ID OPENVAS:1361412562310106915 Type openvas Reporter This script is Copyright (C) 2017 Greenbone Networks GmbH Modified 2017-08-16T00:00:00
Description
A number of security issues have been identified within Citrix XenServer.
These issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. The issues
have the identifiers:
CVE-2017-10920, CVE-2017-10921, CVE-2017-10922 (High): Grant table operations mishandle reference counts.
CVE-2017-10918 (High): Stale P2M mappings due to insufficient error checking.
CVE-2017-10912 (Medium): Page transfer may allow PV guest to elevate privilege.
CVE-2017-10913, CVE-2017-10914 (Medium): Races in the grant table unmap code.
CVE-2017-10915 (Medium): x86: insufficient reference counts during shadow emulation.
CVE-2017-10917 (Medium): NULL pointer deref in event channel poll.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: gb_xenserver_ctx224740.nasl 6928 2017-08-16 02:41:07Z ckuersteiner $
#
# Citrix XenServer Multiple Security Updates (CTX224740)
#
# Authors:
# Christian Kuersteiner <christian.kuersteiner@greenbone.net>
#
# Copyright:
# Copyright (c) 2017 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
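# CPE of the product this check targets; the detection phase below looks the
# detected version up under this key.
CPE = "cpe:/a:citrix:xenserver";

# Registration phase: when the scanner loads the script with `description`
# set, only the metadata is published and the script exits without scanning.
if (description)
{
  script_oid("1.3.6.1.4.1.25623.1.0.106915");
  script_version("$Revision: 6928 $");
  script_tag(name: "last_modification", value: "$Date: 2017-08-16 04:41:07 +0200 (Wed, 16 Aug 2017) $");
  script_tag(name: "creation_date", value: "2017-06-30 16:20:13 +0700 (Fri, 30 Jun 2017)");
  # CVSSv2 score/vector of the most severe CVE in the set (CVE-2017-10920 is
  # rated 10.0 AV:N by NVD); the remaining CVEs in the list are rated lower.
  script_tag(name: "cvss_base", value: "10.0");
  script_tag(name: "cvss_base_vector", value: "AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_cve_id("CVE-2017-10911", "CVE-2017-10912", "CVE-2017-10913", "CVE-2017-10914", "CVE-2017-10915",
                "CVE-2017-10917", "CVE-2017-10918", "CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10922");
  # QoD "package": the verdict rests on which hotfix identifiers are installed,
  # not on exercising any of the flaws themselves.
  script_tag(name: "qod_type", value: "package");
  script_tag(name: "solution_type", value: "VendorFix");
  script_name("Citrix XenServer Multiple Security Updates (CTX224740)");
  script_category(ACT_GATHER_INFO);
  script_copyright("This script is Copyright (C) 2017 Greenbone Networks GmbH");
  script_family("Citrix Xenserver Local Security Checks");
  # The version script populates both mandatory KB keys; without them this
  # check never runs, so a host with no XenServer detection is never reported.
  script_dependencies("gb_xenserver_version.nasl");
  script_mandatory_keys("xenserver/product_version","xenserver/patches");
  # Summary text mirrors the Citrix advisory; the structure named for
  # CVE-2017-10918 is the P2M (physical-to-machine) map and CVE-2017-10915 is
  # x86-specific, per the advisory titles.
  script_tag(name: "summary", value: "A number of security issues have been identified within Citrix XenServer.
These issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. The issues
have the identifiers:
- CVE-2017-10920, CVE-2017-10921, CVE-2017-10922 (High): Grant table operations mishandle reference counts.
- CVE-2017-10918 (High): Stale P2M mappings due to insufficient error checking.
- CVE-2017-10912 (Medium): Page transfer may allow PV guest to elevate privilege.
- CVE-2017-10913,CVE-2017-10914 (Medium): Races in the grant table unmap code.
- CVE-2017-10915 (Medium): x86: insufficient reference counts during shadow emulation.
- CVE-2017-10917 (Medium): NULL pointer deref in event channel poll.
- CVE-2017-10911 (Low): blkif responses leak backend stack data.");
  script_tag(name: "vuldetect", value: "Check the installed hotfixes.");
  script_tag(name: "affected", value: "XenServer versions 7.2, 7.1, 7.0, 6.5, 6.2.0, 6.0.2.");
  script_tag(name: "solution", value: "Apply the hotfix referenced in the advisory.");
  script_xref(name: "URL", value: "https://support.citrix.com/article/CTX224740");
  exit(0);
}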
include("citrix_version_func.inc");
include("host_details.inc");
include("misc_func.inc");

# Detection phase. Both inputs come from the KB entries that
# gb_xenserver_version.nasl registers; if either is missing there is
# nothing to compare against and the script ends without a result.
version = get_app_version(cpe: CPE);
if (!version)
  exit(0);

hotfixes = get_kb_item("xenserver/patches");
if (!hotfixes)
  exit(0);

# Hotfix identifiers that address CTX224740, keyed by the affected release.
# The comparison of the installed hotfix list against this table is done by
# report_if_citrix_xenserver_is_vulnerable() in citrix_version_func.inc.
patches = make_array(
  '7.2.0', make_list('XS72E001', 'XS72E002'),
  '7.1.0', make_list('XS71E011', 'XS71E012'),
  '7.0.0', make_list('XS70E035', 'XS70E036'),
  '6.5.0', make_list('XS65ESP1057', 'XS65ESP1058'),
  '6.2.0', make_list('XS62ESP1061', 'XS62ESP1062'),
  '6.0.2', make_list('XS602ECC045', 'XS602ECC046'));

report_if_citrix_xenserver_is_vulnerable(version: version, hotfixes: hotfixes, patches: patches);

# Reaching this point means no finding was reported above; 99 is the
# conventional "checked, nothing found" exit code for these scripts.
exit(99);
{"id": "OPENVAS:1361412562310106915", "bulletinFamily": "scanner", "title": "Citrix XenServer Multiple Security Updates (CTX224740)", "description": "A number of security issues have been identified within Citrix XenServer.\nThese issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. The issues\nhave the identifiers:\n\n- CVE-2017-10920, CVE-2017-10921, CVE-2017-10922 (High): Grant table operations mishandle reference counts.\n\n- CVE-2017-10918 (High): Stale P1M mappings due to insufficient error checking.\n\n- CVE-2017-10912 (Medium): Page transfer may allow PV guest to elevate privilege.\n\n- CVE-2017-10913,CVE-2017-10914 (Medium): Races in the grant table unmap code.\n\n- CVE-2017-10915 (Medium): x85: insufficient reference counts during shadow emulation.\n\n- CVE-2017-10917 (Medium): NULL pointer deref in event channel poll.\n\n- CVE-2017-10911 (Low): blkif responses leak backend stack data.", "published": "2017-06-30T00:00:00", "modified": "2017-08-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106915", "reporter": "This script is Copyright (C) 2017 Greenbone Networks GmbH", "references": ["https://support.citrix.com/article/CTX224740"], "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-10918", "CVE-2017-10911", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "type": "openvas", "lastseen": "2017-08-31T16:25:10", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": [], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "A number of security issues have been identified within Citrix XenServer.\nThese issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. 
The issues\nhave the identifiers:\n\n- CVE-TBA (High): Grant table operations mishandle reference counts.\n\n- CVE-TBA (High): Stale P1M mappings due to insufficient error checking.\n\n- CVE-TBA (Medium): Page transfer may allow PV guest to elevate privilege.\n\n- CVE-TBA (Medium): Races in the grant table unmap code.\n\n- CVE-TBA (Medium): x85: insufficient reference counts during shadow emulation.\n\n- CVE-TBA (Medium): NULL pointer deref in event channel poll.\n\n- CVE-TBA (Low): blkif responses leak backend stack data.", "edition": 1, "enchantments": {}, "hash": "d2a8a9ddc095a2380f2692c395875a92e84c37f00c902213454caa52094c69f5", "hashmap": [{"hash": "fae2914b08105247d1c398134e38e9a2", "key": "sourceData"}, {"hash": "34d8a75328683be1e03ea1de79387567", "key": "reporter"}, {"hash": "9564b1250a06eb1a494ab04295d2334a", "key": "modified"}, {"hash": "5b3ffa96845d67695f3a9a84aa63ae0f", "key": "naslFamily"}, {"hash": "9564b1250a06eb1a494ab04295d2334a", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "7f646885f704c38b2553fc75fd077810", "key": "pluginID"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "e4b78bd7f7dceb58d50c714a97e99127", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "8139d8c20e2b0595960a5d5c7a642855", "key": "href"}, {"hash": "3c02b66cb1e0a345cbb3fd8ccf541a96", "key": "title"}, {"hash": "261346e9be6ad16185ad0882a85e8c77", "key": "description"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106915", "id": "OPENVAS:1361412562310106915", "lastseen": "2017-07-17T10:56:23", "modified": "2017-06-30T00:00:00", "naslFamily": "Citrix Xenserver Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310106915", "published": "2017-06-30T00:00:00", "references": ["https://support.citrix.com/article/CTX224740"], "reporter": "This script is 
Copyright (C) 2017 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_xenserver_ctx224740.nasl 6496 2017-06-30 09:50:25Z ckuersteiner $\n#\n# Citrix XenServer Multiple Security Updates\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:citrix:xenserver\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106915\");\n script_version(\"$Revision: 6496 $\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-06-30 11:50:25 +0200 (Fri, 30 Jun 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-06-30 16:20:13 +0700 (Fri, 30 Jun 2017)\");\n script_tag(name: \"cvss_base\", value: \"7.2\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_name(\"Citrix XenServer Multiple Security Updates\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 
Greenbone Networks GmbH\");\n script_family(\"Citrix Xenserver Local Security Checks\");\n script_dependencies(\"gb_xenserver_version.nasl\");\n script_mandatory_keys(\"xenserver/product_version\",\"xenserver/patches\");\n\n script_tag(name: \"summary\", value: \"A number of security issues have been identified within Citrix XenServer.\nThese issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. The issues\nhave the identifiers:\n\n- CVE-TBA (High): Grant table operations mishandle reference counts.\n\n- CVE-TBA (High): Stale P1M mappings due to insufficient error checking.\n\n- CVE-TBA (Medium): Page transfer may allow PV guest to elevate privilege.\n\n- CVE-TBA (Medium): Races in the grant table unmap code.\n\n- CVE-TBA (Medium): x85: insufficient reference counts during shadow emulation.\n\n- CVE-TBA (Medium): NULL pointer deref in event channel poll.\n\n- CVE-TBA (Low): blkif responses leak backend stack data.\");\n\n script_tag(name: \"vuldetect\", value: \"Check the installed hotfixes.\");\n\n script_tag(name: \"affected\", value: \"XenServer versions 7.2, 7.1, 7.0, 6.5, 6.2.0, 6.0.2.\");\n\n script_tag(name: \"solution\", value: \"Apply the hotfix referenced in the advisory.\");\n\n script_xref(name: \"URL\", value: \"https://support.citrix.com/article/CTX224740\");\n\n exit(0);\n}\n\ninclude(\"citrix_version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nif (!hotfixes = get_kb_item(\"xenserver/patches\"))\n exit(0);\n\npatches = make_array();\n\npatches['7.2.0'] = make_list('XS72E001', 'XS72E002');\npatches['7.1.0'] = make_list('XS71E011', 'XS71E012');\npatches['7.0.0'] = make_list('XS70E035', 'XS70E036');\npatches['6.5.0'] = make_list('XS65ESP1057', 'XS65ESP1058');\npatches['6.2.0'] = make_list('XS62ESP1061', 'XS62ESP1062');\npatches['6.0.2'] = make_list('XS602ECC045', 
'XS602ECC046');\n\nreport_if_citrix_xenserver_is_vulnerable(version: version, hotfixes: hotfixes, patches: patches);\n\nexit(99);\n", "title": "Citrix XenServer Multiple Security Updates", "type": "openvas", "viewCount": 0}, "differentElements": ["cvss", "description", "cvelist", "modified", "sourceData"], "edition": 1, "lastseen": "2017-07-17T10:56:23"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-10918", "CVE-2017-10911", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "A number of security issues have been identified within Citrix XenServer.\nThese issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. The issues\nhave the identifiers:\n\n- CVE-2017-10920, CVE-2017-10921, CVE-2017-10922 (High): Grant table operations mishandle reference counts.\n\n- CVE-2017-10918 (High): Stale P1M mappings due to insufficient error checking.\n\n- CVE-2017-10912 (Medium): Page transfer may allow PV guest to elevate privilege.\n\n- CVE-2017-10913,CVE-2017-10914 (Medium): Races in the grant table unmap code.\n\n- CVE-2017-10915 (Medium): x85: insufficient reference counts during shadow emulation.\n\n- CVE-2017-10917 (Medium): NULL pointer deref in event channel poll.\n\n- CVE-2017-10911 (Low): blkif responses leak backend stack data.", "edition": 2, "enchantments": {}, "hash": "486c0c86ea79dda67165fbeefdcbfedd7d41dc3124dae65f7090ab3e41a63683", "hashmap": [{"hash": "34d8a75328683be1e03ea1de79387567", "key": "reporter"}, {"hash": "5b3ffa96845d67695f3a9a84aa63ae0f", "key": "naslFamily"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "9564b1250a06eb1a494ab04295d2334a", "key": "published"}, {"hash": "04430eef634a647ddb2b35bc74351297", "key": "description"}, {"hash": 
"7f646885f704c38b2553fc75fd077810", "key": "pluginID"}, {"hash": "1713e064df470431171d23a85825cd70", "key": "cvelist"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "e4b78bd7f7dceb58d50c714a97e99127", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "8139d8c20e2b0595960a5d5c7a642855", "key": "href"}, {"hash": "d90ecd12208932dc4463b12d54eeedba", "key": "sourceData"}, {"hash": "3c02b66cb1e0a345cbb3fd8ccf541a96", "key": "title"}, {"hash": "0d134bf170d66438eb1e01173ee0187f", "key": "modified"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106915", "id": "OPENVAS:1361412562310106915", "lastseen": "2017-07-25T10:57:24", "modified": "2017-07-10T00:00:00", "naslFamily": "Citrix Xenserver Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310106915", "published": "2017-06-30T00:00:00", "references": ["https://support.citrix.com/article/CTX224740"], "reporter": "This script is Copyright (C) 2017 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_xenserver_ctx224740.nasl 6621 2017-07-10 04:58:09Z ckuersteiner $\n#\n# Citrix XenServer Multiple Security Updates\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:citrix:xenserver\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106915\");\n script_version(\"$Revision: 6621 $\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-10 06:58:09 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-06-30 16:20:13 +0700 (Fri, 30 Jun 2017)\");\n script_tag(name: \"cvss_base\", value: \"7.2\");\n script_tag(name: \"cvss_base_vector\", value: \"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-10911\", \"CVE-2017-10912\", \"CVE-2017-10913\", \"CVE-2017-10914\", \"CVE-2017-10915\",\n\"CVE-2017-10917\", \"CVE-2017-10918\", \"CVE-2017-10920\", \"CVE-2017-10921\", \"CVE-2017-10922\");\n\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_name(\"Citrix XenServer Multiple Security Updates\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Citrix Xenserver Local Security Checks\");\n script_dependencies(\"gb_xenserver_version.nasl\");\n script_mandatory_keys(\"xenserver/product_version\",\"xenserver/patches\");\n\n script_tag(name: \"summary\", value: \"A number of security issues have been identified within Citrix XenServer.\nThese issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. 
The issues\nhave the identifiers:\n\n- CVE-2017-10920, CVE-2017-10921, CVE-2017-10922 (High): Grant table operations mishandle reference counts.\n\n- CVE-2017-10918 (High): Stale P1M mappings due to insufficient error checking.\n\n- CVE-2017-10912 (Medium): Page transfer may allow PV guest to elevate privilege.\n\n- CVE-2017-10913,CVE-2017-10914 (Medium): Races in the grant table unmap code.\n\n- CVE-2017-10915 (Medium): x85: insufficient reference counts during shadow emulation.\n\n- CVE-2017-10917 (Medium): NULL pointer deref in event channel poll.\n\n- CVE-2017-10911 (Low): blkif responses leak backend stack data.\");\n\n script_tag(name: \"vuldetect\", value: \"Check the installed hotfixes.\");\n\n script_tag(name: \"affected\", value: \"XenServer versions 7.2, 7.1, 7.0, 6.5, 6.2.0, 6.0.2.\");\n\n script_tag(name: \"solution\", value: \"Apply the hotfix referenced in the advisory.\");\n\n script_xref(name: \"URL\", value: \"https://support.citrix.com/article/CTX224740\");\n\n exit(0);\n}\n\ninclude(\"citrix_version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nif (!hotfixes = get_kb_item(\"xenserver/patches\"))\n exit(0);\n\npatches = make_array();\n\npatches['7.2.0'] = make_list('XS72E001', 'XS72E002');\npatches['7.1.0'] = make_list('XS71E011', 'XS71E012');\npatches['7.0.0'] = make_list('XS70E035', 'XS70E036');\npatches['6.5.0'] = make_list('XS65ESP1057', 'XS65ESP1058');\npatches['6.2.0'] = make_list('XS62ESP1061', 'XS62ESP1062');\npatches['6.0.2'] = make_list('XS602ECC045', 'XS602ECC046');\n\nreport_if_citrix_xenserver_is_vulnerable(version: version, hotfixes: hotfixes, patches: patches);\n\nexit(99);\n", "title": "Citrix XenServer Multiple Security Updates", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2017-07-25T10:57:24"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2017-10920", 
"CVE-2017-10921", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-10918", "CVE-2017-10911", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "A number of security issues have been identified within Citrix XenServer.\nThese issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. The issues\nhave the identifiers:\n\n- CVE-2017-10920, CVE-2017-10921, CVE-2017-10922 (High): Grant table operations mishandle reference counts.\n\n- CVE-2017-10918 (High): Stale P1M mappings due to insufficient error checking.\n\n- CVE-2017-10912 (Medium): Page transfer may allow PV guest to elevate privilege.\n\n- CVE-2017-10913,CVE-2017-10914 (Medium): Races in the grant table unmap code.\n\n- CVE-2017-10915 (Medium): x85: insufficient reference counts during shadow emulation.\n\n- CVE-2017-10917 (Medium): NULL pointer deref in event channel poll.\n\n- CVE-2017-10911 (Low): blkif responses leak backend stack data.", "edition": 3, "enchantments": {}, "hash": "590f92c12fe6366c8ebc39c0285d843bfa8fde7a148fa2b9b972f22c48b573ff", "hashmap": [{"hash": "34d8a75328683be1e03ea1de79387567", "key": "reporter"}, {"hash": "5b3ffa96845d67695f3a9a84aa63ae0f", "key": "naslFamily"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "9564b1250a06eb1a494ab04295d2334a", "key": "published"}, {"hash": "04430eef634a647ddb2b35bc74351297", "key": "description"}, {"hash": "7f646885f704c38b2553fc75fd077810", "key": "pluginID"}, {"hash": "1713e064df470431171d23a85825cd70", "key": "cvelist"}, {"hash": "1927b2d6151040a71e96f135b55a4f04", "key": "sourceData"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "e4b78bd7f7dceb58d50c714a97e99127", "key": "references"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "8139d8c20e2b0595960a5d5c7a642855", "key": "href"}, {"hash": 
"f606ba9a77cd9c446457fc11e8033089", "key": "modified"}, {"hash": "3c02b66cb1e0a345cbb3fd8ccf541a96", "key": "title"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106915", "id": "OPENVAS:1361412562310106915", "lastseen": "2017-08-03T10:57:36", "modified": "2017-07-19T00:00:00", "naslFamily": "Citrix Xenserver Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310106915", "published": "2017-06-30T00:00:00", "references": ["https://support.citrix.com/article/CTX224740"], "reporter": "This script is Copyright (C) 2017 Greenbone Networks GmbH", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_xenserver_ctx224740.nasl 6757 2017-07-19 05:57:31Z cfischer $\n#\n# Citrix XenServer Multiple Security Updates\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:citrix:xenserver\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106915\");\n script_version(\"$Revision: 6757 $\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-19 07:57:31 +0200 (Wed, 19 Jul 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-06-30 16:20:13 +0700 (Fri, 30 Jun 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-10911\", \"CVE-2017-10912\", \"CVE-2017-10913\", \"CVE-2017-10914\", \"CVE-2017-10915\",\n\"CVE-2017-10917\", \"CVE-2017-10918\", \"CVE-2017-10920\", \"CVE-2017-10921\", \"CVE-2017-10922\");\n\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_name(\"Citrix XenServer Multiple Security Updates\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Citrix Xenserver Local Security Checks\");\n script_dependencies(\"gb_xenserver_version.nasl\");\n script_mandatory_keys(\"xenserver/product_version\",\"xenserver/patches\");\n\n script_tag(name: \"summary\", value: \"A number of security issues have been identified within Citrix XenServer.\nThese issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. 
The issues\nhave the identifiers:\n\n- CVE-2017-10920, CVE-2017-10921, CVE-2017-10922 (High): Grant table operations mishandle reference counts.\n\n- CVE-2017-10918 (High): Stale P1M mappings due to insufficient error checking.\n\n- CVE-2017-10912 (Medium): Page transfer may allow PV guest to elevate privilege.\n\n- CVE-2017-10913,CVE-2017-10914 (Medium): Races in the grant table unmap code.\n\n- CVE-2017-10915 (Medium): x85: insufficient reference counts during shadow emulation.\n\n- CVE-2017-10917 (Medium): NULL pointer deref in event channel poll.\n\n- CVE-2017-10911 (Low): blkif responses leak backend stack data.\");\n\n script_tag(name: \"vuldetect\", value: \"Check the installed hotfixes.\");\n\n script_tag(name: \"affected\", value: \"XenServer versions 7.2, 7.1, 7.0, 6.5, 6.2.0, 6.0.2.\");\n\n script_tag(name: \"solution\", value: \"Apply the hotfix referenced in the advisory.\");\n\n script_xref(name: \"URL\", value: \"https://support.citrix.com/article/CTX224740\");\n\n exit(0);\n}\n\ninclude(\"citrix_version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nif (!hotfixes = get_kb_item(\"xenserver/patches\"))\n exit(0);\n\npatches = make_array();\n\npatches['7.2.0'] = make_list('XS72E001', 'XS72E002');\npatches['7.1.0'] = make_list('XS71E011', 'XS71E012');\npatches['7.0.0'] = make_list('XS70E035', 'XS70E036');\npatches['6.5.0'] = make_list('XS65ESP1057', 'XS65ESP1058');\npatches['6.2.0'] = make_list('XS62ESP1061', 'XS62ESP1062');\npatches['6.0.2'] = make_list('XS602ECC045', 'XS602ECC046');\n\nreport_if_citrix_xenserver_is_vulnerable(version: version, hotfixes: hotfixes, patches: patches);\n\nexit(99);\n", "title": "Citrix XenServer Multiple Security Updates", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData", "title"], "edition": 3, "lastseen": "2017-08-03T10:57:36"}], "edition": 4, "hashmap": [{"key": "bulletinFamily", "hash": 
"bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "1713e064df470431171d23a85825cd70"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "04430eef634a647ddb2b35bc74351297"}, {"key": "href", "hash": "8139d8c20e2b0595960a5d5c7a642855"}, {"key": "modified", "hash": "c57caa13a9dffde9eebc944d367434c5"}, {"key": "naslFamily", "hash": "5b3ffa96845d67695f3a9a84aa63ae0f"}, {"key": "pluginID", "hash": "7f646885f704c38b2553fc75fd077810"}, {"key": "published", "hash": "9564b1250a06eb1a494ab04295d2334a"}, {"key": "references", "hash": "e4b78bd7f7dceb58d50c714a97e99127"}, {"key": "reporter", "hash": "34d8a75328683be1e03ea1de79387567"}, {"key": "sourceData", "hash": "68329dcee675f8a97d8a5072c623e0eb"}, {"key": "title", "hash": "7a2353f27d3520063b7c276267163033"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "d0869005f56eca76d7108be8dc8c1d23c3cde1c1e7c3534b33ae148c4a05c91a", "viewCount": 2, "enchantments": {"vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_xenserver_ctx224740.nasl 6928 2017-08-16 02:41:07Z ckuersteiner $\n#\n# Citrix XenServer Multiple Security Updates (CTX224740)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:citrix:xenserver\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106915\");\n script_version(\"$Revision: 6928 $\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-08-16 04:41:07 +0200 (Wed, 16 Aug 2017) $\");\n script_tag(name: \"creation_date\", value: \"2017-06-30 16:20:13 +0700 (Fri, 30 Jun 2017)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2017-10911\", \"CVE-2017-10912\", \"CVE-2017-10913\", \"CVE-2017-10914\", \"CVE-2017-10915\",\n\"CVE-2017-10917\", \"CVE-2017-10918\", \"CVE-2017-10920\", \"CVE-2017-10921\", \"CVE-2017-10922\");\n\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n\n script_name(\"Citrix XenServer Multiple Security Updates (CTX224740)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Citrix Xenserver Local Security Checks\");\n script_dependencies(\"gb_xenserver_version.nasl\");\n script_mandatory_keys(\"xenserver/product_version\",\"xenserver/patches\");\n\n script_tag(name: \"summary\", value: \"A number of security issues have been identified within Citrix XenServer.\nThese issues could, if exploited, allow a malicious administrator of a guest VM to compromise the host. 
The issues\nhave the identifiers:\n\n- CVE-2017-10920, CVE-2017-10921, CVE-2017-10922 (High): Grant table operations mishandle reference counts.\n\n- CVE-2017-10918 (High): Stale P1M mappings due to insufficient error checking.\n\n- CVE-2017-10912 (Medium): Page transfer may allow PV guest to elevate privilege.\n\n- CVE-2017-10913,CVE-2017-10914 (Medium): Races in the grant table unmap code.\n\n- CVE-2017-10915 (Medium): x85: insufficient reference counts during shadow emulation.\n\n- CVE-2017-10917 (Medium): NULL pointer deref in event channel poll.\n\n- CVE-2017-10911 (Low): blkif responses leak backend stack data.\");\n\n script_tag(name: \"vuldetect\", value: \"Check the installed hotfixes.\");\n\n script_tag(name: \"affected\", value: \"XenServer versions 7.2, 7.1, 7.0, 6.5, 6.2.0, 6.0.2.\");\n\n script_tag(name: \"solution\", value: \"Apply the hotfix referenced in the advisory.\");\n\n script_xref(name: \"URL\", value: \"https://support.citrix.com/article/CTX224740\");\n\n exit(0);\n}\n\ninclude(\"citrix_version_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\n\nif (!version = get_app_version(cpe: CPE))\n exit(0);\n\nif (!hotfixes = get_kb_item(\"xenserver/patches\"))\n exit(0);\n\npatches = make_array();\n\npatches['7.2.0'] = make_list('XS72E001', 'XS72E002');\npatches['7.1.0'] = make_list('XS71E011', 'XS71E012');\npatches['7.0.0'] = make_list('XS70E035', 'XS70E036');\npatches['6.5.0'] = make_list('XS65ESP1057', 'XS65ESP1058');\npatches['6.2.0'] = make_list('XS62ESP1061', 'XS62ESP1062');\npatches['6.0.2'] = make_list('XS602ECC045', 'XS602ECC046');\n\nreport_if_citrix_xenserver_is_vulnerable(version: version, hotfixes: hotfixes, patches: patches);\n\nexit(99);\n", "naslFamily": "Citrix Xenserver Local Security Checks", "pluginID": "1361412562310106915"}
{"result": {"cve": [{"id": "CVE-2017-10920", "type": "cve", "title": "CVE-2017-10920", "description": "The grant-table feature in Xen through 4.8.x mishandles a GNTMAP_device_map and GNTMAP_host_map mapping, when followed by only a GNTMAP_host_map unmapping, which allows guest OS users to cause a denial of service (count mismanagement and memory corruption) or obtain privileged host OS access, aka XSA-224 bug 1.", "published": "2017-07-04T21:29:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10920", "cvelist": ["CVE-2017-10920"], "lastseen": "2017-11-04T10:53:59"}, {"id": "CVE-2017-10921", "type": "cve", "title": "CVE-2017-10921", "description": "The grant-table feature in Xen through 4.8.x does not ensure sufficient type counts for a GNTMAP_device_map and GNTMAP_host_map mapping, which allows guest OS users to cause a denial of service (count mismanagement and memory corruption) or obtain privileged host OS access, aka XSA-224 bug 2.", "published": "2017-07-04T21:29:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10921", "cvelist": ["CVE-2017-10921"], "lastseen": "2017-11-04T10:53:59"}, {"id": "CVE-2017-10922", "type": "cve", "title": "CVE-2017-10922", "description": "The grant-table feature in Xen through 4.8.x mishandles MMIO region grant references, which allows guest OS users to cause a denial of service (loss of grant trackability), aka XSA-224 bug 3.", "published": "2017-07-04T21:29:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10922", "cvelist": ["CVE-2017-10922"], "lastseen": "2017-11-04T10:53:59"}, {"id": "CVE-2017-10913", "type": "cve", "title": "CVE-2017-10913", "description": "The grant-table feature 
in Xen through 4.8.x provides false mapping information in certain cases of concurrent unmap calls, which allows backend attackers to obtain sensitive information or gain privileges, aka XSA-218 bug 1.", "published": "2017-07-04T21:29:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10913", "cvelist": ["CVE-2017-10913"], "lastseen": "2017-11-04T10:53:59"}, {"id": "CVE-2017-10918", "type": "cve", "title": "CVE-2017-10918", "description": "Xen through 4.8.x does not validate memory allocations during certain P2M operations, which allows guest OS users to obtain privileged host OS access, aka XSA-222.", "published": "2017-07-04T21:29:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10918", "cvelist": ["CVE-2017-10918"], "lastseen": "2017-11-04T10:53:59"}, {"id": "CVE-2017-10911", "type": "cve", "title": "CVE-2017-10911", "description": "The make_response function in drivers/block/xen-blkback/blkback.c in the Linux kernel before 4.11.8 allows guest OS users to obtain sensitive information from host OS (or other guest OS) kernel memory by leveraging the copying of uninitialized padding fields in Xen block-interface response structures, aka XSA-216.", "published": "2017-07-04T21:29:00", "cvss": {"score": 4.9, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10911", "cvelist": ["CVE-2017-10911"], "lastseen": "2017-11-06T11:53:12"}, {"id": "CVE-2017-10912", "type": "cve", "title": "CVE-2017-10912", "description": "Xen through 4.8.x mishandles page transfer, which allows guest OS users to obtain privileged host OS access, aka XSA-217.", "published": "2017-07-04T21:29:00", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10912", "cvelist": ["CVE-2017-10912"], "lastseen": "2017-11-04T10:53:59"}, {"id": "CVE-2017-10914", "type": "cve", "title": "CVE-2017-10914", "description": "The grant-table feature in Xen through 4.8.x has a race condition leading to a double free, which allows guest OS users to cause a denial of service (memory consumption), or possibly obtain sensitive information or gain privileges, aka XSA-218 bug 2.", "published": "2017-07-04T21:29:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10914", "cvelist": ["CVE-2017-10914"], "lastseen": "2017-11-04T10:53:59"}, {"id": "CVE-2017-10917", "type": "cve", "title": "CVE-2017-10917", "description": "Xen through 4.8.x does not validate the port numbers of polled event channel ports, which allows guest OS users to cause a denial of service (NULL pointer dereference and host OS crash) or possibly obtain sensitive information, aka XSA-221.", "published": "2017-07-04T21:29:00", "cvss": {"score": 9.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:NONE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10917", "cvelist": ["CVE-2017-10917"], "lastseen": "2017-11-04T10:53:59"}, {"id": "CVE-2017-10915", "type": "cve", "title": "CVE-2017-10915", "description": "The shadow-paging feature in Xen through 4.8.x mismanages page references and consequently introduces a race condition, which allows guest OS users to obtain Xen privileges, aka XSA-219.", "published": "2017-07-04T21:29:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-10915", "cvelist": ["CVE-2017-10915"], "lastseen": "2017-11-04T10:53:59"}], "gentoo": [{"id": "GLSA-201710-17", 
"type": "gentoo", "title": "Xen: Multiple vulnerabilities", "description": "### Background\n\nXen is a bare-metal hypervisor.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Xen. Please review the referenced CVE identifiers for details. \n\n### Impact\n\nA local attacker could escalate privileges, cause a Denial of Service condition, obtain sensitive information, or have other unspecified impacts. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Xen users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.7.3\"\n \n\nAll Xen pvgrub users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-pvgrub-4.7.3\"\n \n\nAll Xen Tools users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-tools-4.7.3\"", "published": "2017-10-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://security.gentoo.org/glsa/201710-17", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-10918", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10915"], "lastseen": "2017-10-18T08:47:07"}], "nessus": [{"id": "GENTOO_GLSA-201710-17.NASL", "type": "nessus", "title": "GLSA-201710-17 : Xen: Multiple vulnerabilities", "description": "The remote host is affected by the vulnerability described in GLSA-201710-17 (Xen: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Xen. 
Please review the referenced CVE identifiers for details.\n Impact :\n\n A local attacker could escalate privileges, cause a Denial of Service condition, obtain sensitive information, or have other unspecified impacts.\n Workaround :\n\n There is no known workaround at this time.", "published": "2017-10-18T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103910", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-10918", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10915"], "lastseen": "2018-01-30T01:07:28"}, {"id": "FEDORA_2017-C3149B5FCB.NASL", "type": "nessus", "title": "Fedora 25 : xen (2017-c3149b5fcb)", "description": "xen: various flaws (#1463247) blkif responses leak backend stack data [XSA-216] page transfer may allow PV guest to elevate privilege [XSA-217] Races in the grant table unmap code [XSA-218] x86:\ninsufficient reference counts during shadow emulation [XSA-219] x86:\nPKRU and BND* leakage between vCPU-s [XSA-220] stale P2M mappings due to insufficient error checking [XSA-222] ARM guest disabling interrupt may crash Xen [XSA-223] grant table operations mishandle reference counts [XSA-224] arm: vgic: Out-of-bound access when sending SGIs [XSA-225] NULL pointer deref in event channel poll [XSA-221] (#1463231)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2017-06-23T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=101028", "cvelist": ["CVE-2017-10920", "CVE-2017-10919", "CVE-2017-10913", "CVE-2017-10918", "CVE-2017-10911", "CVE-2017-10912", 
"CVE-2017-10916", "CVE-2017-10923", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2018-02-04T10:54:30"}, {"id": "FEDORA_2017-B3BDAF58BC.NASL", "type": "nessus", "title": "Fedora 24 : xen (2017-b3bdaf58bc)", "description": "xen: various flaws (#1463247) blkif responses leak backend stack data [XSA-216] page transfer may allow PV guest to elevate privilege [XSA-217] Races in the grant table unmap code [XSA-218] x86:\ninsufficient reference counts during shadow emulation [XSA-219] x86:\nPKRU and BND* leakage between vCPU-s [XSA-220] stale P2M mappings due to insufficient error checking [XSA-222] ARM guest disabling interrupt may crash Xen [XSA-223] grant table operations mishandle reference counts [XSA-224] arm: vgic: Out-of-bound access when sending SGIs [XSA-225] NULL pointer deref in event channel poll [XSA-221] (#1463231)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2017-07-03T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=101183", "cvelist": ["CVE-2017-10920", "CVE-2017-10919", "CVE-2017-10913", "CVE-2017-10918", "CVE-2017-10911", "CVE-2017-10912", "CVE-2017-10916", "CVE-2017-10923", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2018-02-04T11:09:34"}, {"id": "OPENSUSE-2017-799.NASL", "type": "nessus", "title": "openSUSE Security Update : xen (openSUSE-2017-799)", "description": "This update for xen fixes several issues.\n\nThese security issues were fixed :\n\n - CVE-2017-10912: Page transfer might have allowed PV guest to elevate privilege (XSA-217, bsc#1042882)\n\n - CVE-2017-10913 CVE-2017-10914: Races in the grant table unmap code allowed for informations leaks and potentially privilege escalation (XSA-218, 
bsc#1042893)\n\n - CVE-2017-10915: Insufficient reference counts during shadow emulation allowed a malicious pair of guest to elevate their privileges to the privileges that XEN runs under (XSA-219, bsc#1042915)\n\n - CVE-2017-10917: Missing NULL pointer check in event channel poll allows guests to DoS the host (XSA-221, bsc#1042924)\n\n - CVE-2017-10918: Stale P2M mappings due to insufficient error checking allowed malicious guest to leak information or elevate privileges (XSA-222, bsc#1042931)\n\n - CVE-2017-10920, CVE-2017-10921, CVE-2017-10922: Grant table operations mishandled reference counts allowing malicious guests to escape (XSA-224, bsc#1042938)\n\n - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042160)\n\n - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037243)\n\n - PKRU and BND* leakage between vCPU-s might have leaked information to other guests (XSA-220, bsc#1042923)\n\nThese non-security issues were fixed :\n\n - bsc#1027519: Included various upstream patches \n\n - bsc#1035642: Ensure that rpmbuild works\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update project.", "published": "2017-07-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=101349", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-9330", "CVE-2017-8309", "CVE-2017-10918", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2018-01-30T00:55:16"}, {"id": "FEDORA_2017-5C6A9B07A3.NASL", "type": "nessus", "title": "Fedora 26 : xen (2017-5c6a9b07a3)", "description": "xen: various flaws (#1463247) blkif responses leak backend 
stack data [XSA-216] page transfer may allow PV guest to elevate privilege [XSA-217] Races in the grant table unmap code [XSA-218] x86:\ninsufficient reference counts during shadow emulation [XSA-219] x86:\nPKRU and BND* leakage between vCPU-s [XSA-220] NULL pointer deref in event channel poll [XSA-221] (#1463231) stale P2M mappings due to insufficient error checking [XSA-222] ARM guest disabling interrupt may crash Xen [XSA-223] grant table operations mishandle reference counts [XSA-224] arm: vgic: Out-of-bound access when sending SGIs [XSA-225]\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2017-07-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=101638", "cvelist": ["CVE-2017-10920", "CVE-2017-10919", "CVE-2017-10913", "CVE-2017-10918", "CVE-2017-10911", "CVE-2017-10912", "CVE-2017-10916", "CVE-2017-10923", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2018-02-04T11:03:37"}, {"id": "ORACLEVM_OVMSA-2017-0142.NASL", "type": "nessus", "title": "OracleVM 3.4 : xen (OVMSA-2017-0142)", "description": "The remote OracleVM system is missing necessary patches to address critical security updates : please see Oracle VM Security Advisory OVMSA-2017-0142 for details.", "published": "2017-08-30T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=102835", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10922", "CVE-2017-2615", "CVE-2017-12135", "CVE-2017-10913", "CVE-2017-12137", "CVE-2017-10918", "CVE-2017-8905", "CVE-2017-12136", "CVE-2017-8904", "CVE-2017-10912", "CVE-2017-2620", "CVE-2017-7228", 
"CVE-2017-10914", "CVE-2017-10917", "CVE-2017-8903", "CVE-2017-10915", "CVE-2016-9603"], "lastseen": "2018-01-31T01:12:30"}, {"id": "DEBIAN_DSA-3969.NASL", "type": "nessus", "title": "Debian DSA-3969-1 : xen - security update", "description": "Multiple vulnerabilities have been discovered in the Xen hypervisor :\n\n - CVE-2017-10912 Jann Horn discovered that incorrectly handling of page transfers might result in privilege escalation.\n\n - CVE-2017-10913 / CVE-2017-10914 Jann Horn discovered that race conditions in grant handling might result in information leaks or privilege escalation.\n\n - CVE-2017-10915 Andrew Cooper discovered that incorrect reference counting with shadow paging might result in privilege escalation.\n\n - CVE-2017-10916 Andrew Cooper discovered an information leak in the handling of the Memory Protection Extensions (MPX) and Protection Key (PKU) CPU features. This only affects Debian stretch.\n\n - CVE-2017-10917 Ankur Arora discovered a NULL pointer dereference in event polling, resulting in denial of service.\n\n - CVE-2017-10918 Julien Grall discovered that incorrect error handling in physical-to-machine memory mappings may result in privilege escalation, denial of service or an information leak.\n\n - CVE-2017-10919 Julien Grall discovered that incorrect handling of virtual interrupt injection on ARM systems may result in denial of service.\n\n - CVE-2017-10920 / CVE-2017-10921 / CVE-2017-10922 Jan Beulich discovered multiple places where reference counting on grant table operations was incorrect, resulting in potential privilege escalation.\n\n - CVE-2017-12135 Jan Beulich found multiple problems in the handling of transitive grants which could result in denial of service and potentially privilege escalation.\n\n - CVE-2017-12136 Ian Jackson discovered that race conditions in the allocator for grant mappings may result in denial of service or privilege escalation. 
This only affects Debian stretch.\n\n - CVE-2017-12137 Andrew Cooper discovered that incorrect validation of grants may result in privilege escalation.\n\n - CVE-2017-12855 Jan Beulich discovered that incorrect grant status handling, thus incorrectly informing the guest that the grant is no longer in use.\n\n - XSA-235 (no CVE yet)\n\n Wei Liu discovered that incorrect locking of add-to-physmap operations on ARM may result in denial of service.", "published": "2017-09-13T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103146", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10919", "CVE-2017-10922", "CVE-2017-12855", "CVE-2017-12135", "CVE-2017-10913", "CVE-2017-12137", "CVE-2017-10918", "CVE-2017-12136", "CVE-2017-10912", "CVE-2017-10916", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915", "CVE-2017-15596"], "lastseen": "2018-01-31T00:55:42"}, {"id": "SUSE_SU-2017-1812-1.NASL", "type": "nessus", "title": "SUSE SLES12 Security Update : xen (SUSE-SU-2017:1812-1)", "description": "This update for xen fixes several issues. 
These security issues were fixed :\n\n - CVE-2017-10911: blkif responses leaked backend stack data, which allowed unprivileged guest to obtain sensitive information from the host or other guests (XSA-216, bsc#1042863)\n\n - CVE-2017-10912: Page transfer might have allowed PV guest to elevate privilege (XSA-217, bsc#1042882)\n\n - CVE-2017-10913, CVE-2017-10914: Races in the grant table unmap code allowed for informations leaks and potentially privilege escalation (XSA-218, bsc#1042893)\n\n - CVE-2017-10915: Insufficient reference counts during shadow emulation allowed a malicious pair of guest to elevate their privileges to the privileges that XEN runs under (XSA-219, bsc#1042915)\n\n - CVE-2017-10917: Missing NULL pointer check in event channel poll allows guests to DoS the host (XSA-221, bsc#1042924)\n\n - CVE-2017-10918: Stale P2M mappings due to insufficient error checking allowed malicious guest to leak information or elevate privileges (XSA-222, bsc#1042931)\n\n - CVE-2017-10922, CVE-2017-10921, CVE-2017-10920: Grant table operations mishandled reference counts allowing malicious guests to escape (XSA-224, bsc#1042938)\n\n - CVE-2017-10916: PKRU and BND* leakage between vCPU-s might have leaked information to other guests (XSA-220, bsc#1042923)\n\n - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042160)\n\n - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037243)\n\n - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036470)\n\n - CVE-2017-8905: Xen a failsafe callback, which might have allowed PV guest OS users to execute arbitrary code on the host OS (XSA-215, bsc#1034845).\n\n - 
CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a NULL pointer dereference issue which allowed a privileged user inside guest to crash the Qemu process on the host resulting in DoS (bsc#1043297)\n\n - CVE-2017-9374: Missing free of 's->ipacket', causes a host memory leak, allowing for DoS (bsc#1043074)\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2017-07-10T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=101350", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-9503", "CVE-2017-8112", "CVE-2017-9374", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-9330", "CVE-2017-8309", "CVE-2017-10918", "CVE-2017-10911", "CVE-2017-8905", "CVE-2017-10912", "CVE-2017-10916", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2018-02-02T07:05:40"}, {"id": "DEBIAN_DLA-1132.NASL", "type": "nessus", "title": "Debian DLA-1132-1 : xen security update", "description": "Multiple vulnerabilities have been discovered in the Xen hypervisor :\n\nCVE-2017-10912\n\nJann Horn discovered that incorrectly handling of page transfers might result in privilege escalation.\n\nCVE-2017-10913 / CVE-2017-10914\n\nJann Horn discovered that race conditions in grant handling might result in information leaks or privilege escalation.\n\nCVE-2017-10915\n\nAndrew Cooper discovered that incorrect reference counting with shadow paging might result in privilege escalation.\n\nCVE-2017-10918\n\nJulien Grall discovered that incorrect error handling in physical-to-machine memory mappings may result in privilege escalation, denial of 
service or an information leak.\n\nCVE-2017-10920 / CVE-2017-10921 / CVE-2017-10922\n\nJan Beulich discovered multiple places where reference counting on grant table operations was incorrect, resulting in potential privilege escalation\n\nCVE-2017-12135\n\nJan Beulich found multiple problems in the handling of transitive grants which could result in denial of service and potentially privilege escalation.\n\nCVE-2017-12137\n\nAndrew Cooper discovered that incorrect validation of grants may result in privilege escalation.\n\nCVE-2017-12855\n\nJan Beulich discovered that incorrect grant status handling, thus incorrectly informing the guest that the grant is no longer in use.\n\nCVE-2017-14316\n\nMatthew Daley discovered that the NUMA node parameter wasn't verified which which may result in privilege escalation.\n\nCVE-2017-14317\n\nEric Chanudet discovered that a race conditions in cxenstored might result in information leaks or privilege escalation.\n\nCVE-2017-14318\n\nMatthew Daley discovered that incorrect validation of grants may result in a denial of service.\n\nCVE-2017-14319\n\nAndrew Cooper discovered that insufficient grant unmapping checks may result in denial of service and privilege escalation.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 4.1.6.lts1-9.\n\nWe recommend that you upgrade your xen packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2017-10-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=103791", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-14317", "CVE-2017-10922", "CVE-2017-12855", "CVE-2017-12135", "CVE-2017-10913", "CVE-2017-12137", "CVE-2017-10918", "CVE-2017-14316", "CVE-2017-14319", "CVE-2017-14318", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10915"], "lastseen": "2018-01-31T01:09:56"}, {"id": "SUSE_SU-2017-1795-1.NASL", "type": "nessus", "title": "SUSE SLES12 Security Update : xen (SUSE-SU-2017:1795-1)", "description": "This update for xen fixes several issues. These security issues were fixed :\n\n - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation support was vulnerable to a NULL pointer dereference issue which allowed a privileged user inside guest to crash the Qemu process on the host resulting in DoS (bsc#1043297)\n\n - CVE-2017-9374: Missing free of 's->ipacket', causes a host memory leak, allowing for DoS (bsc#1043074)\n\n - CVE-2017-10911: blkif responses leaked backend stack data, which allowed unprivileged guest to obtain sensitive information from the host or other guests (XSA-216, bsc#1042863)\n\n - CVE-2017-10912: Page transfer might have allowed PV guest to elevate privilege (XSA-217, bsc#1042882)\n\n - CVE-2017-10913, CVE-2017-10914: Races in the grant table unmap code allowed for informations leaks and potentially privilege escalation (XSA-218, bsc#1042893)\n\n - CVE-2017-10915: Insufficient reference counts during shadow emulation allowed a malicious pair of guest to elevate their privileges to the privileges that XEN runs under (XSA-219, bsc#1042915)\n\n - CVE-2017-10917: Missing NULL pointer check in event channel poll allows guests to DoS the host (XSA-221, bsc#1042924)\n\n 
- CVE-2017-10918: Stale P2M mappings due to insufficient error checking allowed malicious guest to leak information or elevate privileges (XSA-222, bsc#1042931)\n\n - CVE-2017-10920, CVE-2017-10921, CVE-2017-10922: Grant table operations mishandled reference counts allowing malicious guests to escape (XSA-224, bsc#1042938)\n\n - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users to cause a denial of service (infinite loop) by leveraging an incorrect return value (bsc#1042160)\n\n - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture (bsc#1037243)\n\n - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count (bsc#1036470)\n\n - CVE-2017-8905: Xen a failsafe callback, which might have allowed PV guest OS users to execute arbitrary code on the host OS (XSA-215, bsc#1034845).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2017-07-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=101293", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-9503", "CVE-2017-8112", "CVE-2017-9374", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-9330", "CVE-2017-8309", "CVE-2017-10918", "CVE-2017-10911", "CVE-2017-8905", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2018-02-02T07:12:32"}], "openvas": [{"id": "OPENVAS:1361412562310872848", "type": "openvas", "title": "Fedora Update for xen FEDORA-2017-c3149b5fcb", "description": "Check the version of xen", "published": "2017-07-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310872848", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10919", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-10918", "CVE-2017-10911", "CVE-2017-10912", "CVE-2017-10916", "CVE-2017-10923", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2017-07-31T10:57:48"}, {"id": "OPENVAS:1361412562310851577", "type": "openvas", "title": "SuSE Update for xen openSUSE-SU-2017:1826-1 (xen)", "description": "Check the version of xen", "published": "2017-07-14T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851577", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-9330", "CVE-2017-8309", "CVE-2017-10918", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2017-12-12T11:21:50"}, {"id": "OPENVAS:1361412562310703969", "type": "openvas", "title": 
"Debian Security Advisory DSA 3969-1 (xen - security update)", "description": "Multiple vulnerabilities have been discovered in the Xen hypervisor:\n\nCVE-2017-10912 \nJann Horn discovered that incorrectly handling of page transfers might\nresult in privilege escalation.\n\nCVE-2017-10913 / CVE-2017-10914 \nJann Horn discovered that race conditions in grant handling might\nresult in information leaks or privilege escalation.\n\nCVE-2017-10915 \nAndrew Cooper discovered that incorrect reference counting with\nshadow paging might result in privilege escalation.\n\nCVE-2017-10916 \nAndrew Cooper discovered an information leak in the handling\nof the Memory Protection Extensions (MPX) and Protection\nKey (PKU) CPU features. This only affects Debian stretch.\n\nCVE-2017-10917 \nAnkur Arora discovered a NULL pointer dereference in event\npolling, resulting in denial of service.\n\nCVE-2017-10918 \nJulien Grall discovered that incorrect error handling in\nphysical-to-machine memory mappings may result in privilege\nescalation, denial of service or an information leak.\n\nCVE-2017-10919 \nJulien Grall discovered that incorrect handling of\nvirtual interrupt injection on ARM systems may result in\ndenial of service.\n\nCVE-2017-10920 / CVE-2017-10921 / CVE-2017-10922 \nJan Beulich discovered multiple places where reference\ncounting on grant table operations was incorrect, resulting\nin potential privilege escalation.\n\nCVE-2017-12135 \nJan Beulich found multiple problems in the handling of\ntransitive grants which could result in denial of service\nand potentially privilege escalation.\n\nCVE-2017-12136 \nIan Jackson discovered that race conditions in the allocator\nfor grant mappings may result in denial of service or privilege\nescalation. 
This only affects Debian stretch.\n\nCVE-2017-12137 \nAndrew Cooper discovered that incorrect validation of\ngrants may result in privilege escalation.\n\nCVE-2017-12855 \nJan Beulich discovered that incorrect grant status handling, thus\nincorrectly informing the guest that the grant is no longer in use.\n\nXSA-235 (no CVE yet)\n\nWei Liu discovered that incorrect locking of add-to-physmap\noperations on ARM may result in denial of service.", "published": "2017-09-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703969", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10919", "CVE-2017-10922", "CVE-2017-12855", "CVE-2017-12135", "CVE-2017-10913", "CVE-2017-12137", "CVE-2017-10918", "CVE-2017-12136", "CVE-2017-10912", "CVE-2017-10916", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2017-09-15T13:39:09"}, {"id": "OPENVAS:1361412562310891132", "type": "openvas", "title": "Debian LTS Advisory ([SECURITY] [DLA 1132-1] xen security update)", "description": "Multiple vulnerabilities have been discovered in the Xen hypervisor:\n\nCVE-2017-10912\n\nJann Horn discovered that incorrectly handling of page transfers might\nresult in privilege escalation.\n\nCVE-2017-10913 / CVE-2017-10914\n\nJann Horn discovered that race conditions in grant handling might\nresult in information leaks or privilege escalation.\n\nCVE-2017-10915\n\nAndrew Cooper discovered that incorrect reference counting with\nshadow paging might result in privilege escalation.\n\nCVE-2017-10918\n\nJulien Grall discovered that incorrect error handling in\nphysical-to-machine memory mappings may result in privilege\nescalation, denial of service or an information leak.\n\nCVE-2017-10920 / CVE-2017-10921 / CVE-2017-10922\n\nJan Beulich discovered multiple places where reference\ncounting on grant table operations was incorrect, resulting\nin potential 
privilege escalation\n\nCVE-2017-12135\n\nJan Beulich found multiple problems in the handling of\ntransitive grants which could result in denial of service\nand potentially privilege escalation.\n\nCVE-2017-12137\n\nAndrew Cooper discovered that incorrect validation of\ngrants may result in privilege escalation.\n\nCVE-2017-12855\n\nJan Beulich discovered that incorrect grant status handling, thus\nincorrectly informing the guest that the grant is no longer in use.\n\nCVE-2017-14316\n\nMatthew Daley discovered that the NUMA node parameter wasn", "published": "2018-02-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891132", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-14317", "CVE-2017-10922", "CVE-2017-12855", "CVE-2017-12135", "CVE-2017-10913", "CVE-2017-12137", "CVE-2017-10918", "CVE-2017-14316", "CVE-2017-14319", "CVE-2017-14318", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10915"], "lastseen": "2018-03-29T18:47:56"}, {"id": "OPENVAS:1361412562310843352", "type": "openvas", "title": "Ubuntu Update for linux-hwe USN-3468-2", "description": "Check the version of linux-hwe", "published": "2017-11-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843352", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "lastseen": "2017-11-07T11:00:48"}, {"id": "OPENVAS:1361412562310843356", "type": "openvas", "title": "Ubuntu Update for linux-gcp USN-3468-3", "description": "Check the version of linux-gcp", "published": "2017-11-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843356", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", 
"CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "lastseen": "2017-11-07T11:00:48"}, {"id": "OPENVAS:1361412562310843353", "type": "openvas", "title": "Ubuntu Update for linux USN-3468-1", "description": "Check the version of linux", "published": "2017-11-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843353", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "lastseen": "2017-11-07T11:00:48"}, {"id": "OPENVAS:703920", "type": "openvas", "title": "Debian Security Advisory DSA 3920-1 (qemu - security update)", "description": "Multiple vulnerabilities were found in qemu, a fast processor\nemulator:\n\nCVE-2017-9310 \nDenial of service via infinite loop in e1000e NIC emulation.\n\nCVE-2017-9330 \nDenial of service via infinite loop in USB OHCI emulation.\n\nCVE-2017-9373 \nDenial of service via memory leak in IDE AHCI emulation.\n\nCVE-2017-9374 \nDenial of service via memory leak in USB EHCI emulation.\n\nCVE-2017-9375 \nDenial of service via memory leak in USB XHCI emulation.\n\nCVE-2017-9524 \nDenial of service in qemu-nbd server.\n\nCVE-2017-10664 \nDenial of service in qemu-nbd server.\n\nCVE-2017-10911 \nInformation leak in Xen blkif response handling.", "published": "2017-07-25T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703920", "cvelist": ["CVE-2017-9375", "CVE-2017-9374", "CVE-2017-9330", "CVE-2017-10911", "CVE-2017-10664", "CVE-2017-9373", "CVE-2017-9524", "CVE-2017-9310"], "lastseen": "2017-08-23T11:19:54"}, {"id": "OPENVAS:1361412562310843357", "type": "openvas", "title": "Ubuntu Update for linux USN-3470-1", "description": "Check the version of linux", "published": "2017-11-01T00:00:00", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843357", "cvelist": ["CVE-2017-11176", "CVE-2016-8632", "CVE-2017-10661", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663", "CVE-2017-10662"], "lastseen": "2017-11-07T11:00:48"}, {"id": "OPENVAS:1361412562310851640", "type": "openvas", "title": "SuSE Update for qemu openSUSE-SU-2017:2938-1 (qemu)", "description": "Check the version of qemu", "published": "2017-11-07T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851640", "cvelist": ["CVE-2017-15268", "CVE-2017-15038", "CVE-2017-14167", "CVE-2017-15289", "CVE-2017-12809", "CVE-2017-13711", "CVE-2017-10911", "CVE-2017-13672"], "lastseen": "2017-12-12T11:23:15"}], "suse": [{"id": "OPENSUSE-SU-2017:1826-1", "type": "suse", "title": "Security update for xen (important)", "description": "This update for xen fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2017-10912: Page transfer might have allowed PV guest to elevate\n privilege (XSA-217, bsc#1042882)\n - CVE-2017-10913 CVE-2017-10914: Races in the grant table unmap code\n allowed for informations leaks and potentially privilege escalation\n (XSA-218, bsc#1042893)\n - CVE-2017-10915: Insufficient reference counts during shadow emulation\n allowed a malicious pair of guest to elevate their privileges to the\n privileges that XEN runs under (XSA-219, bsc#1042915)\n - CVE-2017-10917: Missing NULL pointer check in event channel poll allows\n guests to DoS the host (XSA-221, bsc#1042924)\n - CVE-2017-10918: Stale P2M mappings due to insufficient error checking\n allowed malicious guest to leak information or elevate privileges\n (XSA-222, bsc#1042931)\n - CVE-2017-10920, CVE-2017-10921, CVE-2017-10922: Grant table operations\n mishandled reference counts allowing malicious guests to escape\n (XSA-224, 
bsc#1042938)\n - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users\n to cause a denial of service (infinite loop) by leveraging an incorrect\n return value (bsc#1042160)\n - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers\n to cause a denial of service (memory consumption) by repeatedly starting\n and stopping audio capture (bsc#1037243)\n - PKRU and BND* leakage between vCPU-s might have leaked information to\n other guests (XSA-220, bsc#1042923)\n\n These non-security issues were fixed:\n\n - bsc#1027519: Included various upstream patches\n - bsc#1035642: Ensure that rpmbuild works\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "published": "2017-07-08T15:12:52", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-07/msg00011.html", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-9330", "CVE-2017-8309", "CVE-2017-10918", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2017-07-08T16:48:26"}, {"id": "SUSE-SU-2017:1795-1", "type": "suse", "title": "Security update for xen (important)", "description": "This update for xen fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation\n support was vulnerable to a null pointer dereference issue which allowed\n a privileged user inside guest to crash the Qemu process on the host\n resulting in DoS (bsc#1043297)\n - CVE-2017-9374: Missing free of 's->ipacket', causes a host memory leak,\n allowing for DoS (bsc#1043074)\n - CVE-2017-10911: blkif responses leaked backend stack data, which allowed\n unprivileged guest to obtain sensitive information from the host or\n other guests (XSA-216, bsc#1042863)\n - CVE-2017-10912: Page transfer might have allowed PV guest to elevate\n 
privilege (XSA-217, bsc#1042882)\n - CVE-2017-10913, CVE-2017-10914: Races in the grant table unmap code\n allowed for informations leaks and potentially privilege escalation\n (XSA-218, bsc#1042893)\n - CVE-2017-10915: Insufficient reference counts during shadow emulation\n allowed a malicious pair of guest to elevate their privileges to the\n privileges that XEN runs under (XSA-219, bsc#1042915)\n - CVE-2017-10917: Missing NULL pointer check in event channel poll allows\n guests to DoS the host (XSA-221, bsc#1042924)\n - CVE-2017-10918: Stale P2M mappings due to insufficient error checking\n allowed malicious guest to leak information or elevate privileges\n (XSA-222, bsc#1042931)\n - CVE-2017-10920, CVE-2017-10921, CVE-2017-10922: Grant table operations\n mishandled reference counts allowing malicious guests to escape\n (XSA-224, bsc#1042938)\n - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users\n to cause a denial of service (infinite loop) by leveraging an incorrect\n return value (bsc#1042160)\n - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers\n to cause a denial of service (memory consumption) by repeatedly starting\n and stopping audio capture (bsc#1037243)\n - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged\n users to cause a denial of service (infinite loop and CPU consumption)\n via the message ring page count (bsc#1036470)\n - CVE-2017-8905: Xen a failsafe callback, which might have allowed PV\n guest OS users to execute arbitrary code on the host OS (XSA-215,\n bsc#1034845).\n\n These non-security issues were fixed:\n\n - bsc#1031460: Fixed DomU Live Migration\n - bsc#1014136: Fixed kdump SLES12-SP2\n - bsc#1026236: Equalized paravirtualized vs. 
fully virtualized migration\n speed\n - bsc#1032148: Ensure that time doesn't goes backwards during live\n migration of HVM domU\n - bsc#1027519: Included various upstream patches\n\n", "published": "2017-07-06T15:15:02", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-07/msg00005.html", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-9503", "CVE-2017-8112", "CVE-2017-9374", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-9330", "CVE-2017-8309", "CVE-2017-10918", "CVE-2017-10911", "CVE-2017-8905", "CVE-2017-10912", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2017-07-06T16:48:23"}, {"id": "SUSE-SU-2017:1812-1", "type": "suse", "title": "Security update for xen (important)", "description": "This update for xen fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2017-10911: blkif responses leaked backend stack data, which allowed\n unprivileged guest to obtain sensitive information from the host or\n other guests (XSA-216, bsc#1042863)\n - CVE-2017-10912: Page transfer might have allowed PV guest to elevate\n privilege (XSA-217, bsc#1042882)\n - CVE-2017-10913, CVE-2017-10914: Races in the grant table unmap code\n allowed for informations leaks and potentially privilege escalation\n (XSA-218, bsc#1042893)\n - CVE-2017-10915: Insufficient reference counts during shadow emulation\n allowed a malicious pair of guest to elevate their privileges to the\n privileges that XEN runs under (XSA-219, bsc#1042915)\n - CVE-2017-10917: Missing NULL pointer check in event channel poll allows\n guests to DoS the host (XSA-221, bsc#1042924)\n - CVE-2017-10918: Stale P2M mappings due to insufficient error checking\n allowed malicious guest to leak information or elevate privileges\n (XSA-222, bsc#1042931)\n - CVE-2017-10922, CVE-2017-10921, CVE-2017-10920: Grant table operations\n mishandled reference counts allowing malicious 
guests to escape\n (XSA-224, bsc#1042938)\n - CVE-2017-10916: PKRU and BND* leakage between vCPU-s might have leaked\n information to other guests (XSA-220, bsc#1042923)\n - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users\n to cause a denial of service (infinite loop) by leveraging an incorrect\n return value (bsc#1042160)\n - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers\n to cause a denial of service (memory consumption) by repeatedly starting\n and stopping audio capture (bsc#1037243)\n - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged\n users to cause a denial of service (infinite loop and CPU consumption)\n via the message ring page count (bsc#1036470)\n - CVE-2017-8905: Xen a failsafe callback, which might have allowed PV\n guest OS users to execute arbitrary code on the host OS (XSA-215,\n bsc#1034845).\n - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation\n support was vulnerable to a null pointer dereference issue which allowed\n a privileged user inside guest to crash the Qemu process on the host\n resulting in DoS (bsc#1043297)\n - CVE-2017-9374: Missing free of 's->ipacket', causes a host memory leak,\n allowing for DoS (bsc#1043074)\n\n These non-security issues were fixed:\n\n - bsc#1031460: Fixed DomU Live Migration\n - bsc#1014136: Fixed kdump SLES12-SP2\n - bsc#1026236: Equalized paravirtualized vs. 
fully virtualized migration\n speed\n\n", "published": "2017-07-07T15:09:38", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-07/msg00008.html", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-9503", "CVE-2017-8112", "CVE-2017-9374", "CVE-2017-10922", "CVE-2017-10913", "CVE-2017-9330", "CVE-2017-8309", "CVE-2017-10918", "CVE-2017-10911", "CVE-2017-8905", "CVE-2017-10912", "CVE-2017-10916", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915"], "lastseen": "2017-07-07T16:48:26"}, {"id": "SUSE-SU-2017:2924-1", "type": "suse", "title": "Security update for qemu (important)", "description": "This update for qemu to version 2.9.1 fixes several issues.\n\n It also announces that the qed storage format will be no longer supported\n in SLE 15 (fate#324200).\n\n These security issues were fixed:\n\n - CVE-2017-15268: Qemu allowed remote attackers to cause a memory leak by\n triggering slow data-channel read operations, related to\n io/channel-websock.c (bsc#1062942)\n - CVE-2017-15289: The mode4and5 write functions allowed local OS guest\n privileged users to cause a denial of service (out-of-bounds write\n access and Qemu process crash) via vectors related to dst calculation\n (bsc#1063122)\n - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local\n guest OS users to obtain sensitive information from host heap memory via\n vectors related to reading extended attributes (bsc#1062069)\n - CVE-2017-10911: The make_response function in the Linux kernel allowed\n guest OS users to obtain sensitive information from host OS (or other\n guest OS) kernel memory by leveraging the copying of uninitialized\n padding fields in Xen block-interface response structures (bsc#1057378)\n - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed\n local guest OS privileged users to cause a denial of service (NULL\n pointer dereference and 
QEMU process crash) by flushing an empty CDROM\n device drive (bsc#1054724)\n - CVE-2017-14167: Integer overflow in the load_multiboot function allowed\n local guest OS users to execute arbitrary code on the host via crafted\n multiboot header address values, which trigger an out-of-bounds write\n (bsc#1057585)\n - CVE-2017-13672: The VGA display emulator support allowed local guest OS\n privileged users to cause a denial of service (out-of-bounds read and\n QEMU process crash) via vectors involving display update (bsc#1056334)\n - CVE-2017-13711: Use-after-free vulnerability allowed attackers to cause\n a denial of service (QEMU instance crash) by leveraging failure to\n properly clear ifq_so from pending packets (bsc#1056291).\n\n These non-security issues were fixed:\n\n - Fixed not being able to build from rpm sources due to undefined macro\n (bsc#1057966)\n - Fiedx package build failure against new glibc (bsc#1055587)\n\n", "published": "2017-11-03T00:08:15", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00003.html", "cvelist": ["CVE-2017-15268", "CVE-2017-15038", "CVE-2017-14167", "CVE-2017-15289", "CVE-2017-12809", "CVE-2017-13711", "CVE-2017-10911", "CVE-2017-13672"], "lastseen": "2017-11-03T02:32:22"}, {"id": "OPENSUSE-SU-2017:2938-1", "type": "suse", "title": "Security update for qemu (important)", "description": "This update for qemu to version 2.9.1 fixes several issues.\n\n It also announces that the qed storage format will be no longer supported\n in Leap 15.0.\n\n These security issues were fixed:\n\n - CVE-2017-15268: Qemu allowed remote attackers to cause a memory leak by\n triggering slow data-channel read operations, related to\n io/channel-websock.c (bsc#1062942)\n - CVE-2017-15289: The mode4and5 write functions allowed local OS guest\n privileged users to cause a denial of service (out-of-bounds write\n access and Qemu 
process crash) via vectors related to dst calculation\n (bsc#1063122)\n - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local\n guest OS users to obtain sensitive information from host heap memory via\n vectors related to reading extended attributes (bsc#1062069)\n - CVE-2017-10911: The make_response function in the Linux kernel allowed\n guest OS users to obtain sensitive information from host OS (or other\n guest OS) kernel memory by leveraging the copying of uninitialized\n padding fields in Xen block-interface response structures (bsc#1057378)\n - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed\n local guest OS privileged users to cause a denial of service (NULL\n pointer dereference and QEMU process crash) by flushing an empty CDROM\n device drive (bsc#1054724)\n - CVE-2017-14167: Integer overflow in the load_multiboot function allowed\n local guest OS users to execute arbitrary code on the host via crafted\n multiboot header address values, which trigger an out-of-bounds write\n (bsc#1057585)\n - CVE-2017-13672: The VGA display emulator support allowed local guest OS\n privileged users to cause a denial of service (out-of-bounds read and\n QEMU process crash) via vectors involving display update (bsc#1056334)\n - CVE-2017-13711: Use-after-free vulnerability allowed attackers to cause\n a denial of service (QEMU instance crash) by leveraging failure to\n properly clear ifq_so from pending packets (bsc#1056291).\n\n These non-security issues were fixed:\n\n - Fixed not being able to build from rpm sources due to undefined macro\n (bsc#1057966)\n - Fiedx package build failure against new glibc (bsc#1055587)\n\n This update was imported from the SUSE:SLE-12-SP3:Update update project.\n\n", "published": "2017-11-07T06:09:17", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00007.html", "cvelist": 
["CVE-2017-15268", "CVE-2017-15038", "CVE-2017-14167", "CVE-2017-15289", "CVE-2017-12809", "CVE-2017-13711", "CVE-2017-10911", "CVE-2017-13672"], "lastseen": "2017-11-07T08:32:56"}, {"id": "OPENSUSE-SU-2017:2941-1", "type": "suse", "title": "Security update for qemu (important)", "description": "This update for qemu fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2017-15268: Qemu allowed remote attackers to cause a memory leak by\n triggering slow data-channel read operations, related to\n io/channel-websock.c (bsc#1062942).\n - CVE-2017-9524: The qemu-nbd server when built with the Network Block\n Device (NBD) Server support allowed remote attackers to cause a denial\n of service (segmentation fault and server crash) by leveraging failure\n to ensure that all initialization occurs talking to a client in the\n nbd_negotiate function (bsc#1043808).\n - CVE-2017-15289: The mode4and5 write functions allowed local OS guest\n privileged users to cause a denial of service (out-of-bounds write\n access and Qemu process crash) via vectors related to dst calculation\n (bsc#1063122)\n - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local\n guest OS users to obtain sensitive information from host heap memory via\n vectors related to reading extended attributes (bsc#1062069)\n - CVE-2017-10911: The make_response function in the Linux kernel allowed\n guest OS users to obtain sensitive information from host OS (or other\n guest OS) kernel memory by leveraging the copying of uninitialized\n padding fields in Xen block-interface response structures (bsc#1057378)\n - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed\n local guest OS privileged users to cause a denial of service (NULL\n pointer dereference and QEMU process crash) by flushing an empty CDROM\n device drive (bsc#1054724)\n - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote\n attackers to cause a denial of service (daemon crash) by 
disconnecting\n during a server-to-client reply attempt (bsc#1046636)\n - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users\n to cause a denial of service (QEMU process crash) via vectors related to\n logging debug messages (bsc#1047674)\n - CVE-2017-14167: Integer overflow in the load_multiboot function allowed\n local guest OS users to execute arbitrary code on the host via crafted\n multiboot header address values, which trigger an out-of-bounds write\n (bsc#1057585)\n - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local\n guest OS users to cause a denial of service (out-of-bounds read) via a\n crafted DHCP options string (bsc#1049381)\n - CVE-2017-11334: The address_space_write_continue function allowed local\n guest OS privileged users to cause a denial of service (out-of-bounds\n access and guest instance crash) by leveraging use of qemu_map_ram_ptr\n to access guest ram block area (bsc#1048902)\n - CVE-2017-13672: The VGA display emulator support allowed local guest OS\n privileged users to cause a denial of service (out-of-bounds read and\n QEMU process crash) via vectors involving display update (bsc#1056334)\n\n These non-security issues were fixed:\n\n - Fixed not being able to build from rpm sources due to undefined macro\n (bsc#1057966)\n - Fixed wrong permissions for kvm_stat.1 file\n - Fixed KVM lun resize not working as expected on SLES12 SP2 HV\n (bsc#1043176)\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n", "published": "2017-11-07T06:12:01", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00008.html", "cvelist": ["CVE-2017-15268", "CVE-2017-11334", "CVE-2017-15038", "CVE-2017-14167", "CVE-2017-15289", "CVE-2017-12809", "CVE-2017-10911", "CVE-2017-10664", "CVE-2017-10806", "CVE-2017-13672", "CVE-2017-11434", "CVE-2017-9524"], "lastseen": 
"2017-11-07T08:32:55"}, {"id": "SUSE-SU-2017:2936-1", "type": "suse", "title": "Security update for qemu (important)", "description": "This update for qemu fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2017-15268: Qemu allowed remote attackers to cause a memory leak by\n triggering slow data-channel read operations, related to\n io/channel-websock.c (bsc#1062942).\n - CVE-2017-9524: The qemu-nbd server when built with the Network Block\n Device (NBD) Server support allowed remote attackers to cause a denial\n of service (segmentation fault and server crash) by leveraging failure\n to ensure that all initialization occurs talking to a client in the\n nbd_negotiate function (bsc#1043808).\n - CVE-2017-15289: The mode4and5 write functions allowed local OS guest\n privileged users to cause a denial of service (out-of-bounds write\n access and Qemu process crash) via vectors related to dst calculation\n (bsc#1063122)\n - CVE-2017-15038: Race condition in the v9fs_xattrwalk function local\n guest OS users to obtain sensitive information from host heap memory via\n vectors related to reading extended attributes (bsc#1062069)\n - CVE-2017-10911: The make_response function in the Linux kernel allowed\n guest OS users to obtain sensitive information from host OS (or other\n guest OS) kernel memory by leveraging the copying of uninitialized\n padding fields in Xen block-interface response structures (bsc#1057378)\n - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed\n local guest OS privileged users to cause a denial of service (NULL\n pointer dereference and QEMU process crash) by flushing an empty CDROM\n device drive (bsc#1054724)\n - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote\n attackers to cause a denial of service (daemon crash) by disconnecting\n during a server-to-client reply attempt (bsc#1046636)\n - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users\n to cause a denial of 
service (QEMU process crash) via vectors related to\n logging debug messages (bsc#1047674)\n - CVE-2017-14167: Integer overflow in the load_multiboot function allowed\n local guest OS users to execute arbitrary code on the host via crafted\n multiboot header address values, which trigger an out-of-bounds write\n (bsc#1057585)\n - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local\n guest OS users to cause a denial of service (out-of-bounds read) via a\n crafted DHCP options string (bsc#1049381)\n - CVE-2017-11334: The address_space_write_continue function allowed local\n guest OS privileged users to cause a denial of service (out-of-bounds\n access and guest instance crash) by leveraging use of qemu_map_ram_ptr\n to access guest ram block area (bsc#1048902)\n - CVE-2017-13672: The VGA display emulator support allowed local guest OS\n privileged users to cause a denial of service (out-of-bounds read and\n QEMU process crash) via vectors involving display update (bsc#1056334)\n\n These non-security issues were fixed:\n\n - Fixed not being able to build from rpm sources due to undefined macro\n (bsc#1057966)\n - Fixed wrong permissions for kvm_stat.1 file\n - Fixed KVM lun resize not working as expected on SLES12 SP2 HV\n (bsc#1043176)\n\n", "published": "2017-11-06T21:07:59", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00006.html", "cvelist": ["CVE-2017-15268", "CVE-2017-11334", "CVE-2017-15038", "CVE-2017-14167", "CVE-2017-15289", "CVE-2017-12809", "CVE-2017-10911", "CVE-2017-10664", "CVE-2017-10806", "CVE-2017-13672", "CVE-2017-11434", "CVE-2017-9524"], "lastseen": "2017-11-07T00:32:53"}, {"id": "SUSE-SU-2017:2946-1", "type": "suse", "title": "Security update for qemu (important)", "description": "This update for qemu fixes several issues.\n\n These security issues were fixed:\n\n - CVE-2017-10911: The make_response 
function in the Linux kernel allowed\n guest OS users to obtain sensitive information from host OS (or other\n guest OS) kernel memory by leveraging the copying of uninitialized\n padding fields in Xen block-interface response structures (bsc#1057378).\n - CVE-2017-12809: The IDE disk and CD/DVD-ROM Emulator support allowed\n local guest OS privileged users to cause a denial of service (NULL\n pointer dereference and QEMU process crash) by flushing an empty CDROM\n device drive (bsc#1054724).\n - CVE-2017-15289: The mode4and5 write functions allowed local OS guest\n privileged users to cause a denial of service (out-of-bounds write\n access and Qemu process crash) via vectors related to dst calculation\n (bsc#1063122)\n - CVE-2017-15038: Race condition in the v9fs_xattrwalk function allowed local\n guest OS users to obtain sensitive information from host heap memory via\n vectors related to reading extended attributes (bsc#1062069)\n - CVE-2017-14167: Integer overflow in the load_multiboot function allowed\n local guest OS users to execute arbitrary code on the host via crafted\n multiboot header address values, which trigger an out-of-bounds write\n (bsc#1057585)\n - CVE-2017-11434: The dhcp_decode function in slirp/bootp.c allowed local\n guest OS users to cause a denial of service (out-of-bounds read) via a\n crafted DHCP options string (bsc#1049381)\n - CVE-2017-11334: The address_space_write_continue function allowed local\n guest OS privileged users to cause a denial of service (out-of-bounds\n access and guest instance crash) by leveraging use of qemu_map_ram_ptr\n to access guest ram block area (bsc#1048902)\n - CVE-2017-13672: The VGA display emulator support allowed local guest OS\n privileged users to cause a denial of service (out-of-bounds read and\n QEMU process crash) via vectors involving display update (bsc#1056334)\n - CVE-2017-5973: An infinite loop while doing control transfer in\n xhci_kick_epctx allowed privileged user inside the guest to crash the\n 
host process resulting in DoS (bsc#1025109)\n - CVE-2017-5987: The sdhci_sdma_transfer_multi_blocks function in\n hw/sd/sdhci.c allowed local OS guest privileged users to cause a denial\n of service (infinite loop and QEMU process crash) via vectors involving\n the transfer mode register during multi block transfer (bsc#1025311)\n - CVE-2017-6505: The ohci_service_ed_list function allowed local guest OS\n users to cause a denial of service (infinite loop) via vectors involving\n the number of link endpoint list descriptors (bsc#1028184)\n - CVE-2016-9603: A privileged user within the guest VM could have caused a\n heap overflow in the device model process, potentially escalating their\n privileges to that of the device model process (bsc#1028656)\n - CVE-2017-7718: hw/display/cirrus_vga_rop.h allowed local guest OS\n privileged users to cause a denial of service (out-of-bounds read and\n QEMU process crash) via vectors related to copying VGA data via the\n cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions\n (bsc#1034908)\n - CVE-2017-7980: An out-of-bounds r/w access issue in the Cirrus CLGD\n 54xx VGA Emulator support allowed privileged user inside guest to use\n this flaw to crash the Qemu process resulting in DoS or potentially\n execute arbitrary code on a host with privileges of Qemu process on the\n host (bsc#1035406)\n - CVE-2017-8112: hw/scsi/vmw_pvscsi.c allowed local guest OS privileged\n users to cause a denial of service (infinite loop and CPU consumption)\n via the message ring page count (bsc#1036211)\n - CVE-2017-9375: The USB xHCI controller emulator support was vulnerable\n to an infinite recursive call loop issue, which allowed a privileged\n user inside guest to crash the Qemu process resulting in DoS\n (bsc#1042800)\n - CVE-2017-9374: Missing free of 's->ipacket', causes a host memory leak,\n allowing for DoS (bsc#1043073)\n - CVE-2017-9373: The IDE AHCI Emulation support was vulnerable to a host\n memory leakage issue, which 
allowed a privileged user inside guest to\n leak host memory resulting in DoS (bsc#1042801)\n - CVE-2017-9330: USB OHCI Emulation in qemu allowed local guest OS users\n to cause a denial of service (infinite loop) by leveraging an incorrect\n return value (bsc#1042159)\n - CVE-2017-8379: Memory leak in the keyboard input event handlers support\n allowed local guest OS privileged users to cause a denial of service\n (host memory consumption) by rapidly generating large keyboard events\n (bsc#1037334)\n - CVE-2017-8309: Memory leak in the audio/audio.c allowed remote attackers\n to cause a denial of service (memory consumption) by repeatedly starting\n and stopping audio capture (bsc#1037242)\n - CVE-2017-8380: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation\n support was vulnerable to an out-of-bounds read access issue which\n allowed a privileged user inside guest to read host memory resulting in\n DoS (bsc#1037336)\n - CVE-2017-7493: The VirtFS, host directory sharing via Plan 9 File\n System(9pfs) support, was vulnerable to an improper access control\n issue. It could occur while accessing virtfs metadata files in\n mapped-file security mode. 
A guest user could have used this flaw to\n escalate their privileges inside guest (bsc#1039495)\n - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File\n System(9pfs) support was vulnerable to an improper link following issue\n which allowed a privileged user inside guest to access host file system\n beyond the shared folder and potentially escalating their privileges on\n a host (bsc#1020427)\n - CVE-2017-5579: The 16550A UART serial device emulation support was\n vulnerable to a memory leakage issue allowing a privileged user to cause\n a DoS and/or potentially crash the Qemu process on the host (bsc#1021741)\n - CVE-2017-9503: The MegaRAID SAS 8708EM2 Host Bus Adapter emulation\n support was vulnerable to a null pointer dereference issue which allowed\n a privileged user inside guest to crash the Qemu process on the host\n resulting in DoS (bsc#1043296)\n - CVE-2017-10664: qemu-nbd did not ignore SIGPIPE, which allowed remote\n attackers to cause a denial of service (daemon crash) by disconnecting\n during a server-to-client reply attempt (bsc#1046636)\n - CVE-2017-10806: Stack-based buffer overflow allowed local guest OS users\n to cause a denial of service (QEMU process crash) via vectors related to\n logging debug messages (bsc#1047674)\n - CVE-2016-9602: The VirtFS host directory sharing via Plan 9 File\n System(9pfs) support was vulnerable to an improper link following issue\n which allowed a privileged user inside guest to access host file system\n beyond the shared folder and potentially escalating their privileges on\n a host (bsc#1020427)\n - CVE-2017-7377: The v9fs_create and v9fs_lcreate functions in\n hw/9pfs/9p.c allowed local guest OS privileged users to cause a denial\n of service (file descriptor or memory consumption) via vectors related\n to an already in-use fid (bsc#1032075)\n - CVE-2017-8086: A memory leak in the v9fs_list_xattr function in\n hw/9pfs/9p-xattr.c allowed local guest OS privileged users to cause a\n denial of 
service (memory consumption) via vectors involving the\n orig_value variable (bsc#1035950)\n - CVE-2017-7471: The VirtFS host directory sharing via Plan 9 File\n System(9pfs) support was vulnerable to an improper access control issue\n which allowed a privileged user inside guest to access host file system\n beyond the shared folder and potentially escalating their privileges on\n a host (bsc#1034866)\n - CVE-2016-6835: Buffer overflow in the VMWARE VMXNET3 NIC device support,\n causing an OOB read access (bsc#994605)\n - CVE-2016-6834: A infinite loop during packet fragmentation in the VMWARE\n VMXNET3 NIC device support allowed privileged user inside guest to crash\n the Qemu instance resulting in DoS (bsc#994418)\n - Fix privilege escalation in TCG mode (bsc#1030624)\n\n This non-security issue was fixed:\n\n - Fix regression introduced by recent virtfs security fixes (bsc#1045035)\n\n", "published": "2017-11-08T12:10:08", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2017-11/msg00010.html", "cvelist": ["CVE-2017-9503", "CVE-2017-9375", "CVE-2017-8112", "CVE-2017-7493", "CVE-2017-11334", "CVE-2017-7718", "CVE-2017-9374", "CVE-2017-8379", "CVE-2017-7980", "CVE-2017-15038", "CVE-2017-8086", "CVE-2017-6505", "CVE-2017-14167", "CVE-2016-6834", "CVE-2017-9330", "CVE-2016-6835", "CVE-2017-7377", "CVE-2017-15289", "CVE-2017-5579", "CVE-2017-8380", "CVE-2017-5973", "CVE-2017-8309", "CVE-2017-12809", "CVE-2017-5987", "CVE-2017-10911", "CVE-2017-7471", "CVE-2017-10664", "CVE-2017-10806", "CVE-2016-9602", "CVE-2017-13672", "CVE-2017-11434", "CVE-2017-9373", "CVE-2016-9603"], "lastseen": "2017-11-08T14:32:19"}], "debian": [{"id": "DSA-3969", "type": "debian", "title": "xen -- security update", "description": "Multiple vulnerabilities have been discovered in the Xen hypervisor:\n\n * [CVE-2017-10912](<https://security-tracker.debian.org/tracker/CVE-2017-10912>)\n\nJann 
Horn discovered that incorrect handling of page transfers might result in privilege escalation.\n\n * [CVE-2017-10913](<https://security-tracker.debian.org/tracker/CVE-2017-10913>) / [CVE-2017-10914](<https://security-tracker.debian.org/tracker/CVE-2017-10914>)\n\nJann Horn discovered that race conditions in grant handling might result in information leaks or privilege escalation.\n\n * [CVE-2017-10915](<https://security-tracker.debian.org/tracker/CVE-2017-10915>)\n\nAndrew Cooper discovered that incorrect reference counting with shadow paging might result in privilege escalation.\n\n * [CVE-2017-10916](<https://security-tracker.debian.org/tracker/CVE-2017-10916>)\n\nAndrew Cooper discovered an information leak in the handling of the Memory Protection Extensions (MPX) and Protection Key (PKU) CPU features. This only affects Debian stretch.\n\n * [CVE-2017-10917](<https://security-tracker.debian.org/tracker/CVE-2017-10917>)\n\nAnkur Arora discovered a NULL pointer dereference in event polling, resulting in denial of service.\n\n * [CVE-2017-10918](<https://security-tracker.debian.org/tracker/CVE-2017-10918>)\n\nJulien Grall discovered that incorrect error handling in physical-to-machine memory mappings may result in privilege escalation, denial of service or an information leak.\n\n * [CVE-2017-10919](<https://security-tracker.debian.org/tracker/CVE-2017-10919>)\n\nJulien Grall discovered that incorrect handling of virtual interrupt injection on ARM systems may result in denial of service.\n\n * [CVE-2017-10920](<https://security-tracker.debian.org/tracker/CVE-2017-10920>) / [CVE-2017-10921](<https://security-tracker.debian.org/tracker/CVE-2017-10921>) / [CVE-2017-10922](<https://security-tracker.debian.org/tracker/CVE-2017-10922>)\n\nJan Beulich discovered multiple places where reference counting on grant table operations was incorrect, resulting in potential privilege escalation.\n\n * 
[CVE-2017-12135](<https://security-tracker.debian.org/tracker/CVE-2017-12135>)\n\nJan Beulich found multiple problems in the handling of transitive grants which could result in denial of service and potentially privilege escalation.\n\n * [CVE-2017-12136](<https://security-tracker.debian.org/tracker/CVE-2017-12136>)\n\nIan Jackson discovered that race conditions in the allocator for grant mappings may result in denial of service or privilege escalation. This only affects Debian stretch.\n\n * [CVE-2017-12137](<https://security-tracker.debian.org/tracker/CVE-2017-12137>)\n\nAndrew Cooper discovered that incorrect validation of grants may result in privilege escalation.\n\n * [CVE-2017-12855](<https://security-tracker.debian.org/tracker/CVE-2017-12855>)\n\nJan Beulich discovered incorrect grant status handling, incorrectly informing the guest that the grant is no longer in use.\n\n * XSA-235 (no CVE yet) \n\nWei Liu discovered that incorrect locking of add-to-physmap operations on ARM may result in denial of service.\n\nFor the oldstable distribution (jessie), these problems have been fixed in version 4.4.1-9+deb8u10.\n\nFor the stable distribution (stretch), these problems have been fixed in version 4.8.1-1+deb9u3.\n\nWe recommend that you upgrade your xen packages.", "published": "2017-09-12T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3969", "cvelist": ["CVE-2017-10920", "CVE-2017-10921", "CVE-2017-10919", "CVE-2017-10922", "CVE-2017-12855", "CVE-2017-12135", "CVE-2017-10913", "CVE-2017-12137", "CVE-2017-10918", "CVE-2017-12136", "CVE-2017-10912", "CVE-2017-10916", "CVE-2017-10914", "CVE-2017-10917", "CVE-2017-10915", "CVE-2017-15596"], "lastseen": "2017-10-19T04:43:23"}, {"id": "DSA-3920", "type": "debian", "title": "qemu -- security update", "description": "Multiple vulnerabilities were found in qemu, a fast processor emulator:\n\n * 
[CVE-2017-9310](<https://security-tracker.debian.org/tracker/CVE-2017-9310>)\n\nDenial of service via infinite loop in e1000e NIC emulation.\n\n * [CVE-2017-9330](<https://security-tracker.debian.org/tracker/CVE-2017-9330>)\n\nDenial of service via infinite loop in USB OHCI emulation.\n\n * [CVE-2017-9373](<https://security-tracker.debian.org/tracker/CVE-2017-9373>)\n\nDenial of service via memory leak in IDE AHCI emulation.\n\n * [CVE-2017-9374](<https://security-tracker.debian.org/tracker/CVE-2017-9374>)\n\nDenial of service via memory leak in USB EHCI emulation.\n\n * [CVE-2017-10664](<https://security-tracker.debian.org/tracker/CVE-2017-10664>)\n\nDenial of service in qemu-nbd server.\n\n * [CVE-2017-10911](<https://security-tracker.debian.org/tracker/CVE-2017-10911>)\n\nInformation leak in Xen blkif response handling.\n\nFor the oldstable distribution (jessie), a separate DSA will be issued.\n\nFor the stable distribution (stretch), these problems have been fixed in version 1:2.8+dfsg-6+deb9u1.\n\nFor the unstable distribution (sid), these problems will be fixed soon.\n\nWe recommend that you upgrade your qemu packages.", "published": "2017-07-25T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-3920", "cvelist": ["CVE-2017-9374", "CVE-2017-9330", "CVE-2017-10911", "CVE-2017-10664", "CVE-2017-9373", "CVE-2017-9310"], "lastseen": "2017-10-05T13:05:33"}, {"id": "DSA-3945", "type": "debian", "title": "linux -- security update", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.\n\n * [CVE-2014-9940](<https://security-tracker.debian.org/tracker/CVE-2014-9940>)\n\nA use-after-free flaw in the voltage and current regulator driver could allow a local user to cause a denial of service or potentially escalate privileges.\n\n * 
[CVE-2017-7346](<https://security-tracker.debian.org/tracker/CVE-2017-7346>)\n\nLi Qiang discovered that the DRM driver for VMware virtual GPUs does not properly check user-controlled values in the vmw_surface_define_ioctl() functions for upper limits. A local user can take advantage of this flaw to cause a denial of service.\n\n * [CVE-2017-7482](<https://security-tracker.debian.org/tracker/CVE-2017-7482>)\n\nShi Lei discovered that RxRPC Kerberos 5 ticket handling code does not properly verify metadata, leading to information disclosure, denial of service or potentially execution of arbitrary code.\n\n * [CVE-2017-7533](<https://security-tracker.debian.org/tracker/CVE-2017-7533>)\n\nFan Wu and Shixiong Zhao discovered a race condition between inotify events and VFS rename operations allowing an unprivileged local attacker to cause a denial of service or escalate privileges.\n\n * [CVE-2017-7541](<https://security-tracker.debian.org/tracker/CVE-2017-7541>)\n\nA buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN driver could allow a local user to cause kernel memory corruption, leading to a denial of service or potentially privilege escalation.\n\n * [CVE-2017-7542](<https://security-tracker.debian.org/tracker/CVE-2017-7542>)\n\nAn integer overflow vulnerability in the ip6_find_1stfragopt() function was found allowing a local attacker with privileges to open raw sockets to cause a denial of service.\n\n * [CVE-2017-7889](<https://security-tracker.debian.org/tracker/CVE-2017-7889>)\n\nTommi Rantala and Brad Spengler reported that the mm subsystem does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, allowing a local attacker with access to /dev/mem to obtain sensitive information or potentially execute arbitrary code.\n\n * [CVE-2017-9605](<https://security-tracker.debian.org/tracker/CVE-2017-9605>)\n\nMurray McAllister discovered that the DRM driver for VMware virtual GPUs does not properly initialize memory, potentially allowing 
a local attacker to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call.\n\n * [CVE-2017-10911](<https://security-tracker.debian.org/tracker/CVE-2017-10911>)\n\n/ XSA-216\n\nAnthony Perard of Citrix discovered an information leak flaw in Xen blkif response handling, allowing a malicious unprivileged guest to obtain sensitive information from the host or other guests.\n\n * [CVE-2017-11176](<https://security-tracker.debian.org/tracker/CVE-2017-11176>)\n\nIt was discovered that the mq_notify() function does not set the sock pointer to NULL upon entry into the retry logic. An attacker can take advantage of this flaw during a userspace close of a Netlink socket to cause a denial of service or potentially cause other impact.\n\n * [CVE-2017-1000363](<https://security-tracker.debian.org/tracker/CVE-2017-1000363>)\n\nRoee Hay reported that the lp driver does not properly bounds-check passed arguments, allowing a local attacker with write access to the kernel command line arguments to execute arbitrary code.\n\n * [CVE-2017-1000365](<https://security-tracker.debian.org/tracker/CVE-2017-1000365>)\n\nIt was discovered that argument and environment pointers are not taken properly into account to the imposed size restrictions on arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY. 
A local attacker can take advantage of this flaw in conjunction with other flaws to execute arbitrary code.\n\nFor the oldstable distribution (jessie), these problems have been fixed in version 3.16.43-2+deb8u3.\n\nWe recommend that you upgrade your linux packages.", "published": "2017-08-17T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3945", "cvelist": ["CVE-2017-11176", "CVE-2017-7889", "CVE-2017-7346", "CVE-2014-9940", "CVE-2017-7533", "CVE-2017-10911", "CVE-2017-7482", "CVE-2017-7541", "CVE-2017-1000363", "CVE-2017-7542", "CVE-2017-9605", "CVE-2017-1000365"], "lastseen": "2018-01-10T17:04:07"}, {"id": "DSA-3927", "type": "debian", "title": "linux -- security update", "description": "Several vulnerabilities have been discovered in the Linux kernel that may lead to a privilege escalation, denial of service or information leaks.\n\n * [CVE-2017-7346](<https://security-tracker.debian.org/tracker/CVE-2017-7346>)\n\nLi Qiang discovered that the DRM driver for VMware virtual GPUs does not properly check user-controlled values in the vmw_surface_define_ioctl() functions for upper limits. 
A local user can take advantage of this flaw to cause a denial of service.\n\n * [CVE-2017-7482](<https://security-tracker.debian.org/tracker/CVE-2017-7482>)\n\nShi Lei discovered that RxRPC Kerberos 5 ticket handling code does not properly verify metadata, leading to information disclosure, denial of service or potentially execution of arbitrary code.\n\n * [CVE-2017-7533](<https://security-tracker.debian.org/tracker/CVE-2017-7533>)\n\nFan Wu and Shixiong Zhao discovered a race condition between inotify events and VFS rename operations allowing an unprivileged local attacker to cause a denial of service or escalate privileges.\n\n * [CVE-2017-7541](<https://security-tracker.debian.org/tracker/CVE-2017-7541>)\n\nA buffer overflow flaw in the Broadcom IEEE802.11n PCIe SoftMAC WLAN driver could allow a local user to cause kernel memory corruption, leading to a denial of service or potentially privilege escalation.\n\n * [CVE-2017-7542](<https://security-tracker.debian.org/tracker/CVE-2017-7542>)\n\nAn integer overflow vulnerability in the ip6_find_1stfragopt() function was found allowing a local attacker with privileges to open raw sockets to cause a denial of service.\n\n * [CVE-2017-9605](<https://security-tracker.debian.org/tracker/CVE-2017-9605>)\n\nMurray McAllister discovered that the DRM driver for VMware virtual GPUs does not properly initialize memory, potentially allowing a local attacker to obtain sensitive information from uninitialized kernel memory via a crafted ioctl call.\n\n * [CVE-2017-10810](<https://security-tracker.debian.org/tracker/CVE-2017-10810>)\n\nLi Qiang discovered a memory leak flaw within the VirtIO GPU driver resulting in denial of service (memory consumption).\n\n * [CVE-2017-10911](<https://security-tracker.debian.org/tracker/CVE-2017-10911>) / [XSA-216](<https://xenbits.xen.org/xsa/advisory-216.txt>)\n\nAnthony Perard of Citrix discovered an information leak flaw in Xen blkif response handling, allowing a malicious unprivileged 
guest to obtain sensitive information from the host or other guests.\n\n * [CVE-2017-11176](<https://security-tracker.debian.org/tracker/CVE-2017-11176>)\n\nIt was discovered that the mq_notify() function does not set the sock pointer to NULL upon entry into the retry logic. An attacker can take advantage of this flaw during a user-space close of a Netlink socket to cause a denial of service or potentially cause other impact.\n\n * [CVE-2017-1000365](<https://security-tracker.debian.org/tracker/CVE-2017-1000365>)\n\nIt was discovered that argument and environment pointers are not taken properly into account to the imposed size restrictions on arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY. A local attacker can take advantage of this flaw in conjunction with other flaws to execute arbitrary code.\n\nFor the oldstable distribution (jessie), these problems will be fixed in a subsequent DSA.\n\nFor the stable distribution (stretch), these problems have been fixed in version 4.9.30-2+deb9u3.\n\nWe recommend that you upgrade your linux packages.", "published": "2017-08-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3927", "cvelist": ["CVE-2017-11176", "CVE-2017-7346", "CVE-2017-10810", "CVE-2017-7533", "CVE-2017-10911", "CVE-2017-7482", "CVE-2017-7541", "CVE-2017-7542", "CVE-2017-9605", "CVE-2017-1000365"], "lastseen": "2018-03-11T00:46:21"}], "ubuntu": [{"id": "USN-3468-3", "type": "ubuntu", "title": "Linux kernel (GCP) vulnerabilities", "description": "It was discovered that the KVM subsystem in the Linux kernel did not properly bound guest IRQs. A local attacker in a guest VM could use this to cause a denial of service (host system crash). (CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation in the Linux kernel did not properly validate superblock metadata. 
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. (CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340)", "published": "2017-10-31T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3468-3/", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "lastseen": "2018-03-29T18:20:16"}, {"id": "USN-3468-2", "type": "ubuntu", "title": "Linux kernel (HWE) vulnerabilities", "description": "USN-3468-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.\n\nIt was discovered that the KVM subsystem in the Linux kernel did not properly bound guest IRQs. A local attacker in a guest VM could use this to cause a denial of service (host system crash). (CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation in the Linux kernel did not properly validate superblock metadata. 
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. (CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340)", "published": "2017-10-31T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3468-2/", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "lastseen": "2018-03-29T18:21:27"}, {"id": "USN-3468-1", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "description": "It was discovered that the KVM subsystem in the Linux kernel did not properly bound guest IRQs. A local attacker in a guest VM could use this to cause a denial of service (host system crash). (CVE-2017-1000252)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation in the Linux kernel did not properly validate superblock metadata. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. 
A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. (CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340)", "published": "2017-10-31T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3468-1/", "cvelist": ["CVE-2017-11176", "CVE-2017-1000252", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663"], "lastseen": "2018-03-29T18:17:01"}, {"id": "USN-3470-1", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "description": "Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632)\n\nDmitry Vyukov discovered that a race condition existed in the timerfd subsystem of the Linux kernel when handling might_cancel queuing. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-10661)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation in the Linux kernel did not properly validate superblock metadata. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. 
(CVE-2017-10662, CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. (CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340)", "published": "2017-10-31T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3470-1/", "cvelist": ["CVE-2017-11176", "CVE-2016-8632", "CVE-2017-10661", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663", "CVE-2017-10662"], "lastseen": "2018-03-29T18:19:45"}, {"id": "USN-3470-2", "type": "ubuntu", "title": "Linux kernel (Trusty HWE) vulnerabilities", "description": "USN-3470-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.\n\nQian Zhang discovered a heap-based buffer overflow in the tipc_msg_build() function in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code with administrative privileges. (CVE-2016-8632)\n\nDmitry Vyukov discovered that a race condition existed in the timerfd subsystem of the Linux kernel when handling might_cancel queuing. 
A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-10661)\n\nIt was discovered that the Flash-Friendly File System (f2fs) implementation in the Linux kernel did not properly validate superblock metadata. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-10662, CVE-2017-10663)\n\nAnthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. (CVE-2017-10911)\n\nIt was discovered that a use-after-free vulnerability existed in the POSIX message queue implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-11176)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340)", "published": "2017-10-31T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3470-2/", "cvelist": ["CVE-2017-11176", "CVE-2016-8632", "CVE-2017-10661", "CVE-2017-10911", "CVE-2017-14340", "CVE-2017-10663", "CVE-2017-10662"], "lastseen": "2018-03-29T18:19:02"}, {"id": "USN-3469-1", "type": "ubuntu", "title": "Linux kernel vulnerabilities", "description": "Anthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. 
(CVE-2017-10911)\n\nBo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. A local attacker with the CAP_NET_ADMIN could use this to cause a denial of service (system crash). (CVE-2017-12153)\n\nIt was discovered that the nested KVM implementation in the Linux kernel in some situations did not properly prevent second level guests from reading and writing the hardware CR8 register. A local attacker in a guest could use this to cause a denial of service (system crash). (CVE-2017-12154)\n\nIt was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12192)\n\nIt was discovered that an integer overflow existed in the sysfs interface for the QLogic 24xx+ series SCSI driver in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-14051)\n\nIt was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14156)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340)\n\nChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14489)\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). 
(CVE-2017-14991)\n\nDmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in the Linux kernel did not properly handle attempts to set reserved bits in a task\u2019s extended state (xstate) area. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-15537)\n\nPengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)", "published": "2017-10-31T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3469-1/", "cvelist": ["CVE-2017-14051", "CVE-2017-14489", "CVE-2017-14991", "CVE-2017-9984", "CVE-2017-15537", "CVE-2017-12192", "CVE-2017-9985", "CVE-2017-10911", "CVE-2017-14156", "CVE-2017-14340", "CVE-2017-12153", "CVE-2017-12154"], "lastseen": "2018-03-29T18:21:22"}, {"id": "USN-3469-2", "type": "ubuntu", "title": "Linux kernel (Xenial HWE) vulnerabilities", "description": "USN-3469-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nAnthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. (CVE-2017-10911)\n\nBo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. A local attacker with the CAP_NET_ADMIN could use this to cause a denial of service (system crash). 
(CVE-2017-12153)\n\nIt was discovered that the nested KVM implementation in the Linux kernel in some situations did not properly prevent second level guests from reading and writing the hardware CR8 register. A local attacker in a guest could use this to cause a denial of service (system crash). (CVE-2017-12154)\n\nIt was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12192)\n\nIt was discovered that an integer overflow existed in the sysfs interface for the QLogic 24xx+ series SCSI driver in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). (CVE-2017-14051)\n\nIt was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14156)\n\nDave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14340)\n\nChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14489)\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14991)\n\nDmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in the Linux kernel did not properly handle attempts to set reserved bits in a task\u2019s extended state (xstate) area. 
A local attacker could use this to cause a denial of service (system crash). (CVE-2017-15537)\n\nPengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)", "published": "2017-10-31T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3469-2/", "cvelist": ["CVE-2017-14051", "CVE-2017-14489", "CVE-2017-14991", "CVE-2017-9984", "CVE-2017-15537", "CVE-2017-12192", "CVE-2017-9985", "CVE-2017-10911", "CVE-2017-14156", "CVE-2017-14340", "CVE-2017-12153", "CVE-2017-12154"], "lastseen": "2018-03-29T18:20:38"}, {"id": "USN-3414-2", "type": "ubuntu", "title": "QEMU regression", "description": "USN-3414-1 fixed vulnerabilities in QEMU. The patch backport for CVE-2017-9375 was incomplete and caused a regression in the USB xHCI controller emulation support. This update fixes the problem.\n\nWe apologize for the inconvenience.\n\nOriginal advisory details:\n\nLeo Gaspard discovered that QEMU incorrectly handled VirtFS access control. A guest attacker could use this issue to elevate privileges inside the guest. (CVE-2017-7493)\n\nLi Qiang discovered that QEMU incorrectly handled VMWare PVSCSI emulation. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources or crash, resulting in a denial of service. (CVE-2017-8112)\n\nIt was discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly to obtain sensitive host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-8380)\n\nLi Qiang discovered that QEMU incorrectly handled the Virtio GPU device. 
An attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9060)\n\nLi Qiang discovered that QEMU incorrectly handled the e1000e device. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9310)\n\nLi Qiang discovered that QEMU incorrectly handled USB OHCI emulation support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9330)\n\nLi Qiang discovered that QEMU incorrectly handled IDE AHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9373)\n\nLi Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9374)\n\nLi Qiang discovered that QEMU incorrectly handled USB xHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-9375)\n\nZhangyanyu discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9503)\n\nIt was discovered that the QEMU qemu-nbd server incorrectly handled initialization. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-9524)\n\nIt was discovered that the QEMU qemu-nbd server incorrectly handled signals. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. 
(CVE-2017-10664)\n\nLi Qiang discovered that the QEMU USB redirector incorrectly handled logging debug messages. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-10806)\n\nAnthony Perard discovered that QEMU incorrectly handled Xen block-interface responses. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. (CVE-2017-10911)\n\nReno Robert discovered that QEMU incorrectly handled certain DHCP options strings. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-11434)\n\nRyan Salsamendi discovered that QEMU incorrectly handled empty CDROM device drives. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-12809)", "published": "2017-09-20T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/3414-2/", "cvelist": ["CVE-2017-9503", "CVE-2017-9375", "CVE-2017-8112", "CVE-2017-7493", "CVE-2017-9374", "CVE-2017-9330", "CVE-2017-8380", "CVE-2017-12809", "CVE-2017-10911", "CVE-2017-10664", "CVE-2017-9060", "CVE-2017-10806", "CVE-2017-11434", "CVE-2017-9373", "CVE-2017-9524", "CVE-2017-9310"], "lastseen": "2018-03-29T18:20:27"}, {"id": "USN-3414-1", "type": "ubuntu", "title": "QEMU vulnerabilities", "description": "Leo Gaspard discovered that QEMU incorrectly handled VirtFS access control. A guest attacker could use this issue to elevate privileges inside the guest. (CVE-2017-7493)\n\nLi Qiang discovered that QEMU incorrectly handled VMWare PVSCSI emulation. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources or crash, resulting in a denial of service. 
(CVE-2017-8112)\n\nIt was discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service, or possibly to obtain sensitive host memory. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. (CVE-2017-8380)\n\nLi Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9060)\n\nLi Qiang discovered that QEMU incorrectly handled the e1000e device. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. This issue only affected Ubuntu 17.04. (CVE-2017-9310)\n\nLi Qiang discovered that QEMU incorrectly handled USB OHCI emulation support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-9330)\n\nLi Qiang discovered that QEMU incorrectly handled IDE AHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9373)\n\nLi Qiang discovered that QEMU incorrectly handled USB EHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to consume resources and crash, resulting in a denial of service. (CVE-2017-9374)\n\nLi Qiang discovered that QEMU incorrectly handled USB xHCI emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to hang, resulting in a denial of service. (CVE-2017-9375)\n\nZhangyanyu discovered that QEMU incorrectly handled MegaRAID SAS 8708EM2 Host Bus Adapter emulation support. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. 
(CVE-2017-9503)\n\nIt was discovered that the QEMU qemu-nbd server incorrectly handled initialization. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-9524)\n\nIt was discovered that the QEMU qemu-nbd server incorrectly handled signals. A remote attacker could use this issue to cause the server to crash, resulting in a denial of service. (CVE-2017-10664)\n\nLi Qiang discovered that the QEMU USB redirector incorrectly handled logging debug messages. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-10806)\n\nAnthony Perard discovered that QEMU incorrectly handled Xen block-interface responses. An attacker inside the guest could use this issue to cause QEMU to leak contents of host memory. (CVE-2017-10911)\n\nReno Robert discovered that QEMU incorrectly handled certain DHCP options strings. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. (CVE-2017-11434)\n\nRyan Salsamendi discovered that QEMU incorrectly handled empty CDROM device drives. A privileged attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.04. 
(CVE-2017-12809)", "published": "2017-09-13T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/3414-1/", "cvelist": ["CVE-2017-9503", "CVE-2017-9375", "CVE-2017-8112", "CVE-2017-7493", "CVE-2017-9374", "CVE-2017-9330", "CVE-2017-8380", "CVE-2017-12809", "CVE-2017-10911", "CVE-2017-10664", "CVE-2017-9060", "CVE-2017-10806", "CVE-2017-11434", "CVE-2017-9373", "CVE-2017-9524", "CVE-2017-9310"], "lastseen": "2018-03-29T18:20:47"}], "cloudfoundry": [{"id": "CFOUNDRY:14981E32944F89BB69AF2D0158A379F0", "type": "cloudfoundry", "title": "USN-3469-2: Linux kernel (Xenial HWE) vulnerabilities - Cloud Foundry", "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nUSN-3469-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.\n\nAnthony Perard discovered that the Xen virtual block driver did not properly initialize some data structures before passing them to user space. A local attacker in a guest VM could use this to expose sensitive information from the host OS or other guest VMs. ([CVE-2017-10911](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-10911>))\n\nBo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. A local attacker with the CAP_NET_ADMIN could use this to cause a denial of service (system crash). ([CVE-2017-12153](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12153>))\n\nIt was discovered that the nested KVM implementation in the Linux kernel in some situations did not properly prevent second level guests from reading and writing the hardware CR8 register. 
A local attacker in a guest could use this to cause a denial of service (system crash). ([CVE-2017-12154](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12154>))\n\nIt was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. A local attacker could use this to cause a denial of service (system crash). ([CVE-2017-12192](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12192>))\n\nIt was discovered that an integer overflow existed in the sysfs interface for the QLogic 24xx+ series SCSI driver in the Linux kernel. A local privileged attacker could use this to cause a denial of service (system crash). ([CVE-2017-14051](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14051>))\n\nIt was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. A local attacker could use this to expose sensitive information (kernel memory). ([CVE-2017-14156](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14156>))\n\nDave Chinner discovered that the XFS filesystem did not enforce that the realtime inode flag was settable only on filesystems on a realtime device. A local attacker could use this to cause a denial of service (system crash). ([CVE-2017-14340](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14340>))\n\nChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. A local attacker could use this to cause a denial of service (system crash). ([CVE-2017-14489](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14489>))\n\nIt was discovered that the generic SCSI driver in the Linux kernel did not properly initialize data returned to user space in some situations. A local attacker could use this to expose sensitive information (kernel memory). 
([CVE-2017-14991](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14991>))\n\nDmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in the Linux kernel did not properly handle attempts to set reserved bits in a task\u2019s extended state (xstate) area. A local attacker could use this to cause a denial of service (system crash). ([CVE-2017-15537](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-15537>))\n\nPengfei Wang discovered that the Turtle Beach MultiSound audio device driver in the Linux kernel contained race conditions when fetching from the ring-buffer. A local attacker could use this to cause a denial of service (infinite loop). ([CVE-2017-9984](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9984>), [CVE-2017-9985](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9985>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3421.x versions prior to 3421.32\n * 3445.x versions prior to 3445.17\n * 3468.x versions prior to 3468.11\n * All other stemcells not listed.\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3421.x versions prior to 3421.32\n * Upgrade 3445.x versions prior to 3445.17\n * Upgrade 3468.x versions prior to 3468.11\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n\n# References\n\n * [USN-3469-2](<http://www.ubuntu.com/usn/usn-3469-2/>)\n * [CVE-2017-10911](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-10911>)\n * [CVE-2017-12153](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12153>)\n * [CVE-2017-12192](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12192>)\n * [CVE-2017-14051](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14051>)\n * 
[CVE-2017-14156](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14156>)\n * [CVE-2017-14340](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14340>)\n * [CVE-2017-14489](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14489>)\n * [CVE-2017-14991](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-14991>)\n * [CVE-2017-15537](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-15537>)\n * [CVE-2017-9984](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9984>)\n * [CVE-2017-9985](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-9985>)\n * [CVE-2017-12154](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-12154>)\n", "published": "2017-11-27T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.cloudfoundry.org/blog/usn-3469-2/", "cvelist": ["CVE-2017-14051", "CVE-2017-14489", "CVE-2017-14991", "CVE-2017-9984", "CVE-2017-15537", "CVE-2017-12192", "CVE-2017-9985", "CVE-2017-10911", "CVE-2017-14156", "CVE-2017-14340", "CVE-2017-12153", "CVE-2017-12154"], "lastseen": "2018-01-12T14:53:05"}]}}