ID CVE-2017-15289
Summary The mode4and5 write functions in hw/display/cirrus_vga.c in Qemu allow local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation.
References
Vulnerable Configurations
  • QEMU
    cpe:2.3:a:qemu:qemu
CVSS
Base: 2.1
Impact:
Exploitability:
CWE CWE-787
CAPEC
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3212-1.NASL
    description This update for xen fixes several issues. These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking (bsc#1061081). - CVE-2017-15592: x86 HVM guest OS users were able to cause a DoS (hypervisor crash) or possibly gain privileges because self-linear shadow mappings were mishandled for translated guests (bsc#1061086). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 105033
    published 2017-12-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105033
    title SUSE SLES11 Security Update : xen (SUSE-SU-2017:3212-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1321.NASL
    description This update for xen to version 4.9.1 (bsc#1027519) fixes several issues. This new feature was added : - Support migration of HVM domains larger than 1 TB These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). This non-security issue was fixed : - bsc#1055047: Fixed --initrd-inject option in virt-install This update was imported from the SUSE:SLE-12-SP3:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 105221
    published 2017-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105221
    title openSUSE Security Update : xen (openSUSE-2017-1321)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-0516.NASL
    description From Red Hat Security Advisory 2018:0516 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Qemu: cirrus: OOB access issue in mode4and5 write functions (CVE-2017-15289) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-03-14
    plugin id 108321
    published 2018-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108321
    title Oracle Linux 6 : qemu-kvm (ELSA-2018-0516)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2018-0025.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - kvm-cirrus-fix-oob-access-in-mode4and5-write-functions.p atch [bz#1501296] - Resolves: bz#1501296   (CVE-2017-15289 qemu-kvm: Qemu: cirrus: OOB access issue in mode4and5 write functions [rhel-6.9.z])
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 108360
    published 2018-03-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108360
    title OracleVM 3.4 : qemu-kvm (OVMSA-2018-0025)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-3369.NASL
    description An update for qemu-kvm-rhev is now available for Red Hat Enterprise Virtualization (RHEV) 4.X, Red Hat Enterprise Virtualization Hypervisor (RHEV-H) and Agents for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm-rhev packages provide the user-space component for running virtual machines that use KVM in environments managed by Red Hat products. Security Fix(es) : * Quick Emulator (QEMU), compiled with qemu_map_ram_ptr to access guests' RAM block area, is vulnerable to an OOB r/w access issue. The crash can occur if a privileged user inside a guest conducts certain DMA operations, resulting in a DoS. (CVE-2017-11334) * Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167) * Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289) Red Hat would like to thank Alex for reporting CVE-2017-11334; Thomas Garnier (Google.com) for reporting CVE-2017-14167; and Guoxiang Niu (Huawei.com) for reporting CVE-2017-15289. Bug Fix(es) : * Improvements made for qemu 2.9 to the NBD code used during live storage migration were not robust to an abrupt exit of the other end of the connection; the result was that live migration could fail if the source side NBD connection failed. The NBD code has been fixed to be more robust regardless of what the other side of the connection does. (BZ#1495474)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 104987
    published 2017-12-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104987
    title RHEL 7 : qemu-kvm-rhev (RHSA-2017:3369)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-3368.NASL
    description An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167) * Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289) Red Hat would like to thank Thomas Garnier (Google.com) for reporting CVE-2017-14167 and Guoxiang Niu (Huawei.com) for reporting CVE-2017-15289.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 105057
    published 2017-12-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105057
    title CentOS 7 : qemu-kvm (CESA-2017:3368)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3368.NASL
    description From Red Hat Security Advisory 2017:3368 : An update for qemu-kvm is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm package provides the user-space component for running virtual machines that use KVM. Security Fix(es) : * Quick Emulator (QEMU), compiled with the PC System Emulator with multiboot feature support, is vulnerable to an OOB r/w memory access issue. The issue could occur due to an integer overflow while loading a kernel image during a guest boot. A user or process could use this flaw to potentially achieve arbitrary code execution on a host. (CVE-2017-14167) * Quick emulator (QEMU), compiled with the Cirrus CLGD 54xx VGA Emulator support, is vulnerable to an OOB write access issue. The issue could occur while writing to VGA memory via mode4and5 write functions. A privileged user inside guest could use this flaw to crash the QEMU process resulting in Denial of Serivce (DoS). (CVE-2017-15289) Red Hat would like to thank Thomas Garnier (Google.com) for reporting CVE-2017-14167 and Guoxiang Niu (Huawei.com) for reporting CVE-2017-15289.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 104948
    published 2017-12-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104948
    title Oracle Linux 7 : qemu-kvm (ELSA-2017-3368)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1322.NASL
    description This update for xen to version 4.7.4 (bsc#1027519) fixes several issues. This new feature was added : - Support migration of HVM domains larger than 1 TB These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). This non-security issue was fixed : - bsc#1055047: Fixed --initrd-inject option in virt-install This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 105222
    published 2017-12-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105222
    title openSUSE Security Update : xen (openSUSE-2017-1322)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-0516.NASL
    description An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Qemu: cirrus: OOB access issue in mode4and5 write functions (CVE-2017-15289) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108343
    published 2018-03-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108343
    title CentOS 6 : qemu-kvm (CESA-2018:0516)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0516.NASL
    description An update for qemu-kvm is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kernel-based Virtual Machine (KVM) is a full virtualization solution for Linux on a variety of architectures. The qemu-kvm packages provide the user-space component for running virtual machines that use KVM. Security Fix(es) : * Qemu: cirrus: OOB access issue in mode4and5 write functions (CVE-2017-15289) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 108331
    published 2018-03-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108331
    title RHEL 6 : qemu-kvm (RHSA-2018:0516)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4213.NASL
    description Several vulnerabilities were discovered in qemu, a fast processor emulator. - CVE-2017-15038 Tuomas Tynkkynen discovered an information leak in 9pfs. - CVE-2017-15119 Eric Blake discovered that the NBD server insufficiently restricts large option requests, resulting in denial of service. - CVE-2017-15124 Daniel Berrange discovered that the integrated VNC server insufficiently restricted memory allocation, which could result in denial of service. - CVE-2017-15268 A memory leak in websockets support may result in denial of service. - CVE-2017-15289 Guoxiang Niu discovered an OOB write in the emulated Cirrus graphics adaptor which could result in denial of service. - CVE-2017-16845 Cyrille Chatras discovered an information leak in PS/2 mouse and keyboard emulation which could be exploited during instance migration. - CVE-2017-17381 Dengzhan Heyuandong Bijunhua and Liweichao discovered that an implementation error in the virtio vring implementation could result in denial of service. - CVE-2017-18043 Eric Blake discovered an integer overflow in an internally used macro which could result in denial of service. - CVE-2018-5683 Jiang Xin and Lin ZheCheng discovered an OOB memory access in the emulated VGA adaptor which could result in denial of service. - CVE-2018-7550 Cyrille Chatras discovered that an OOB memory write when using multiboot could result in the execution of arbitrary code. This update also backports a number of mitigations against the Spectre v2 vulnerability affecting modern CPUs (CVE-2017-5715 ). For additional information please refer to https://www.qemu.org/2018/01/04/spectre/
    last seen 2019-02-21
    modified 2018-11-13
    plugin id 110208
    published 2018-05-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=110208
    title Debian DSA-4213-1 : qemu - security update (Spectre)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-3239-1.NASL
    description This update for xen fixes several issues. These security issues were fixed : - bsc#1068187: Failure to recognize errors in the Populate on Demand (PoD) code allowed for DoS (XSA-246) - bsc#1068191: Missing p2m error checking in PoD code allowed unprivileged guests to retain a writable mapping of freed memory leading to information leaks, privilege escalation or DoS (XSA-247). - CVE-2017-15289: The mode4and5 write functions allowed local OS guest privileged users to cause a denial of service (out-of-bounds write access and Qemu process crash) via vectors related to dst calculation (bsc#1063123) - CVE-2017-15597: A grant copy operation being done on a grant of a dying domain allowed a malicious guest administrator to corrupt hypervisor memory, allowing for DoS or potentially privilege escalation and information leaks (bsc#1061075). - CVE-2017-15595: x86 PV guest OS users were able to cause a DoS (unbounded recursion, stack consumption, and hypervisor crash) or possibly gain privileges via crafted page-table stacking (bsc#1061081). - CVE-2017-15592: x86 HVM guest OS users were able to cause a DoS (hypervisor crash) or possibly gain privileges because self-linear shadow mappings were mishandled for translated guests (bsc#1061086). - CVE-2017-13672: The VGA display emulator support allowed local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors involving display update (bsc#1056336) The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 105148
    published 2017-12-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105148
    title SUSE SLES12 Security Update : xen (SUSE-SU-2017:3239-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180313_QEMU_KVM_ON_SL6_X.NASL
    description Security Fix(es) : - Qemu: cirrus: OOB access issue in mode4and5 write functions (CVE-2017-15289)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 108366
    published 2018-03-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108366
    title Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2946-1.NASL
    description