Security Bulletin: Vulnerabilities in Qemu-kvm affect IBM SmartCloud Entry

Summary

IBM SmartCloud Entry is vulnerable to Qemu-kvm vulnerabilities. Attackers could overflow a buffer and execute arbitrary code on the system or cause the application to crash, or could exploit these vulnerabilities to gain elevated privileges on the host system or cause a denial of service, modify access modes and execute arbitrary code on the system with the privileges of the Qemu process, or cause a denial of service.

CVE-2015-7512 CVE-2015-7504 CVE-2016-1714 CVE-2016-3710 CVE-2016-5403

Vulnerability Details

CVEID: CVE-2015-7504**
DESCRIPTION:** Xen is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the QEMU PCNET controller. By sending a specially crafted packet while in the loopback mode, a local attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108358 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2015-7512**
DESCRIPTION:** Qemu is vulnerable to a buffer overflow, caused by improper bounds checking by the AMD PC-Net II emulator. By sending specially crafted packets, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108362 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-1714**
DESCRIPTION:** QEMU could allow a local attacker to gain elevated privileges on the system, caused by an out-of-bounds read/write access error when processing firmware configurations. An attacker with CAP_SYS_RAWIO capabilities could exploit this vulnerability to gain elevated privileges on the host system or cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110305 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-3710**
DESCRIPTION:** Xen could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict banked access to video memory by the Qemu VGA module. By setting the bank register, an attacker could exploit this vulnerability to modify access modes and execute arbitrary code on the system with the privileges of the Qemu process.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113038 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-5403**
DESCRIPTION:** Xen is vulnerable to a denial of service, caused by an unbounded memory allocation in QEMU. By sending a specially crafted virtio request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115591 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM SmartCloud Entry 3.1.0 through 3.1.0.4 Appliance fix pack 22
IBM SmartCloud Entry 3.2.0 through 3.2.0.4 Appliance fix pack 22

Remediation/Fixes

http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=3.1.0.4-IBM-SCE_APPL-FP23&source=SAR
IBM SmartCloud Entry| 3.2| None| IBM SmartCloud Entry 3.2.0 Appliance Fixpack 23:

http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=3.2.0.4-IBM-SCE_APPL-FP23&source=SAR

Workarounds and Mitigations

None