Xen host crashes with FATAL NMI after shutdown of guest with VT-d NIC - bsc#918984: Bus fatal error and sles11-SP4 sudden reboot has been observed - bsc#923967: Partner-L3: Bus fatal error and sles11-SP3 sudden reboot has been observed - bsc#901488: Intel ixgbe driver assigns rx/tx queues per core resulting in irq problems on servers with a large amount of CPU cores - bsc#945167: Running command xl pci-assignable-add 03:10.1 secondly show errors - bsc#949138: Setting vcpu affinity under Xen causes libvirtd abort - bsc#944463: VUL-0: CVE-2015-5239: qemu-kvm: Integer overflow in vnc_client_read() and protocol_client_msg() - bsc#944697: VUL-1: CVE-2015-6815: qemu: net: e1000: infinite loop issue - bsc#925466: Kdump does not work in a XEN environment
    last seen 2019-02-21
    modified 2015-11-18
    plugin id 86909
    published 2015-11-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86909
    title openSUSE Security Update : xen (openSUSE-2015-750)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2724-1.NASL
    description It was discovered that QEMU incorrectly handled a PRDT with zero complete sectors in the IDE functionality. A malicious guest could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-9718) Donghai Zhu discovered that QEMU incorrectly handled the RTL8139 driver. A malicious guest could possibly use this issue to read sensitive information from arbitrary host memory. (CVE-2015-5165) Donghai Zhu discovered that QEMU incorrectly handled unplugging emulated block devices. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 15.04. (CVE-2015-5166) Qinghao Tang and Mr. Zuozhi discovered that QEMU incorrectly handled memory in the VNC display driver. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 15.04. (CVE-2015-5225) It was discovered that QEMU incorrectly handled the virtio-serial device. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-5745). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 85683
    published 2015-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85683
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 : qemu, qemu-kvm vulnerabilities (USN-2724-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1479-1.NASL
    description xen was updated to fix the following security issues : - CVE-2015-5165: QEMU leak of uninitialized heap memory in rtl8139 device model (bsc#939712, XSA-140) - CVE-2015-5166: Use after free in QEMU/Xen block unplug protocol (bsc#939709, XSA-139) - CVE-2015-2751: Certain domctl operations could have be used to lock up the host (bsc#922709, XSA-127) - CVE-2015-3259: xl command line config handling stack overflow (bsc#935634, XSA-137) - CVE-2015-4164: DoS through iret hypercall handler (bsc#932996, XSA-136) - CVE-2015-5154: Host code execution via IDE subsystem CD-ROM (bsc#938344) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 85791
    published 2015-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85791
    title SUSE SLED11 / SLES11 Security Update : xen (SUSE-SU-2015:1479-1)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-1793.NASL
    description From Red Hat Security Advisory 2015:1793 : Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. (CVE-2015-5165) Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Donghai Zhu of Alibaba as the original reporter. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 85959
    published 2015-09-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85959
    title Oracle Linux 7 : qemu-kvm (ELSA-2015-1793)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150922_QEMU_KVM_ON_SL6_X.NASL
    description An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. (CVE-2015-5165) After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 86101
    published 2015-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86101
    title Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2015-15944.NASL
    description libxl fails to honour readonly flag on disks with qemu-xen [XSA-142 (possible fix)] ---- Use after free in QEMU/Xen block unplug protocol [XSA-139, CVE-2015-5166] QEMU leak of uninitialized heap memory in rtl8139 device model [XSA-140, CVE-2015-5165] Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-10-19
    plugin id 86162
    published 2015-09-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86162
    title Fedora 22 : xen-4.5.1-8.fc22 (2015-15944)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1793.NASL
    description Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. (CVE-2015-5165) Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Donghai Zhu of Alibaba as the original reporter. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 85981
    published 2015-09-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85981
    title RHEL 7 : qemu-kvm (RHSA-2015:1793)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0051.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - kvm-Add-vga.h-unmodified-from-Linux.patch [bz#1331407] - kvm-vga.h-remove-unused-stuff-and-reformat.patch [bz#1331407] - kvm-vga-use-constants-from-vga.h.patch [bz#1331407] - kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patc h [bz#1331407] - kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710. patch [bz#1331407] - kvm-vga-add-vbe_enabled-helper.patch [bz#1331407] - kvm-vga-factor-out-vga-register-setup.patch [bz#1331407] - kvm-vga-update-vga-register-setup-on-vbe-changes.patch [bz#1331407] - kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac .patch - Resolves: bz#1331407 (EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-6.8.z]) - Revert 'warning when CPU threads>1 for non-Intel CPUs' fix - kvm-qemu-ga-implement-win32-guest-set-user-password.patc h [bz#1174181] - kvm-util-add-base64-decoding-function.patch [bz#1174181] - kvm-qga-convert-to-use-error-checked-base64-decode.patch [bz#1174181] - kvm-qga-use-more-idiomatic-qemu-style-eol-operators.patc h [bz#1174181] - kvm-qga-use-size_t-for-wcslen-return-value.patch [bz#1174181] - kvm-qga-use-wide-chars-constants-for-wchar_t-comparisons .patch - kvm-qga-fix-off-by-one-length-check.patch [bz#1174181] - kvm-qga-check-utf8-to-utf16-conversion.patch [bz#1174181] - Resolves: bz#1174181 (RFE: provide QEMU guest agent command for setting root account password (Linux guest)) - kvm-hw-qxl-qxl_send_events-nop-if-stopped.patch [bz#1290743] - kvm-block-mirror-fix-full-sync-mode-when-target-does-not .patch [bz#971312] - Resolves: bz#1290743 (qemu-kvm core dumped when repeat system_reset 20 times during guest boot) - Resolves: bz#971312 (block: Mirroring to raw block device doesn't zero out unused blocks) - Mon Feb 08 2016 Miroslav Rezanina < - 0.12.1.2-2.488.el6 - Fixed qemu-ga path configuration [bz#1213233] - Resolves: bz#1213233 ([virtagent] The default path '/etc/qemu/fsfreeze-hook' for 'fsfreeze-hook' script doesn't exist) - kvm-virtio-scsi-use-virtqueue_map_sg-when-loading-reques .patch - kvm-scsi-disk-fix-cmd.mode-field-typo.patch [bz#1249740] - Resolves: bz#1249740 (Segfault occurred at Dst VM while completed migration upon ENOSPC) - kvm-blockdev-Error-out-on-negative-throttling-option-val .patch - kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE .patch - Resolves: bz#1294619 (Guest should failed to boot if set iops,bps to negative number) - Resolves: bz#1298046 (CVE-2016-1714 qemu-kvm: Qemu: nvram: OOB r/w access in processing firmware configurations [rhel-6.8]) - kvm-Change-fsfreeze-hook-default-location.patch [bz#1213233] - kvm-qxl-replace-pipe-signaling-with-bottom-half.patch [bz#1290743] - Resolves: bz#1213233 ([virtagent] The default path '/etc/qemu/fsfreeze-hook' for 'fsfreeze-hook' script doesn't exist) - Resolves: bz#1290743 (qemu-kvm core dumped when repeat system_reset 20 times during guest boot) - kvm-qga-flush-explicitly-when-needed.patch [bz#1210246] - kvm-qga-add-guest-set-user-password-command.patch [bz#1174181] - kvm-qcow2-Zero-initialise-first-cluster-for-new-images.p atch [bz#1223216] - kvm-Documentation-Warn-against-qemu-img-on-active-image. patch [bz#1297424] - kvm-target-i386-warns-users-when-CPU-threads-1-for-non-I .patch - kvm-qemu-options-Fix-texinfo-markup.patch [bz#1250442] - kvm-qga-Fix-memory-allocation-pasto.patch [] - kvm-block-raw-posix-Open-file-descriptor-O_RDWR-to-work- .patch - Resolves: bz#1174181 (RFE: provide QEMU guest agent command for setting root/administrator account password) - Resolves: bz#1210246 ([virtagent]The 'write' content is lost if 'read' it before flush through guest agent) - Resolves: bz#1223216 (qemu-img can not create qcow2 image when backend is block device) - Resolves: bz#1250442 (qemu-doc.html bad markup in section 3.3 Invocation) - Resolves: bz#1268347 (posix_fallocate emulation on NFS fails with Bad file descriptor if fd is opened O_WRONLY) - Resolves: bz#1292678 (Qemu should report error when cmdline set threads=2 in amd host) - Resolves: bz#1297424 (Add warning about running qemu-img on active VMs to its manpage) - kvm-rtl8139-Fix-receive-buffer-overflow-check.patch [bz#1262866] - kvm-rtl8139-Do-not-consume-the-packet-during-overflow-in .patch - Resolves: bz#1262866 ([RHEL6] Package is 100% lost when ping from host to Win2012r2 guest with 64000 size) - kvm-qemu-kvm-get-put-MSR_TSC_AUX-across-reset-and-migrat .patch - kvm-qcow2-Discard-VM-state-in-active-L1-after-creating-s .patch - kvm-net-pcnet-add-check-to-validate-receive-data-size-CV .patch - kvm-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch [bz#1286567] - Resolves: bz#1219908 (Writing snapshots with 'virsh snapshot-create-as' command slows as more snapshots are created) - Resolves: bz#1265428 (contents of MSR_TSC_AUX are not migrated) - Resolves: bz#1286567 (CVE-2015-7512 qemu-kvm: Qemu: net: pcnet: buffer overflow in non-loopback mode [rhel-6.8]) - kvm-net-add-checks-to-validate-ring-buffer-pointers-CVE- .patch - Resolves: bz#1263275 (CVE-2015-5279 qemu-kvm: qemu: Heap overflow vulnerability in ne2000_receive function [rhel-6.8]) - kvm-virtio-rng-fix-segfault-when-adding-a-virtio-pci-rng .patch - kvm-qga-commands-posix-Fix-bug-in-guest-fstrim.patch [bz#1213236] - kvm-rtl8139-avoid-nested-ifs-in-IP-header-parsing-CVE-20 .patch - kvm-rtl8139-drop-tautologous-if-ip-.-statement-CVE-2015- .patch - kvm-rtl8139-skip-offload-on-short-Ethernet-IP-header-CVE .patch - kvm-rtl8139-check-IP-Header-Length-field-CVE-2015-5165.p atch [bz#1248763] - kvm-rtl8139-check-IP-Total-Length-field-CVE-2015-5165.pa tch [bz#1248763] - kvm-rtl8139-skip-offload-on-short-TCP-header-CVE-2015-51 .patch - kvm-rtl8139-check-TCP-Data-Offset-field-CVE-2015-5165.pa tch [bz#1248763] - Resolves: bz#1213236 ([virtagent] 'guest-fstrim' failed for guest with os on spapr-vscsi disk) - Resolves: bz#1230068 (Segmentation fault when re-adding virtio-rng-pci device) - Resolves: bz#1248763 (CVE-2015-5165 qemu-kvm: Qemu: rtl8139 uninitialized heap memory information leakage to guest [rhel-6.8])
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 91316
    published 2016-05-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91316
    title OracleVM 3.4 : qemu-kvm (OVMSA-2016-0051)
  • NASL family Misc.
    NASL id CITRIX_XENSERVER_CTX201717.NASL
    description The version of Citrix XenServer running on the remote host is affected by an information disclosure vulnerability due to improper validation of user-supplied input in the C+ mode offload emulation of the RTL8139 network card device model in QEMU. A remote attacker can exploit this to read process heap memory, resulting in the disclosure of sensitive information.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 85661
    published 2015-08-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85661
    title Citrix XenServer QEMU RTL8139 Guest Network Device Information Disclosure (CTX201717)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1740.NASL
    description Updated qemu-kvm-rhev packages that fix one security issue and one bug are now available for Red Hat Enterprise Virtualization. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM in environments managed by Red Hat Enterprise Virtualization Manager. An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. (CVE-2015-5165) Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Donghai Zhu of Alibaba as the original reporter. All users of qemu-kvm-rhev are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86000
    published 2015-09-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86000
    title RHEL 6 : qemu-kvm-rhev (RHSA-2015:1740)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-1833.NASL
    description Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. (CVE-2015-5165) Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Donghai Zhu of Alibaba as the original reporter. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86098
    published 2015-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86098
    title RHEL 6 : qemu-kvm (RHSA-2015:1833)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-1793.NASL
    description Updated qemu-kvm packages that fix one security issue are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. An information leak flaw was found in the way QEMU's RTL8139 emulation implementation processed network packets under RTL8139 controller's C+ mode of operation. An unprivileged guest user could use this flaw to read up to 65 KB of uninitialized QEMU heap memory. (CVE-2015-5165) Red Hat would like to thank the Xen project for reporting this issue. Upstream acknowledges Donghai Zhu of Alibaba as the original reporter. All qemu-kvm users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86512
    published 2015-10-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86512
    title CentOS 7 : qemu-kvm (CESA-2015:1793)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F06F20DC434711E593AD002590263BF5.NASL
    description The Xen Project reports : The QEMU model of the RTL8139 network card did not sufficiently validate inputs in the C+ mode offload emulation. This results in uninitialized memory from the QEMU process's heap being leaked to the domain as well as to the network. A guest may be able to read sensitive host-level data relating to itself which resides in the QEMU process. Such information may include things such as information relating to real devices backing emulated devices or passwords which the host administrator does not intend to share with the guest admin.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 85486
    published 2015-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=85486
    title FreeBSD : qemu, xen-tools -- QEMU leak of uninitialized heap memory in rtl8139 device model (f06f20dc-4347-11e5-93ad-002590263bf5)
redhat via4
advisories
  • bugzilla
    id 1248760
    title CVE-2015-5165 Qemu: rtl8139 uninitialized heap memory information leakage to guest (XSA-140)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment libcacard is earlier than 10:1.5.3-86.el7_1.6
          oval oval:com.redhat.rhsa:tst:20151793011
        • comment libcacard is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140704008
      • AND
        • comment libcacard-devel is earlier than 10:1.5.3-86.el7_1.6
          oval oval:com.redhat.rhsa:tst:20151793009
        • comment libcacard-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140704010
      • AND
        • comment libcacard-tools is earlier than 10:1.5.3-86.el7_1.6
          oval oval:com.redhat.rhsa:tst:20151793005
        • comment libcacard-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140704016
      • AND
        • comment qemu-img is earlier than 10:1.5.3-86.el7_1.6
          oval oval:com.redhat.rhsa:tst:20151793007
        • comment qemu-img is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345008
      • AND
        • comment qemu-kvm is earlier than 10:1.5.3-86.el7_1.6
          oval oval:com.redhat.rhsa:tst:20151793013
        • comment qemu-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345006
      • AND
        • comment qemu-kvm-common is earlier than 10:1.5.3-86.el7_1.6
          oval oval:com.redhat.rhsa:tst:20151793017
        • comment qemu-kvm-common is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20140704018
      • AND
        • comment qemu-kvm-tools is earlier than 10:1.5.3-86.el7_1.6
          oval oval:com.redhat.rhsa:tst:20151793015
        • comment qemu-kvm-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345010
    rhsa
    id RHSA-2015:1793
    released 2015-09-15
    severity Moderate
    title RHSA-2015:1793: qemu-kvm security fix update (Moderate)
  • bugzilla
    id 1248760
    title CVE-2015-5165 Qemu: rtl8139 uninitialized heap memory information leakage to guest (XSA-140)
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 6 Client is installed
        oval oval:com.redhat.rhsa:tst:20100842001
      • comment Red Hat Enterprise Linux 6 Server is installed
        oval oval:com.redhat.rhsa:tst:20100842002
      • comment Red Hat Enterprise Linux 6 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20100842003
      • comment Red Hat Enterprise Linux 6 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20100842004
    • OR
      • AND
        • comment qemu-guest-agent is earlier than 2:0.12.1.2-2.479.el6_7.1
          oval oval:com.redhat.rhsa:tst:20151833005
        • comment qemu-guest-agent is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20121234008
      • AND
        • comment qemu-img is earlier than 2:0.12.1.2-2.479.el6_7.1
          oval oval:com.redhat.rhsa:tst:20151833009
        • comment qemu-img is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345008
      • AND
        • comment qemu-kvm is earlier than 2:0.12.1.2-2.479.el6_7.1
          oval oval:com.redhat.rhsa:tst:20151833007
        • comment qemu-kvm is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345006
      • AND
        • comment qemu-kvm-tools is earlier than 2:0.12.1.2-2.479.el6_7.1
          oval oval:com.redhat.rhsa:tst:20151833011
        • comment qemu-kvm-tools is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20110345010
    rhsa
    id RHSA-2015:1833
    released 2015-09-22
    severity Moderate
    title RHSA-2015:1833: qemu-kvm security update (Moderate)
  • rhsa
    id RHSA-2015:1674
  • rhsa
    id RHSA-2015:1683
  • rhsa
    id RHSA-2015:1739
  • rhsa
    id RHSA-2015:1740
rpms
  • libcacard-10:1.5.3-86.el7_1.6
  • libcacard-devel-10:1.5.3-86.el7_1.6
  • libcacard-tools-10:1.5.3-86.el7_1.6
  • qemu-img-10:1.5.3-86.el7_1.6
  • qemu-kvm-10:1.5.3-86.el7_1.6
  • qemu-kvm-common-10:1.5.3-86.el7_1.6
  • qemu-kvm-tools-10:1.5.3-86.el7_1.6
  • qemu-guest-agent-2:0.12.1.2-2.479.el6_7.1
  • qemu-img-2:0.12.1.2-2.479.el6_7.1
  • qemu-kvm-2:0.12.1.2-2.479.el6_7.1
  • qemu-kvm-tools-2:0.12.1.2-2.479.el6_7.1
refmap via4
bid 76153
confirm
debian
  • DSA-3348
  • DSA-3349
fedora
  • FEDORA-2015-14361
  • FEDORA-2015-15944
  • FEDORA-2015-15946
sectrack 1033176
suse
  • SUSE-SU-2015:1421
  • SUSE-SU-2015:1643
Last major update 23-12-2016 - 21:59
Published 12-08-2015 - 10:59
Last modified 30-10-2018 - 12:26
Back to Top