Security Bulletin: Multiple vulnerabilities in qemu affect PowerKVM

Published by IBM (www.ibm.com) on 2018-06-18 01:33:29

CVSS3: 9.8 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 7.8 High
AV:N/AC:L/Au:N/C:N/I:N/A:C
Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: NONE; Availability Impact: COMPLETE

Summary

PowerKVM is affected by several vulnerabilities in qemu. These vulnerabilities have been addressed by IBM.

Vulnerability Details

**CVEID:** CVE-2016-5338
**DESCRIPTION:** Qemu, built with the ESP/NCR53C9x controller emulation support, is vulnerable to a denial of service, caused by an out-of-bounds read or write error in the esp_reg_read() or esp_reg_write() routines. By reading from or writing to the information transfer buffer, an authenticated attacker could exploit this vulnerability to cause the Qemu process to crash or possibly execute arbitrary code with elevated privileges on the system.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113965 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2016-5238
**DESCRIPTION:** Qemu, built with the ESP/NCR53C9x controller emulation support, is vulnerable to a denial of service, caused by an out-of-bounds write error in the get_cmd() routine. By reading from the information transfer buffer in non-DMA mode, an authenticated attacker could exploit this vulnerability to cause the Qemu process to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113745 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2016-5337
**DESCRIPTION:** Qemu, built with the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support, is vulnerable to a denial of service, caused by an information leak in megasas_ctrl_get_info(). By issuing a MegaRAID Firmware Interface (MFI) command that reads device control information, a remote authenticated attacker could exploit this vulnerability to leak host memory bytes.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113966 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2016-5126
**DESCRIPTION:** Qemu, built with the block driver for iSCSI images (virtio-blk), is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when processing iSCSI asynchronous I/O ioctl(2) calls. By sending an ioctl call, a remote attacker from within the local network could overflow a buffer and execute arbitrary code on the system or cause the Qemu process to crash.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113598 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2016-4441
**DESCRIPTION:** Qemu, built with the ESP/NCR53C9x controller emulation support, is vulnerable to a denial of service, caused by an out-of-bounds write error while writing to s->cmdbuf in get_cmd(). A local authenticated attacker could exploit this vulnerability to cause the Qemu process to crash.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113426 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2016-4439
**DESCRIPTION:** Qemu, built with the ESP/NCR53C9x controller emulation support, is vulnerable to a denial of service, caused by an out-of-bounds write error while writing to the command buffer in esp_reg_write(). A local authenticated attacker could exploit this vulnerability to cause the Qemu process to crash or execute arbitrary code on the QEMU host.
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113428 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2016-4037
**DESCRIPTION:** QEMU is vulnerable to a denial of service, caused by an error in the ehci_advance_state() function in hw/usb/hcd-ehci.c. By using a circular split isochronous transfer descriptor (siTD) list, a local authenticated attacker could exploit this vulnerability to consume CPU resources and cause the application to enter an infinite loop.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113582 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2016-4020
**DESCRIPTION:** Qemu, built with the Task Priority Register (TPR) optimizations for 32-bit Windows guests, is vulnerable to a denial of service, caused by an information leak. By accessing the Task Priority Register (TPR), a remote attacker could exploit this vulnerability to leak host memory bytes.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112267 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2016-4002
**DESCRIPTION:** Qemu, built with the MIPSnet controller emulator, is vulnerable to a buffer overflow, caused by improper bounds checking in mipsnet_receive() when receiving network packets. A remote attacker could overflow a buffer and execute arbitrary code on the system or cause the Qemu process to crash.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112135 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2016-4001
**DESCRIPTION:** Qemu, built with the Luminary Micro Stellaris Ethernet Controller emulation, is vulnerable to a buffer overflow, caused by improper bounds checking in stellaris_enet_receive() when receiving network packets. A remote attacker could overflow a buffer and execute arbitrary code on the system or cause the Qemu process to crash.
CVSS Base Score: 5.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112134 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2016-3710
**DESCRIPTION:** Xen could allow a local attacker to gain elevated privileges on the system, caused by the failure to restrict banked access to video memory by the Qemu VGA module. By setting the bank register, an attacker could exploit this vulnerability to modify access modes and execute arbitrary code on the system with the privileges of the Qemu process.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113038 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2016-2858
**DESCRIPTION:** Qemu, built with the Pseudo Random Number Generator (PRNG) back-end support, is vulnerable to a denial of service, caused by an error in the rng-random implementation. By sending a specially crafted request to the rng-random implementation, an attacker could exploit this vulnerability to cause the Qemu process to crash.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111402 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2016-2857
**DESCRIPTION:** Qemu, built with the IP checksum routines, is vulnerable to a denial of service, caused by an out-of-bounds read error in the net_checksum_calculate() function. By sending TCP/UDP packets, a remote attacker could exploit this vulnerability to cause the Qemu process to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111313 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2016-2841
**DESCRIPTION:** Qemu, built with the NE2000 NIC emulation support, is vulnerable to a denial of service, caused by an error when receiving packets over the network. An authenticated attacker could exploit this vulnerability to cause the Qemu process to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111283 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2016-2538
**DESCRIPTION:** Qemu, built with the USB Net device emulation support, is vulnerable to a denial of service, caused by an integer overflow when processing remote NDIS control message packets. An attacker could exploit this vulnerability to cause the Qemu process to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110926 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2016-2392
**DESCRIPTION:** Qemu, built with the USB Net device emulation support, is vulnerable to a denial of service, caused by a NULL pointer dereference when handling the remote NDIS control message. By sending NDIS control message packets, a remote authenticated attacker could exploit this vulnerability to cause the Qemu process to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110684 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2016-2391
**DESCRIPTION:** Qemu, built with the USB OHCI emulation support, is vulnerable to a denial of service, caused by a NULL pointer dereference when OHCI transitions to the OHCI_USB_OPERATIONAL state. A remote authenticated attacker could exploit this vulnerability to create multiple eof timers and cause the Qemu process to crash.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110685 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2016-1714
**DESCRIPTION:** QEMU could allow a local attacker to gain elevated privileges on the system, caused by an out-of-bounds read/write access error when processing firmware configurations. An attacker with CAP_SYS_RAWIO capabilities could exploit this vulnerability to gain elevated privileges on the host system or cause a denial of service.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110305 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2016-1568
**DESCRIPTION:** QEMU could allow a local attacker to gain elevated privileges on the system, caused by a use-after-free when processing malicious commands. By sending a specially crafted AHCI Native Command Queuing AIO command, an attacker could exploit this vulnerability to execute arbitrary code with elevated privileges or cause the QEMU process to crash.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110304 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)

**CVEID:** CVE-2015-8558
**DESCRIPTION:** Qemu, built with the USB EHCI emulation support, is vulnerable to a denial of service, caused by an error during communication between the host controller interface (EHCI) and a respective device driver. A remote attacker could exploit this vulnerability to cause the application to enter an infinite loop.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/109153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2015-7512
**DESCRIPTION:** Qemu is vulnerable to a buffer overflow, caused by improper bounds checking by the AMD PC-Net II emulator. By sending specially crafted packets, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/108362 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

**CVEID:** CVE-2015-5158
**DESCRIPTION:** QEMU, built with the SCSI device emulation support, is vulnerable to a denial of service, caused by a stack-based buffer overflow when parsing a SCSI command descriptor block with an invalid operation code. A local authenticated attacker could exploit this vulnerability to overflow a buffer and cause the Qemu instance to crash.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105008 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)

**CVEID:** CVE-2015-1779
**DESCRIPTION:** QEMU is vulnerable to a denial of service, caused by an error when processing incoming frames in the websocket frame decoder. A remote attacker from within the local network with access to a guest's VNC console could exploit this vulnerability to exhaust all available CPU and memory resources.
CVSS Base Score: 5.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101834 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:M/Au:N/C:N/I:N/A:C)

**CVEID:** CVE-2015-6855
**DESCRIPTION:** Qemu is vulnerable to a denial of service, caused by a divide-by-zero error within an emulator built with IDE disk and CD/DVD-ROM emulation support when executing IDE's WIN_READ_NATIVE_MAX command. A remote authenticated attacker could exploit this vulnerability to cause the QEMU instance to crash.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/106313 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)

**CVEID:** CVE-2015-7295
**DESCRIPTION:** Qemu is vulnerable to a denial of service, caused by an error within an emulator built with Virtual Network Device (virtio-net) support. By sending overly large jumbo frames, a remote attacker from within the local network could exploit this vulnerability to disable the guest's networking and exhaust all receive buffers.
CVSS Base Score: 4.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107016 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L)

Affected Products and Versions

PowerKVM v2.1 and v3.1

Remediation/Fixes

Customers can update PowerKVM systems by using “yum update”.

Fix images are made available via Fix Central. For version 3.1, see https://ibm.biz/BdHggw for 3.1.0.2 update 1 or later.

For version 2.1, see PowerKVM 2.1.1.3-65 update 11 at https://ibm.biz/BdEnT8 or later. Customers running v2.1 are, in any case, encouraged to upgrade to v3.1.

For v2.1 systems currently running fix levels of PowerKVM prior to 2.1.1, see http://download4.boulder.ibm.com/sar/CMA/OSA/05e4c/0/README for prerequisite fixes and instructions.

Workarounds and Mitigations

None

CPE Name    Operator    Version
powerkvm    eq          2.1
powerkvm    eq          3.1
