Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.AL2_ALAS-2018-1034.NASL
HistoryJun 12, 2018 - 12:00 a.m.

Amazon Linux 2 : qemu-kvm (ALAS-2018-1034) (Spectre)

2018-06-1200:00:00
This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
28
JSON

An out-of-bounds read access issue was found in the VGA display emulator built into the Quick emulator (QEMU). It could occur while reading VGA memory to update graphics display. A privileged user/process inside guest could use this flaw to crash the QEMU process on the host resulting in denial of service situation.(CVE-2017-13672)

A memory leakage issue was found in the I/O channels websockets implementation of the Quick Emulator (QEMU). It could occur while sending screen updates to a client, which is slow to read and process them further. A privileged guest user could use this flaw to cause a denial of service on the host and/or potentially crash the QEMU process instance on the host.(CVE-2017-15268)

A use-after-free issue was found in the Slirp networking implementation of the Quick emulator (QEMU). It occurs when a Socket referenced from multiple packets is freed while responding to a message. A user/process could use this flaw to crash the QEMU process on the host resulting in denial of service.(CVE-2017-13711 )

Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA Emulator support, allows local guest OS privileged users to cause a denial of service (out-of-bounds access and QEMU process crash) by leveraging incorrect region calculation when updating VGA display.(CVE-2018-7858)

VNC server implementation in Quick Emulator (QEMU) was found to be vulnerable to an unbounded memory allocation issue, as it did not throttle the framebuffer updates sent to its client. If the client did not consume these updates, VNC server allocates growing memory to hold onto this data. A malicious remote VNC client could use this flaw to cause DoS to the server host.(CVE-2017-15124)

An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of Load & Store instructions (a commonly used performance optimization). It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory read from address to which a recent memory write has occurred may see an older value and subsequently cause an update into the microprocessor’s data cache even for speculatively executed instructions that never actually commit (retire). As a result, an unprivileged attacker could use this flaw to read privileged memory by conducting targeted cache side-channel attacks.(CVE-2018-3639)

An out-of-bounds read access issue was found in the VGA emulator of QEMU. It could occur in vga_draw_text routine, while updating display area for a vnc client. A privileged user inside a guest could use this flaw to crash the QEMU process resulting in DoS.(CVE-2018-5683)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALAS-2018-1034.
#

include("compat.inc");

if (description)
{
  script_id(110451);
  script_version("1.2");
  script_cvs_date("Date: 2019/04/05 23:25:05");

  script_cve_id("CVE-2017-13672", "CVE-2017-13711", "CVE-2017-15124", "CVE-2017-15268", "CVE-2018-3639", "CVE-2018-5683", "CVE-2018-7858");
  script_xref(name:"ALAS", value:"2018-1034");

  script_name(english:"Amazon Linux 2 : qemu-kvm (ALAS-2018-1034) (Spectre)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux 2 host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"An out-of-bounds read access issue was found in the VGA display
emulator built into the Quick emulator (QEMU). It could occur while
reading VGA memory to update graphics display. A privileged
user/process inside guest could use this flaw to crash the QEMU
process on the host resulting in denial of service
situation.(CVE-2017-13672)

A memory leakage issue was found in the I/O channels websockets
implementation of the Quick Emulator (QEMU). It could occur while
sending screen updates to a client, which is slow to read and process
them further. A privileged guest user could use this flaw to cause a
denial of service on the host and/or potentially crash the QEMU
process instance on the host.(CVE-2017-15268)

A use-after-free issue was found in the Slirp networking
implementation of the Quick emulator (QEMU). It occurs when a Socket
referenced from multiple packets is freed while responding to a
message. A user/process could use this flaw to crash the QEMU process
on the host resulting in denial of service.(CVE-2017-13711 )

Quick Emulator (aka QEMU), when built with the Cirrus CLGD 54xx VGA
Emulator support, allows local guest OS privileged users to cause a
denial of service (out-of-bounds access and QEMU process crash) by
leveraging incorrect region calculation when updating VGA
display.(CVE-2018-7858)

VNC server implementation in Quick Emulator (QEMU) was found to be
vulnerable to an unbounded memory allocation issue, as it did not
throttle the framebuffer updates sent to its client. If the client did
not consume these updates, VNC server allocates growing memory to hold
onto this data. A malicious remote VNC client could use this flaw to
cause DoS to the server host.(CVE-2017-15124)

An industry-wide issue was found in the way many modern microprocessor
designs have implemented speculative execution of Load & Store
instructions (a commonly used performance optimization). It relies on
the presence of a precisely-defined instruction sequence in the
privileged code as well as the fact that memory read from address to
which a recent memory write has occurred may see an older value and
subsequently cause an update into the microprocessor's data cache even
for speculatively executed instructions that never actually commit
(retire). As a result, an unprivileged attacker could use this flaw to
read privileged memory by conducting targeted cache side-channel
attacks.(CVE-2018-3639)

An out-of-bounds read access issue was found in the VGA emulator of
QEMU. It could occur in vga_draw_text routine, while updating display
area for a vnc client. A privileged user inside a guest could use this
flaw to crash the QEMU process resulting in DoS.(CVE-2018-5683)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/AL2/ALAS-2018-1034.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Run 'yum update qemu-kvm' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:qemu-img");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:qemu-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:qemu-kvm-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:qemu-kvm-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:qemu-kvm-tools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/06/07");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/12");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"AL2", cpu:"x86_64", reference:"qemu-img-1.5.3-156.amzn2.2.3")) flag++;
if (rpm_check(release:"AL2", cpu:"x86_64", reference:"qemu-kvm-1.5.3-156.amzn2.2.3")) flag++;
if (rpm_check(release:"AL2", cpu:"x86_64", reference:"qemu-kvm-common-1.5.3-156.amzn2.2.3")) flag++;
if (rpm_check(release:"AL2", cpu:"x86_64", reference:"qemu-kvm-debuginfo-1.5.3-156.amzn2.2.3")) flag++;
if (rpm_check(release:"AL2", cpu:"x86_64", reference:"qemu-kvm-tools-1.5.3-156.amzn2.2.3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "qemu-img / qemu-kvm / qemu-kvm-common / qemu-kvm-debuginfo / etc");
}
VendorProductVersionCPE
amazonlinuxqemu-imgp-cpe:/a:amazon:linux:qemu-img
amazonlinuxqemu-kvmp-cpe:/a:amazon:linux:qemu-kvm
amazonlinuxqemu-kvm-commonp-cpe:/a:amazon:linux:qemu-kvm-common
amazonlinuxqemu-kvm-debuginfop-cpe:/a:amazon:linux:qemu-kvm-debuginfo
amazonlinuxqemu-kvm-toolsp-cpe:/a:amazon:linux:qemu-kvm-tools
amazonlinux2cpe:/o:amazon:linux:2

Related

nessus 75
openvas 20
amazon 3
centos 4
redhat 20
oraclelinux 8
suse 3
redhatcve 6
fedora 6
ubuntu 2
debiancve 6
veracode 6
prion 6
cve 6
osv 9
debian 3
ubuntucve 6
ibm 3
f5 2
virtuozzo 1
gentoo 1
kaspersky 1
zdt 1
photon 1
nessus
nessus
Amazon Linux AMI : qemu-kvm (ALAS-2018-1034) (Spectre)
2018-06-12 00:00:00
EulerOS 2.0 SP3 : qemu-kvm (EulerOS-SA-2018-1201)
2018-07-03 00:00:00
EulerOS 2.0 SP1 : qemu-kvm (EulerOS-SA-2018-1144)
2018-05-29 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for qemu-kvm (EulerOS-SA-2018-1201)
2020-01-23 00:00:00
Huawei EulerOS: Security Advisory for qemu-kvm (EulerOS-SA-2018-1144)
2020-01-23 00:00:00
Huawei EulerOS: Security Advisory for qemu-kvm (EulerOS-SA-2018-1113)
2020-01-23 00:00:00
amazon
amazon
Important: qemu-kvm
2018-06-08 18:29:00
Important: qemu-kvm
2018-06-07 23:41:00
Important: java-1.7.0-openjdk
2018-06-08 18:32:00
centos
centos
qemu security update
2018-04-26 17:50:14
qemu security update
2018-07-13 16:56:49
qemu security update
2018-05-30 18:24:29
redhat
redhat
(RHSA-2018:0816) Low: qemu-kvm security, bug fix, and enhancement update
2018-04-10 05:01:42
(RHSA-2018:2162) Important: qemu-kvm security update
2018-07-10 15:33:41
(RHSA-2018:1113) Moderate: qemu-kvm-rhev security and bug fix update
2018-04-11 17:35:52
oraclelinux
oraclelinux
qemu-kvm security, bug fix, and enhancement update
2018-04-16 00:00:00
qemu-kvm security update
2018-07-10 00:00:00
qemu-kvm security update
2018-05-14 00:00:00
suse
suse
Security update for qemu (important)
2017-11-03 00:08:15
Security update for qemu (important)
2017-11-07 06:09:17
Security update for libvirt (important)
2018-06-09 15:07:56
redhatcve
redhatcve
CVE-2017-15268
2017-10-12 20:49:03
CVE-2017-15124
2017-12-19 09:49:40
CVE-2017-13711
2020-04-05 16:53:34
fedora
fedora
[SECURITY] Fedora 27 Update: qemu-2.10.1-4.fc27
2018-07-06 15:45:59
[SECURITY] Fedora 27 Update: qemu-2.10.2-1.fc27
2018-08-24 07:15:55
[SECURITY] Fedora 26 Update: qemu-2.9.1-2.fc26
2017-11-07 22:20:31
ubuntu
ubuntu
QEMU vulnerabilities
2018-02-20 00:00:00
QEMU regression
2018-03-05 00:00:00
debiancve
debiancve
CVE-2017-13711
2017-09-01 13:29:00
CVE-2017-15124
2018-01-09 21:29:00
CVE-2017-15268
2017-10-12 15:29:00
veracode
veracode
Denial Of Service (DoS)
2019-05-16 02:53:05
Denial Of Service (DoS)
2019-05-16 02:53:04
Denial Of Service (DoS)
2019-05-16 02:53:05
prion
prion
Memory corruption
2017-10-12 15:29:00
Design/Logic Flaw
2017-09-01 13:29:00
Design/Logic Flaw
2018-01-09 21:29:00
cve
cve
CVE-2017-15268
2017-10-12 15:29:00
CVE-2017-13711
2017-09-01 13:29:00
CVE-2017-15124
2018-01-09 21:29:00
osv
osv
qemu - security update
2017-10-03 00:00:00
CVE-2017-13711
2017-09-01 13:29:00
CVE-2017-15124
2018-01-09 21:29:00
debian
debian
[SECURITY] [DSA 3991-1] qemu security update
2017-10-03 21:33:55
[SECURITY] [DSA 4213-1] qemu security update
2018-05-29 21:25:45
[SECURITY] [DSA 4213-1] qemu security update
2018-05-29 21:26:07
ubuntucve
ubuntucve
CVE-2017-15124
2018-01-09 00:00:00
CVE-2017-15268
2017-10-12 00:00:00
CVE-2017-13711
2017-09-01 00:00:00
ibm
ibm
Security Bulletin: App Connect Professional is affected by Quick Emulator vulnerability
2022-02-21 04:46:26
Security Bulletin: IBM Cloud Manager is affected by the vulnerabilities known as SpectreNG (CVE-2018-3639)
2018-08-08 04:13:55
Security Bulletin: IBM has released the following fixes for AIX and VIOS in response to Speculative Store Bypass (SSB), also known as Variant 4.
2018-08-17 23:06:03
f5
f5
K23893104 : QEMU vulnerability CVE-2017-13672
2020-12-17 00:00:00
K51543541 : QEMU vulnerability CVE-2018-7858
2020-12-17 00:00:00
virtuozzo
virtuozzo
Product update: Virtuozzo 7.0 Update 5 Hotfix 3 (7.0.5-646)
2017-09-28 00:00:00
gentoo
gentoo
QEMU: Multiple vulnerabilities
2018-04-08 00:00:00
kaspersky
kaspersky
KLA11893 Microsoft Advisory for Microsoft Products (ESU)
2018-05-21 00:00:00
zdt
zdt
AMD / ARM / Intel - Speculative Execution Variant 4 Speculative Store Bypass Exploit
2018-05-23 00:00:00
photon
photon
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-1.0-0151
2018-06-22 00:00:00
JSON
Related for AL2_ALAS-2018-1034.NASL
nessus75openvas20amazon3centos4redhat20oraclelinux8suse3redhatcve6fedora6ubuntu2debiancve6veracode6prion6cve6osv9debian3ubuntucve6ibm3f52virtuozzo1gentoo1kaspersky1zdt1photon1