Security Bulletin: Multiple vulnerabilities in qemu-kvm and libguestfs affect SmartCloud Entry (CVE-2016-9603 CVE-2017-2633 CVE-2017-7718 CVE-2017-7980 CVE-2015-8869)

Summary

Multiple vulnerabilitieshave been identified in qemu-kvm and libguestfs. Qemu-kvm and libguestfs shipped with IBM SmartCloud Entry Appliance. IBM SmartCloud Entry Appliance has addressed the vulnerabilities.

Vulnerability Details

CVE-2016-9603**
DESCRIPTION:** Xen is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the CIRRUS VGA emulator. By resizing the display refresh to be larger than before, a local authenticated attacker could overflow a buffer and execute arbitrary code on the host system with elevated privileges.
CVSS Base Score: 8.2
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123183 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)

CVEID: CVE-2017-2633**
DESCRIPTION:** QEMU is vulnerable to a denial of service, caused by an out-of-bounds memory access error in VNC display driver support while refreshing the VNC display surface area in the ‘vnc_refresh_server_surface’. A remote attacker from with the local network could exploit this vulnerability to corrupt memory and crash the QEMU process.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125932 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L)

CVEID: CVE-2017-7718**
DESCRIPTION:** QEMU (aka Quick Emulator) is vulnerable to a denial of service, caused by an out-of-bounds read flaw in hw/display/cirrus_vga_rop.h. By using vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions, a local authenticated attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125885 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-7980**
DESCRIPTION:** QEMU, built with the Cirrus CLGD 54xx VGA Emulator support, could allow a remote attacker from with the local network to execute arbitrary code on the system, caused by an out-of-bounds read and write access issue while copying VGA data using multiple bitblt function. An attacker could exploit this vulnerability to execute arbitrary code on the host with elevated privileges.
CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125934 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L)

CVEID:CVE-2015-8869**
DESCRIPTION:** OCaml is vulnerable to a buffer overflow, caused by improper bounds checking by the caml_bit_string function. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112826 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM SmartCloud Entry Appliance 3.1.0 through 3.1.0.4 fix pack 25,
IBM SmartCloud Entry Appliance 3.2.0 through 3.2.0.4 fix pack 25

Remediation/Fixes

Product

|

VRMF

|

APAR

|

Remediation/First Fix

—|—|—|—
IBM SmartCloud Entry| 3.1| None| IBM SmartCloud Entry Appliance 3.1.0.4 fix pack 26:

http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=3.1.0.4-IBM-SCE_APPL-FP26&source=SAR
IBM SmartCloud Entry| 3.2| None| IBM SmartCloud Entry Appliance 3.2.0.4 fix pack 26:

http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FIBM+SmartCloud+Entry&fixids=3.2.0.4-IBM-SCE_APPL-FP26&source=SAR

Workarounds and Mitigations

None