Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT_UNPATCHED_QEMU-KVM-RHEL7.NASL
HistoryJun 03, 2024 - 12:00 a.m.

RHEL 7 : qemu-kvm (Unpatched Vulnerability)

2024-06-0300:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
rhel 7
qemu-kvm
unpatched vulnerability
buffer overflow
msi-x mmio
denial of service
null pointer dereference
redhat enterprise linux

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.141 Low

EPSS

Percentile

95.7%

JSON

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  • QEMU: net: ignore packets with large size (CVE-2018-17963)

  • Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0 allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.
    (CVE-2015-5745)

  • The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure to define the .write method. (CVE-2015-7549)

Note that Nessus has not tested for these issues but has instead relied on the package manager’s report that the package is installed.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory qemu-kvm. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(198727);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");

  script_cve_id(
    "CVE-2015-5745",
    "CVE-2015-7549",
    "CVE-2015-8504",
    "CVE-2015-8558",
    "CVE-2015-8567",
    "CVE-2015-8568",
    "CVE-2015-8613",
    "CVE-2016-1922",
    "CVE-2016-2198",
    "CVE-2016-2392",
    "CVE-2016-2538",
    "CVE-2016-2858",
    "CVE-2016-4037",
    "CVE-2016-6834",
    "CVE-2016-6888",
    "CVE-2016-7116",
    "CVE-2016-7421",
    "CVE-2016-7423",
    "CVE-2016-7907",
    "CVE-2016-7908",
    "CVE-2016-7909",
    "CVE-2016-8576",
    "CVE-2016-8909",
    "CVE-2016-9102",
    "CVE-2016-9103",
    "CVE-2016-9104",
    "CVE-2016-9105",
    "CVE-2016-9106",
    "CVE-2016-9907",
    "CVE-2016-9911",
    "CVE-2016-9923",
    "CVE-2016-10155",
    "CVE-2017-5973",
    "CVE-2017-6414",
    "CVE-2017-9373",
    "CVE-2017-9374",
    "CVE-2017-9375",
    "CVE-2017-10806",
    "CVE-2017-18043",
    "CVE-2018-10839",
    "CVE-2018-12617",
    "CVE-2018-17958",
    "CVE-2018-17963",
    "CVE-2019-8934",
    "CVE-2019-13164",
    "CVE-2020-13765",
    "CVE-2020-15469",
    "CVE-2020-25084",
    "CVE-2020-25741",
    "CVE-2020-25743",
    "CVE-2020-27617",
    "CVE-2021-3416",
    "CVE-2021-20257"
  );
  script_xref(name:"IAVB", value:"2020-B-0063-S");

  script_name(english:"RHEL 7 : qemu-kvm (Unpatched Vulnerability)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat 7 host is affected by multiple vulnerabilities that will not be patched.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple
vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - QEMU: net: ignore packets with large size (CVE-2018-17963)

  - Buffer overflow in the send_control_msg function in hw/char/virtio-serial-bus.c in QEMU before 2.4.0
    allows guest users to cause a denial of service (QEMU process crash) via a crafted virtio control message.
    (CVE-2015-5745)

  - The MSI-X MMIO support in hw/pci/msix.c in QEMU (aka Quick Emulator) allows local guest OS privileged
    users to cause a denial of service (NULL pointer dereference and QEMU process crash) by leveraging failure
    to define the .write method. (CVE-2015-7549)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package
is installed.");
  script_set_attribute(attribute:"solution", value:
"The vendor has acknowledged the vulnerabilities but no solution has been provided. Refer to the vendor for remediation
guidance.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-17963");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/06/03");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-guest-agent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-ma");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-rhev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:virtio-win");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item("global_settings/vendor_unpatched"))
exit(0, "Unpatched Vulnerabilities Detection not active.");

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'pkgs': [
      {'reference':'qemu-guest-agent', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'qemu-guest-agent', 'cves':['CVE-2015-5745', 'CVE-2018-12617']},
      {'reference':'qemu-kvm', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'qemu-kvm', 'cves':['CVE-2015-5745', 'CVE-2015-7549', 'CVE-2015-8504', 'CVE-2015-8558', 'CVE-2015-8567', 'CVE-2015-8568', 'CVE-2015-8613', 'CVE-2016-1922', 'CVE-2016-2198', 'CVE-2016-2392', 'CVE-2016-2538', 'CVE-2016-2858', 'CVE-2016-4037', 'CVE-2016-6834', 'CVE-2016-6888', 'CVE-2016-7116', 'CVE-2016-7421', 'CVE-2016-7423', 'CVE-2016-7907', 'CVE-2016-7908', 'CVE-2016-7909', 'CVE-2016-8576', 'CVE-2016-8909', 'CVE-2016-9102', 'CVE-2016-9103', 'CVE-2016-9104', 'CVE-2016-9105', 'CVE-2016-9106', 'CVE-2016-9907', 'CVE-2016-9911', 'CVE-2016-9923', 'CVE-2016-10155', 'CVE-2017-5973', 'CVE-2017-6414', 'CVE-2017-9373', 'CVE-2017-9374', 'CVE-2017-9375', 'CVE-2017-10806', 'CVE-2017-18043', 'CVE-2018-10839', 'CVE-2018-17958', 'CVE-2018-17963', 'CVE-2019-13164', 'CVE-2020-15469', 'CVE-2020-25084', 'CVE-2020-27617', 'CVE-2021-3416', 'CVE-2021-20257']},
      {'reference':'qemu-kvm-ma', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'qemu-kvm-ma', 'cves':['CVE-2019-8934', 'CVE-2019-13164', 'CVE-2020-15469', 'CVE-2020-25084', 'CVE-2020-27617']},
      {'reference':'qemu-kvm-rhev', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'qemu-kvm-rhev', 'cves':['CVE-2015-5745', 'CVE-2015-8558', 'CVE-2015-8613', 'CVE-2016-2198', 'CVE-2016-2392', 'CVE-2016-2538', 'CVE-2016-2858', 'CVE-2016-4037', 'CVE-2016-6834', 'CVE-2016-7116', 'CVE-2016-7421', 'CVE-2016-7423', 'CVE-2016-7907', 'CVE-2016-7908', 'CVE-2016-7909', 'CVE-2016-9102', 'CVE-2016-9103', 'CVE-2016-9104', 'CVE-2016-9105', 'CVE-2016-9106', 'CVE-2016-9923', 'CVE-2017-6414', 'CVE-2017-10806', 'CVE-2017-18043', 'CVE-2018-10839', 'CVE-2019-8934', 'CVE-2020-13765', 'CVE-2020-15469', 'CVE-2020-25084', 'CVE-2020-25741', 'CVE-2020-25743', 'CVE-2020-27617', 'CVE-2021-3416', 'CVE-2021-20257']},
      {'reference':'qemu-kvm-rhev', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'qemu-kvm-rhev', 'cves':['CVE-2015-7549', 'CVE-2015-8504', 'CVE-2016-10155', 'CVE-2017-9373']},
      {'reference':'virtio-win', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'unpatched_pkg':'virtio-win', 'cves':['CVE-2018-12617']}
    ]
  }
];


var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);
  foreach var pkg ( constraint_array['pkgs'] ) {
    var unpatched_pkg = NULL;
    var _release = NULL;
    var sp = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['unpatched_pkg'])) unpatched_pkg = pkg['unpatched_pkg'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (unpatched_pkg &&
        _release &&
        (!exists_check || rpm_exists(release:_release, rpm:exists_check)) &&
        unpatched_package_exists(release:_release, package:unpatched_pkg, cves: cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : unpatched_packages_report()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu-guest-agent / qemu-kvm / qemu-kvm-ma / qemu-kvm-rhev / etc');
}
VendorProductVersionCPE
redhatenterprise_linuxvirtio-winp-cpe:/a:redhat:enterprise_linux:virtio-win
redhatenterprise_linuxqemu-kvm-map-cpe:/a:redhat:enterprise_linux:qemu-kvm-ma
redhatenterprise_linuxqemu-guest-agentp-cpe:/a:redhat:enterprise_linux:qemu-guest-agent
redhatenterprise_linux7cpe:/o:redhat:enterprise_linux:7
redhatenterprise_linuxqemu-kvm-rhevp-cpe:/a:redhat:enterprise_linux:qemu-kvm-rhev
redhatenterprise_linuxqemu-kvmp-cpe:/a:redhat:enterprise_linux:qemu-kvm

References

Related

nessus 59
osv 7
openvas 53
debian 6
fedora 17
f5 2
gentoo 2
suse 13
redhat 2
ubuntu 3
freebsd 2
ubuntucve 6
cve 4
nvd 5
cvelist 3
debiancve 5
prion 2
ibm 1
citrix 1
mageia 2
oraclelinux 1
veracode 2
redhatcve 1
nessus
nessus
RHEL 6 : qemu-kvm (Unpatched Vulnerability)
2024-06-03 00:00:00
Debian DLA-698-1 : qemu security update
2016-11-04 00:00:00
EulerOS 2.0 SP2 : qemu-kvm (EulerOS-SA-2019-2431)
2019-12-04 00:00:00
osv
osv
qemu-kvm - security update
2016-10-30 00:00:00
qemu - security update
2016-11-03 00:00:00
qemu - security update
2018-11-29 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-689-1)
2023-03-08 00:00:00
Huawei EulerOS: Security Advisory for qemu-kvm (EulerOS-SA-2019-2431)
2020-01-23 00:00:00
Debian: Security Advisory (DLA-698-1)
2023-03-08 00:00:00
debian
debian
[SECURITY] [DLA 698-1] qemu security update
2016-11-03 14:43:45
[SECURITY] [DLA 1599-1] qemu security update
2018-11-30 14:28:32
[SECURITY] [DLA 689-1] qemu-kvm security update
2016-10-30 13:33:36
fedora
fedora
[SECURITY] Fedora 24 Update: xen-4.6.3-7.fc24
2016-11-10 03:33:10
[SECURITY] Fedora 23 Update: xen-4.5.5-3.fc23
2016-11-10 15:54:47
[SECURITY] Fedora 25 Update: xen-4.7.0-7.fc25
2016-11-19 21:36:03
f5
f5
SOL04755144 - Multiple QEMU vulnerabilities
2016-05-10 00:00:00
K04755144 : Multiple QEMU vulnerabilities
2016-05-10 00:00:00
gentoo
gentoo
QEMU: Multiple vulnerabilities
2016-11-18 00:00:00
QEMU: Multiple vulnerabilities
2016-04-02 00:00:00
suse
suse
Security update for qemu (important)
2016-12-02 21:06:55
Security update for qemu (important)
2016-11-29 14:07:08
Security update for qemu (important)
2016-12-12 19:18:29
redhat
redhat
(RHSA-2017:2392) Important: qemu-kvm-rhev security, bug fix, and enhancement update
2017-08-01 15:48:43
(RHSA-2017:2408) Moderate: qemu-kvm-rhev security and bug fix update
2017-08-01 20:47:32
ubuntu
ubuntu
QEMU vulnerabilities
2016-11-09 00:00:00
QEMU vulnerabilities
2016-02-03 00:00:00
QEMU vulnerabilities
2018-11-26 00:00:00
freebsd
freebsd
qemu -- denial of service vulnerability in VMWARE VMXNET3 NIC support
2015-12-15 00:00:00
qemu -- denial of service vulnerability in MegaRAID SAS HBA emulation
2015-12-21 00:00:00
ubuntucve
ubuntucve
CVE-2015-8568
2015-12-16 00:00:00
CVE-2016-4037
2016-04-20 00:00:00
CVE-2016-7907
2016-10-05 00:00:00
cve
cve
CVE-2016-4037
2016-05-23 19:59:06
CVE-2016-9103
2016-12-09 22:59:09
CVE-2018-17958
2018-10-09 22:29:00
nvd
nvd
CVE-2016-4037
2016-05-23 19:59:06
CVE-2016-8909
2016-11-04 21:59:09
CVE-2016-9103
2016-12-09 22:59:09
cvelist
cvelist
CVE-2016-4037
2016-05-23 19:00:00
CVE-2016-9102
2016-12-09 22:00:00
CVE-2015-8613
2017-04-11 19:00:00
debiancve
debiancve
CVE-2016-4037
2016-05-23 19:59:06
CVE-2015-8567
2017-04-13 17:59:00
CVE-2017-18043
2018-01-31 20:29:00
prion
prion
Design/Logic Flaw
2016-05-23 19:59:00
Out-of-bounds
2016-10-10 16:59:00
ibm
ibm
Security Bulletin: Vulnerabilities in Qemu affect PowerKVM
2018-06-18 01:35:35
citrix
citrix
Citrix Hypervisor Security Update
2021-06-23 11:06:42
mageia
mageia
Updated qemu packages fix security vulnerabilities
2016-01-17 03:26:26
Updated qemu packages fix security vulnerabilities
2016-05-18 23:14:22
oraclelinux
oraclelinux
qemu security update
2018-10-29 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-05-02 06:36:20
Denial Of Service (DoS)
2020-09-21 06:37:26
redhatcve
redhatcve
CVE-2017-18043
2020-03-29 01:56:50

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

6.8 Medium

AI Score

Confidence

High

0.141 Low

EPSS

Percentile

95.7%

JSON
Related for REDHAT_UNPATCHED_QEMU-KVM-RHEL7.NASL
nessus59osv7openvas53debian6fedora17f52gentoo2suse13redhat2ubuntu3freebsd2ubuntucve6cve4nvd5cvelist3debiancve5prion2ibm1citrix1mageia2oraclelinux1veracode2redhatcve1