{"id": "RHSA-2015:2694", "hash": "07be08bfff454616423483b00ce04253", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2015:2694) Important: qemu-kvm security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC-Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside\na guest could use this flaw to crash the host QEMU process (resulting in\ndenial of service) or, potentially, execute arbitrary code with privileges\nof the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation\nvalidated certain received packets from a remote host in non-loopback mode.\nA remote, unprivileged attacker could potentially use this flaw to execute\narbitrary code on the host with the privileges of the QEMU process.\nNote that to exploit this flaw, the guest network interface must have a\nlarge MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and Ling\nLiu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and Ling Liu\nof Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The CVE-2015-7512\nissue was independently discovered by Jason Wang of Red Hat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, shut down all running virtual machines. Once all virtual machines\nhave shut down, start them again for this update to take effect.\n", "published": "2015-12-22T05:00:00", "modified": "2018-06-06T20:24:29", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2015:2694", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2015-7504", "CVE-2015-7512"], "lastseen": "2018-12-11T19:41:52", "history": [{"bulletin": {"id": "RHSA-2015:2694", "hash": "", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2015:2694) Important: qemu-kvm security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC-Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside\na guest could use this flaw to crash the host QEMU process (resulting in\ndenial of service) or, potentially, execute arbitrary code with privileges\nof the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation\nvalidated certain received packets from a remote host in non-loopback mode.\nA remote, unprivileged attacker could potentially use this flaw to execute\narbitrary code on the host with the privileges of the QEMU process.\nNote that to exploit this flaw, the guest network interface must have a\nlarge MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and Ling\nLiu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and Ling Liu\nof Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The CVE-2015-7512\nissue was independently discovered by Jason Wang of Red Hat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, shut down all running virtual machines. Once all virtual machines\nhave shut down, start them again for this update to take effect.\n", "published": "2015-12-22T05:00:00", "modified": "2017-03-03T17:40:54", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2015:2694", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2015-7504", "CVE-2015-7512"], "lastseen": "2017-03-07T03:19:18", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "affectedPackage": [{"arch": "x86_64", "packageFilename": "qemu-kvm-debuginfo-0.12.1.2-2.479.el6_7.3.x86_64.rpm", "OSVersion": "6", "packageName": "qemu-kvm-debuginfo", "OS": "RedHat", "packageVersion": "0.12.1.2-2.479.el6_7.3", "operator": "lt"}, {"arch": "i686", "packageFilename": "qemu-kvm-debuginfo-0.12.1.2-2.479.el6_7.3.i686.rpm", "OSVersion": "6", "packageName": "qemu-kvm-debuginfo", "OS": "RedHat", "packageVersion": "0.12.1.2-2.479.el6_7.3", "operator": "lt"}, {"arch": "i686", "packageFilename": "qemu-guest-agent-0.12.1.2-2.479.el6_7.3.i686.rpm", "OSVersion": "6", "packageName": "qemu-guest-agent", "OS": "RedHat", "packageVersion": "0.12.1.2-2.479.el6_7.3", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "qemu-kvm-0.12.1.2-2.479.el6_7.3.x86_64.rpm", "OSVersion": "6", "packageName": "qemu-kvm", "OS": "RedHat", "packageVersion": "0.12.1.2-2.479.el6_7.3", "operator": "lt"}, {"arch": "src", "packageFilename": "qemu-kvm-0.12.1.2-2.479.el6_7.3.src.rpm", "OSVersion": "6", "packageName": "qemu-kvm", "OS": "RedHat", "packageVersion": "0.12.1.2-2.479.el6_7.3", "operator": "lt"}, {"arch": "ppc64", "packageFilename": "qemu-guest-agent-0.12.1.2-2.479.el6_7.3.ppc64.rpm", "OSVersion": "6", "packageName": "qemu-guest-agent", "OS": "RedHat", "packageVersion": "0.12.1.2-2.479.el6_7.3", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "qemu-img-0.12.1.2-2.479.el6_7.3.x86_64.rpm", "OSVersion": "6", "packageName": "qemu-img", "OS": "RedHat", "packageVersion": "0.12.1.2-2.479.el6_7.3", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "qemu-kvm-tools-0.12.1.2-2.479.el6_7.3.x86_64.rpm", "OSVersion": "6", "packageName": "qemu-kvm-tools", "OS": "RedHat", "packageVersion": "0.12.1.2-2.479.el6_7.3", "operator": "lt"}, {"arch": "x86_64", "packageFilename": "qemu-guest-agent-0.12.1.2-2.479.el6_7.3.x86_64.rpm", "OSVersion": "6", "packageName": "qemu-guest-agent", "OS": "RedHat", "packageVersion": "0.12.1.2-2.479.el6_7.3", "operator": "lt"}, {"arch": "ppc64", "packageFilename": "qemu-kvm-debuginfo-0.12.1.2-2.479.el6_7.3.ppc64.rpm", "OSVersion": "6", "packageName": "qemu-kvm-debuginfo", "OS": "RedHat", "packageVersion": "0.12.1.2-2.479.el6_7.3", "operator": "lt"}]}, "lastseen": "2017-03-07T03:19:18", "differentElements": ["modified"], "edition": 1}, {"bulletin": {"id": "RHSA-2015:2694", "hash": "070ff33aa2bcd42742981ec0075885cd", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2015:2694) Important: qemu-kvm security update", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC-Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside\na guest could use this flaw to crash the host QEMU process (resulting in\ndenial of service) or, potentially, execute arbitrary code with privileges\nof the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation\nvalidated certain received packets from a remote host in non-loopback mode.\nA remote, unprivileged attacker could potentially use this flaw to execute\narbitrary code on the host with the privileges of the QEMU process.\nNote that to exploit this flaw, the guest network interface must have a\nlarge MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and Ling\nLiu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and Ling Liu\nof Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The CVE-2015-7512\nissue was independently discovered by Jason Wang of Red Hat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, shut down all running virtual machines. Once all virtual machines\nhave shut down, start them again for this update to take effect.\n", "published": "2015-12-22T05:00:00", "modified": "2018-06-06T20:24:29", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2015:2694", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2015-7504", "CVE-2015-7512"], "lastseen": "2018-06-06T18:04:51", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "arch": "i686", "packageName": "qemu-kvm-debuginfo", "packageVersion": "0.12.1.2-2.479.el6_7.3", "packageFilename": "qemu-kvm-debuginfo-0.12.1.2-2.479.el6_7.3.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "src", "packageName": "qemu-kvm", "packageVersion": "0.12.1.2-2.479.el6_7.3", "packageFilename": "qemu-kvm-0.12.1.2-2.479.el6_7.3.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "qemu-kvm-debuginfo", "packageVersion": "0.12.1.2-2.479.el6_7.3", "packageFilename": "qemu-kvm-debuginfo-0.12.1.2-2.479.el6_7.3.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "i686", "packageName": "qemu-guest-agent", "packageVersion": "0.12.1.2-2.479.el6_7.3", "packageFilename": "qemu-guest-agent-0.12.1.2-2.479.el6_7.3.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "qemu-kvm-tools", "packageVersion": "0.12.1.2-2.479.el6_7.3", "packageFilename": "qemu-kvm-tools-0.12.1.2-2.479.el6_7.3.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "qemu-img", "packageVersion": "0.12.1.2-2.479.el6_7.3", "packageFilename": "qemu-img-0.12.1.2-2.479.el6_7.3.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "qemu-guest-agent", "packageVersion": "0.12.1.2-2.479.el6_7.3", "packageFilename": "qemu-guest-agent-0.12.1.2-2.479.el6_7.3.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "x86_64", "packageName": "qemu-kvm", "packageVersion": "0.12.1.2-2.479.el6_7.3", "packageFilename": "qemu-kvm-0.12.1.2-2.479.el6_7.3.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "ppc64", "packageName": "qemu-kvm-debuginfo", "packageVersion": "0.12.1.2-2.479.el6_7.3", "packageFilename": "qemu-kvm-debuginfo-0.12.1.2-2.479.el6_7.3.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "ppc64", "packageName": "qemu-guest-agent", "packageVersion": "0.12.1.2-2.479.el6_7.3", "packageFilename": "qemu-guest-agent-0.12.1.2-2.479.el6_7.3.ppc64.rpm", "operator": "lt"}]}, "lastseen": "2018-06-06T18:04:51", "differentElements": ["affectedPackage"], "edition": 2}], "viewCount": 0, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-7504", "CVE-2015-7512"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2015-2696.NASL", "REDHAT-RHSA-2015-2694.NASL", "CENTOS_RHSA-2015-2694.NASL", "ORACLELINUX_ELSA-2015-2694.NASL", "FREEBSD_PKG_405446F4B1B311E59728002590263BF5.NASL", "SL_20151222_QEMU_KVM_ON_SL6_X.NASL", "FEDORA_2015-2773B85B49.NASL", "UBUNTU_USN-2828-1.NASL", "SUSE_SU-2016-0020-1.NASL", "F5_BIGIP_SOL63519101.NASL"]}, {"type": "redhat", "idList": ["RHSA-2015:2696", "RHSA-2015:2695"]}, {"type": "seebug", "idList": ["SSV:90067"]}, {"type": "centos", "idList": ["CESA-2015:2694"]}, {"type": "oraclelinux", "idList": ["ELSA-2015-2694", "ELSA-2016-0997"]}, {"type": "freebsd", "idList": ["405446F4-B1B3-11E5-9728-002590263BF5"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310122811", "OPENVAS:1361412562310871530", "OPENVAS:1361412562310842547", "OPENVAS:1361412562310806909", "OPENVAS:1361412562310851213", "OPENVAS:703469", "OPENVAS:1361412562310703470", "OPENVAS:703470", "OPENVAS:1361412562310703469", "OPENVAS:703471"]}, {"type": "ubuntu", "idList": ["USN-2828-1"]}, {"type": "xen", "idList": ["XSA-162"]}, {"type": "myhack58", "idList": ["MYHACK58:62201788615"]}, {"type": "f5", "idList": ["F5:K63519101", "SOL63519101"]}, {"type": "suse", "idList": ["SUSE-SU-2016:0459-1", "OPENSUSE-SU-2016:0536-1", "SUSE-SU-2016:0020-1", "SUSE-SU-2016:0010-1", "SUSE-SU-2016:0658-1", "OPENSUSE-SU-2016:0123-1", "OPENSUSE-SU-2016:0124-1", "OPENSUSE-SU-2016:0126-1", "OPENSUSE-SU-2016:0914-1", "SUSE-SU-2016:1154-1"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3470-1:E622E", "DEBIAN:DSA-3469-1:9C2F1", "DEBIAN:DSA-3471-1:91F2D"]}, {"type": "gentoo", "idList": ["GLSA-201602-01", "GLSA-201604-03"]}], "modified": "2018-12-11T19:41:52"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "arch": "i686", "packageName": "qemu-kvm-debuginfo", "packageVersion": "0.12.1.2-2.479.el6_7.3", "packageFilename": "qemu-kvm-debuginfo-0.12.1.2-2.479.el6_7.3.i686.rpm", "operator": "lt"}], "_object_type": "robots.models.redhat.RedHatBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"]}

{"cve": [{"lastseen": "2018-01-05T11:51:51", "bulletinFamily": "NVD", "description": "Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.", "modified": "2018-01-04T21:30:16", "published": "2017-10-16T16:29:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7504", "id": "CVE-2015-7504", "type": "cve", "title": "CVE-2015-7504", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-05T11:51:51", "bulletinFamily": "NVD", "description": "Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.", "modified": "2018-01-04T21:30:16", "published": "2016-01-08T16:59:02", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7512", "id": "CVE-2015-7512", "title": "CVE-2015-7512", "type": "cve", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:25:45", "bulletinFamily": "scanner", "description": "Updated qemu-kvm-rhev packages that fix two security issues are now available for Red Hat Enterprise Virtualization.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the user-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD PC-Net II Ethernet Controller emulation received certain packets in loopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside a guest could use this flaw to crash the host QEMU process (resulting in denial of service) or, potentially, execute arbitrary code with privileges of the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation validated certain received packets from a remote host in non-loopback mode. A remote, unprivileged attacker could potentially use this flaw to execute arbitrary code on the host with the privileges of the QEMU process. Note that to exploit this flaw, the guest network interface must have a large MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and Ling Liu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and Ling Liu of Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The CVE-2015-7512 issue was independently discovered by Jason Wang of Red Hat.\n\nAll qemu-kvm-rhev users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.\nAfter installing this update, shut down all running virtual machines.\nOnce all virtual machines have shut down, start them again for this update to take effect.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2015-2696.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87664", "published": "2015-12-30T00:00:00", "title": "RHEL 6 : qemu-kvm-rhev (RHSA-2015:2696)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:2696. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87664);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2018/11/10 11:49:55\");\n\n script_cve_id(\"CVE-2015-7504\", \"CVE-2015-7512\");\n script_xref(name:\"RHSA\", value:\"2015:2696\");\n\n script_name(english:\"RHEL 6 : qemu-kvm-rhev (RHSA-2015:2696)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated qemu-kvm-rhev packages that fix two security issues are now\navailable for Red Hat Enterprise Virtualization.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution\nfor Linux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package\nprovides the user-space component for running virtual machines using\nKVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC-Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability)\ninside a guest could use this flaw to crash the host QEMU process\n(resulting in denial of service) or, potentially, execute arbitrary\ncode with privileges of the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II\nemulation validated certain received packets from a remote host in\nnon-loopback mode. A remote, unprivileged attacker could potentially\nuse this flaw to execute arbitrary code on the host with the\nprivileges of the QEMU process. Note that to exploit this flaw, the\nguest network interface must have a large MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and\nLing Liu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and\nLing Liu of Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The\nCVE-2015-7512 issue was independently discovered by Jason Wang of Red\nHat.\n\nAll qemu-kvm-rhev users are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues.\nAfter installing this update, shut down all running virtual machines.\nOnce all virtual machines have shut down, start them again for this\nupdate to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:2696\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7512\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7504\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-img-rhev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-rhev\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-rhev-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-rhev-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:2696\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qemu-img-rhev-0.12.1.2-2.479.el6_7.3\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qemu-kvm-rhev-0.12.1.2-2.479.el6_7.3\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qemu-kvm-rhev-debuginfo-0.12.1.2-2.479.el6_7.3\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qemu-kvm-rhev-tools-0.12.1.2-2.479.el6_7.3\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-img-rhev / qemu-kvm-rhev / qemu-kvm-rhev-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:25:44", "bulletinFamily": "scanner", "description": "Updated qemu-kvm packages that fix two security issues are now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD PC-Net II Ethernet Controller emulation received certain packets in loopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside a guest could use this flaw to crash the host QEMU process (resulting in denial of service) or, potentially, execute arbitrary code with privileges of the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation validated certain received packets from a remote host in non-loopback mode. A remote, unprivileged attacker could potentially use this flaw to execute arbitrary code on the host with the privileges of the QEMU process. Note that to exploit this flaw, the guest network interface must have a large MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and Ling Liu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and Ling Liu of Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The CVE-2015-7512 issue was independently discovered by Jason Wang of Red Hat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.", "modified": "2018-11-10T00:00:00", "id": "CENTOS_RHSA-2015-2694.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87604", "published": "2015-12-29T00:00:00", "title": "CentOS 6 : qemu-kvm (CESA-2015:2694)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:2694 and \n# CentOS Errata and Security Advisory 2015:2694 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87604);\n script_version(\"2.10\");\n script_cvs_date(\"Date: 2018/11/10 11:49:31\");\n\n script_cve_id(\"CVE-2015-7504\", \"CVE-2015-7512\");\n script_xref(name:\"RHSA\", value:\"2015:2694\");\n\n script_name(english:\"CentOS 6 : qemu-kvm (CESA-2015:2694)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated qemu-kvm packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution\nfor Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides\nthe user-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC-Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability)\ninside a guest could use this flaw to crash the host QEMU process\n(resulting in denial of service) or, potentially, execute arbitrary\ncode with privileges of the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II\nemulation validated certain received packets from a remote host in\nnon-loopback mode. A remote, unprivileged attacker could potentially\nuse this flaw to execute arbitrary code on the host with the\nprivileges of the QEMU process. Note that to exploit this flaw, the\nguest network interface must have a large MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and\nLing Liu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and\nLing Liu of Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The\nCVE-2015-7512 issue was independently discovered by Jason Wang of Red\nHat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After\ninstalling this update, shut down all running virtual machines. Once\nall virtual machines have shut down, start them again for this update\nto take effect.\"\n );\n # https://lists.centos.org/pipermail/centos-announce/2015-December/021581.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ee147ed7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected qemu-kvm packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"qemu-guest-agent-0.12.1.2-2.479.el6_7.3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", cpu:\"x86_64\", reference:\"qemu-img-0.12.1.2-2.479.el6_7.3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", cpu:\"x86_64\", reference:\"qemu-kvm-0.12.1.2-2.479.el6_7.3\")) flag++;\nif (rpm_check(release:\"CentOS-6\", cpu:\"x86_64\", reference:\"qemu-kvm-tools-0.12.1.2-2.479.el6_7.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:25:45", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2015:2694 :\n\nUpdated qemu-kvm packages that fix two security issues are now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD PC-Net II Ethernet Controller emulation received certain packets in loopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside a guest could use this flaw to crash the host QEMU process (resulting in denial of service) or, potentially, execute arbitrary code with privileges of the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation validated certain received packets from a remote host in non-loopback mode. A remote, unprivileged attacker could potentially use this flaw to execute arbitrary code on the host with the privileges of the QEMU process. Note that to exploit this flaw, the guest network interface must have a large MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and Ling Liu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and Ling Liu of Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The CVE-2015-7512 issue was independently discovered by Jason Wang of Red Hat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.", "modified": "2018-07-25T00:00:00", "id": "ORACLELINUX_ELSA-2015-2694.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87636", "published": "2015-12-29T00:00:00", "title": "Oracle Linux 6 : qemu-kvm (ELSA-2015-2694)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2015:2694 and \n# Oracle Linux Security Advisory ELSA-2015-2694 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87636);\n script_version(\"2.7\");\n script_cvs_date(\"Date: 2018/07/25 14:27:30\");\n\n script_cve_id(\"CVE-2015-7504\", \"CVE-2015-7512\");\n script_xref(name:\"RHSA\", value:\"2015:2694\");\n\n script_name(english:\"Oracle Linux 6 : qemu-kvm (ELSA-2015-2694)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2015:2694 :\n\nUpdated qemu-kvm packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution\nfor Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides\nthe user-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC-Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability)\ninside a guest could use this flaw to crash the host QEMU process\n(resulting in denial of service) or, potentially, execute arbitrary\ncode with privileges of the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II\nemulation validated certain received packets from a remote host in\nnon-loopback mode. A remote, unprivileged attacker could potentially\nuse this flaw to execute arbitrary code on the host with the\nprivileges of the QEMU process. Note that to exploit this flaw, the\nguest network interface must have a large MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and\nLing Liu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and\nLing Liu of Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The\nCVE-2015-7512 issue was independently discovered by Jason Wang of Red\nHat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After\ninstalling this update, shut down all running virtual machines. Once\nall virtual machines have shut down, start them again for this update\nto take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2015-December/005655.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected qemu-kvm packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"qemu-guest-agent-0.12.1.2-2.479.el6_7.3\")) flag++;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"qemu-img-0.12.1.2-2.479.el6_7.3\")) flag++;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"qemu-kvm-0.12.1.2-2.479.el6_7.3\")) flag++;\nif (rpm_check(release:\"EL6\", cpu:\"x86_64\", reference:\"qemu-kvm-tools-0.12.1.2-2.479.el6_7.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-guest-agent / qemu-img / qemu-kvm / qemu-kvm-tools\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:25:45", "bulletinFamily": "scanner", "description": "Updated qemu-kvm packages that fix two security issues are now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD PC-Net II Ethernet Controller emulation received certain packets in loopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside a guest could use this flaw to crash the host QEMU process (resulting in denial of service) or, potentially, execute arbitrary code with privileges of the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation validated certain received packets from a remote host in non-loopback mode. A remote, unprivileged attacker could potentially use this flaw to execute arbitrary code on the host with the privileges of the QEMU process. Note that to exploit this flaw, the guest network interface must have a large MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and Ling Liu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and Ling Liu of Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The CVE-2015-7512 issue was independently discovered by Jason Wang of Red Hat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2015-2694.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87637", "published": "2015-12-29T00:00:00", "title": "RHEL 6 : qemu-kvm (RHSA-2015:2694)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2015:2694. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87637);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2018/11/10 11:49:55\");\n\n script_cve_id(\"CVE-2015-7504\", \"CVE-2015-7512\");\n script_xref(name:\"RHSA\", value:\"2015:2694\");\n\n script_name(english:\"RHEL 6 : qemu-kvm (RHSA-2015:2694)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated qemu-kvm packages that fix two security issues are now\navailable for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Important\nsecurity impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution\nfor Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides\nthe user-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC-Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability)\ninside a guest could use this flaw to crash the host QEMU process\n(resulting in denial of service) or, potentially, execute arbitrary\ncode with privileges of the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II\nemulation validated certain received packets from a remote host in\nnon-loopback mode. A remote, unprivileged attacker could potentially\nuse this flaw to execute arbitrary code on the host with the\nprivileges of the QEMU process. Note that to exploit this flaw, the\nguest network interface must have a large MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and\nLing Liu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and\nLing Liu of Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The\nCVE-2015-7512 issue was independently discovered by Jason Wang of Red\nHat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After\ninstalling this update, shut down all running virtual machines. Once\nall virtual machines have shut down, start them again for this update\nto take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2015:2694\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7512\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7504\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-guest-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-img\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qemu-kvm-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.7\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2015:2694\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qemu-guest-agent-0.12.1.2-2.479.el6_7.3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qemu-guest-agent-0.12.1.2-2.479.el6_7.3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qemu-img-0.12.1.2-2.479.el6_7.3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qemu-kvm-0.12.1.2-2.479.el6_7.3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"qemu-kvm-debuginfo-0.12.1.2-2.479.el6_7.3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qemu-kvm-debuginfo-0.12.1.2-2.479.el6_7.3\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"qemu-kvm-tools-0.12.1.2-2.479.el6_7.3\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-guest-agent / qemu-img / qemu-kvm / qemu-kvm-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:25:46", "bulletinFamily": "scanner", "description": "Prasad J Pandit, Red Hat Product Security Team, reports :\n\nQemu emulator built with the AMD PC-Net II Ethernet Controller support is vulnerable to a heap buffer overflow flaw. While receiving packets in the loopback mode, it appends CRC code to the receive buffer. If the data size given is same as the receive buffer size, the appended CRC code overwrites 4 bytes beyond this 's->buffer' array.\n\nA privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS or potentially execute arbitrary code with privileges of the Qemu process on the host.\n\nThe AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets from a remote host(non-loopback mode), fails to validate the received data size, thus resulting in a buffer overflow issue. It could potentially lead to arbitrary code execution on the host, with privileges of the Qemu process. It requires the guest NIC to have larger MTU limit.\n\nA remote user could use this flaw to crash the guest instance resulting in DoS or potentially execute arbitrary code on a remote host with privileges of the Qemu process.", "modified": "2018-11-21T00:00:00", "id": "FREEBSD_PKG_405446F4B1B311E59728002590263BF5.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87691", "published": "2016-01-04T00:00:00", "title": "FreeBSD : qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support (405446f4-b1b3-11e5-9728-002590263bf5)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87691);\n script_version(\"2.8\");\n script_cvs_date(\"Date: 2018/11/21 10:46:31\");\n\n script_cve_id(\"CVE-2015-7504\", \"CVE-2015-7512\");\n\n script_name(english:\"FreeBSD : qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support (405446f4-b1b3-11e5-9728-002590263bf5)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Prasad J Pandit, Red Hat Product Security Team, reports :\n\nQemu emulator built with the AMD PC-Net II Ethernet Controller support\nis vulnerable to a heap buffer overflow flaw. While receiving packets\nin the loopback mode, it appends CRC code to the receive buffer. If\nthe data size given is same as the receive buffer size, the appended\nCRC code overwrites 4 bytes beyond this 's->buffer' array.\n\nA privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to\ncrash the Qemu instance resulting in DoS or potentially execute\narbitrary code with privileges of the Qemu process on the host.\n\nThe AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets\nfrom a remote host(non-loopback mode), fails to validate the received\ndata size, thus resulting in a buffer overflow issue. It could\npotentially lead to arbitrary code execution on the host, with\nprivileges of the Qemu process. It requires the guest NIC to have\nlarger MTU limit.\n\nA remote user could use this flaw to crash the guest instance\nresulting in DoS or potentially execute arbitrary code on a remote\nhost with privileges of the Qemu process.\"\n );\n # http://www.openwall.com/lists/oss-security/2015/11/30/2\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2015/11/30/2\"\n );\n # http://www.openwall.com/lists/oss-security/2015/11/30/3\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.openwall.com/lists/oss-security/2015/11/30/3\"\n );\n # http://git.qemu.org/?p=qemu.git;a=commit;h=837f21aacf5a714c23ddaadbbc5212f9b661e3f7\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?816ec3d4\"\n );\n # http://git.qemu.org/?p=qemu.git;a=commit;h=8b98a2f07175d46c3f7217639bd5e03f2ec56343\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a347bda6\"\n );\n # https://github.com/seanbruno/qemu-bsd-user/commit/837f21aacf5a714c23ddaadbbc5212f9b661e3f7\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?81b29577\"\n );\n # https://github.com/seanbruno/qemu-bsd-user/commit/8b98a2f07175d46c3f7217639bd5e03f2ec56343\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?98c7fdb7\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://xenbits.xen.org/xsa/advisory-162.html\"\n );\n # https://vuxml.freebsd.org/freebsd/405446f4-b1b3-11e5-9728-002590263bf5.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c52ec24c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:qemu-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:qemu-sbruno\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:qemu-user-static\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:xen-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/11/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"qemu<2.5.0\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"qemu-devel<2.5.0\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"qemu-sbruno<2.5.50.g20151224\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"qemu-user-static<2.5.50.g20151224\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"xen-tools<4.5.2_1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:25:45", "bulletinFamily": "scanner", "description": "A heap-based buffer overflow flaw was discovered in the way QEMU's AMD PC- Net II Ethernet Controller emulation received certain packets in loopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside a guest could use this flaw to crash the host QEMU process (resulting in denial of service) or, potentially, execute arbitrary code with privileges of the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation validated certain received packets from a remote host in non-loopback mode. A remote, unprivileged attacker could potentially use this flaw to execute arbitrary code on the host with the privileges of the QEMU process. Note that to exploit this flaw, the guest network interface must have a large MTU limit. (CVE-2015-7512)\n\nAfter installing this update, shut down all running virtual machines.\nOnce all virtual machines have shut down, start them again for this update to take effect.", "modified": "2018-12-28T00:00:00", "id": "SL_20151222_QEMU_KVM_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87639", "published": "2015-12-29T00:00:00", "title": "Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87639);\n script_version(\"2.4\");\n script_cvs_date(\"Date: 2018/12/28 10:10:36\");\n\n script_cve_id(\"CVE-2015-7504\", \"CVE-2015-7512\");\n\n script_name(english:\"Scientific Linux Security Update : qemu-kvm on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC- Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability)\ninside a guest could use this flaw to crash the host QEMU process\n(resulting in denial of service) or, potentially, execute arbitrary\ncode with privileges of the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II\nemulation validated certain received packets from a remote host in\nnon-loopback mode. A remote, unprivileged attacker could potentially\nuse this flaw to execute arbitrary code on the host with the\nprivileges of the QEMU process. Note that to exploit this flaw, the\nguest network interface must have a large MTU limit. (CVE-2015-7512)\n\nAfter installing this update, shut down all running virtual machines.\nOnce all virtual machines have shut down, start them again for this\nupdate to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1512&L=scientific-linux-errata&F=&S=&P=19489\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?348df215\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"qemu-guest-agent-0.12.1.2-2.479.el6_7.3\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"qemu-img-0.12.1.2-2.479.el6_7.3\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"qemu-kvm-0.12.1.2-2.479.el6_7.3\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"qemu-kvm-debuginfo-0.12.1.2-2.479.el6_7.3\")) flag++;\nif (rpm_check(release:\"SL6\", cpu:\"x86_64\", reference:\"qemu-kvm-tools-0.12.1.2-2.479.el6_7.3\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:26:13", "bulletinFamily": "scanner", "description": "- Fix SSE4 emulation with accel=tcg (bz #1270703) * CVE-2015-8345: Fix infinite loop in eepro100 (bz #1285214) * CVE-2015-7504: Fix heap overflow in pcnet (bz #1286543) * CVE-2015-7512: Fix buffer overflow in pcnet (bz #1286549)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2016-10-18T00:00:00", "id": "FEDORA_2015-2773B85B49.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=89181", "published": "2016-03-04T00:00:00", "title": "Fedora 23 : qemu-2.4.1-2.fc23 (2015-2773b85b49)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-2773b85b49.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89181);\n script_version(\"$Revision: 2.2 $\");\n script_cvs_date(\"$Date: 2016/10/18 16:42:52 $\");\n\n script_cve_id(\"CVE-2015-7504\", \"CVE-2015-7512\", \"CVE-2015-8345\");\n script_xref(name:\"FEDORA\", value:\"2015-2773b85b49\");\n\n script_name(english:\"Fedora 23 : qemu-2.4.1-2.fc23 (2015-2773b85b49)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Fix SSE4 emulation with accel=tcg (bz #1270703) *\n CVE-2015-8345: Fix infinite loop in eepro100 (bz\n #1285214) * CVE-2015-7504: Fix heap overflow in pcnet\n (bz #1286543) * CVE-2015-7512: Fix buffer overflow in\n pcnet (bz #1286549)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1261461\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1285061\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1285213\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174026.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?73deb2fb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected qemu package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:qemu\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"qemu-2.4.1-2.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:25:32", "bulletinFamily": "scanner", "description": "Jason Wang discovered that QEMU incorrectly handled the virtio-net device. A remote attacker could use this issue to cause guest network consumption, resulting in a denial of service. (CVE-2015-7295)\n\nQinghao Tang and Ling Liu discovered that QEMU incorrectly handled the pcnet driver when used in loopback mode. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-7504)\n\nLing Liu and Jason Wang discovered that QEMU incorrectly handled the pcnet driver. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-7512)\n\nQinghao Tang discovered that QEMU incorrectly handled the eepro100 driver. A malicious guest could use this issue to cause an infinite loop, leading to a denial of service. (CVE-2015-8345).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-12-01T00:00:00", "id": "UBUNTU_USN-2828-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87205", "published": "2015-12-04T00:00:00", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : qemu, qemu-kvm vulnerabilities (USN-2828-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-2828-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87205);\n script_version(\"2.11\");\n script_cvs_date(\"Date: 2018/12/01 15:12:40\");\n\n script_cve_id(\"CVE-2015-7295\", \"CVE-2015-7504\", \"CVE-2015-7512\", \"CVE-2015-8345\");\n script_xref(name:\"USN\", value:\"2828-1\");\n\n script_name(english:\"Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : qemu, qemu-kvm vulnerabilities (USN-2828-1)\");\n script_summary(english:\"Checks dpkg output for updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Ubuntu host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Jason Wang discovered that QEMU incorrectly handled the virtio-net\ndevice. A remote attacker could use this issue to cause guest network\nconsumption, resulting in a denial of service. (CVE-2015-7295)\n\nQinghao Tang and Ling Liu discovered that QEMU incorrectly handled the\npcnet driver when used in loopback mode. A malicious guest could use\nthis issue to cause a denial of service, or possibly execute arbitrary\ncode on the host as the user running the QEMU process. In the default\ninstallation, when QEMU is used with libvirt, attackers would be\nisolated by the libvirt AppArmor profile. (CVE-2015-7504)\n\nLing Liu and Jason Wang discovered that QEMU incorrectly handled the\npcnet driver. A remote attacker could use this issue to cause a denial\nof service, or possibly execute arbitrary code on the host as the user\nrunning the QEMU process. In the default installation, when QEMU is\nused with libvirt, attackers would be isolated by the libvirt AppArmor\nprofile. (CVE-2015-7512)\n\nQinghao Tang discovered that QEMU incorrectly handled the eepro100\ndriver. A malicious guest could use this issue to cause an infinite\nloop, leading to a denial of service. (CVE-2015-8345).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/2828-1/\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:12.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:15.10\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2015-2018 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! ereg(pattern:\"^(12\\.04|14\\.04|15\\.04|15\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 12.04 / 14.04 / 15.04 / 15.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Ubuntu\", cpu);\n\nflag = 0;\n\nif (ubuntu_check(osver:\"12.04\", pkgname:\"qemu-kvm\", pkgver:\"1.0+noroms-0ubuntu14.26\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system\", pkgver:\"2.0.0+dfsg-2ubuntu1.21\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-aarch64\", pkgver:\"2.0.0+dfsg-2ubuntu1.21\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-arm\", pkgver:\"2.0.0+dfsg-2ubuntu1.21\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-mips\", pkgver:\"2.0.0+dfsg-2ubuntu1.21\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-misc\", pkgver:\"2.0.0+dfsg-2ubuntu1.21\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-ppc\", pkgver:\"2.0.0+dfsg-2ubuntu1.21\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-sparc\", pkgver:\"2.0.0+dfsg-2ubuntu1.21\")) flag++;\nif (ubuntu_check(osver:\"14.04\", pkgname:\"qemu-system-x86\", pkgver:\"2.0.0+dfsg-2ubuntu1.21\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"qemu-system\", pkgver:\"1:2.2+dfsg-5expubuntu9.7\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"qemu-system-aarch64\", pkgver:\"1:2.2+dfsg-5expubuntu9.7\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"qemu-system-arm\", pkgver:\"1:2.2+dfsg-5expubuntu9.7\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"qemu-system-mips\", pkgver:\"1:2.2+dfsg-5expubuntu9.7\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"qemu-system-misc\", pkgver:\"1:2.2+dfsg-5expubuntu9.7\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"qemu-system-ppc\", pkgver:\"1:2.2+dfsg-5expubuntu9.7\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"qemu-system-sparc\", pkgver:\"1:2.2+dfsg-5expubuntu9.7\")) flag++;\nif (ubuntu_check(osver:\"15.04\", pkgname:\"qemu-system-x86\", pkgver:\"1:2.2+dfsg-5expubuntu9.7\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"qemu-system\", pkgver:\"1:2.3+dfsg-5ubuntu9.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"qemu-system-aarch64\", pkgver:\"1:2.3+dfsg-5ubuntu9.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"qemu-system-arm\", pkgver:\"1:2.3+dfsg-5ubuntu9.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"qemu-system-mips\", pkgver:\"1:2.3+dfsg-5ubuntu9.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"qemu-system-misc\", pkgver:\"1:2.3+dfsg-5ubuntu9.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"qemu-system-ppc\", pkgver:\"1:2.3+dfsg-5ubuntu9.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"qemu-system-sparc\", pkgver:\"1:2.3+dfsg-5ubuntu9.1\")) flag++;\nif (ubuntu_check(osver:\"15.10\", pkgname:\"qemu-system-x86\", pkgver:\"1:2.3+dfsg-5ubuntu9.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"qemu-kvm / qemu-system / qemu-system-aarch64 / qemu-system-arm / etc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:25:50", "bulletinFamily": "scanner", "description": "This update for kvm fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2015-7512: The receive packet size is now checked in the emulated pcnet driver, eliminating buffer overflow and potential security issue by malicious guest systems.\n (bsc#957162)\n\n - CVE-2015-8345: A infinite loop in processing command block list was fixed that could be exploit by malicious guest systems (bsc#956829).\n\nBugs fixed :\n\n - Fix cases of wrong clock values in kvmclock timekeeping (bsc#947164 and bsc#953187)\n\n - Enforce pxe rom sizes to ensure migration compatibility.\n (bsc#950590)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-29T00:00:00", "id": "SUSE_SU-2016-0020-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87859", "published": "2016-01-12T00:00:00", "title": "SUSE SLED11 / SLES11 Security Update : kvm (SUSE-SU-2016:0020-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:0020-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87859);\n script_version(\"2.9\");\n script_cvs_date(\"Date: 2018/11/29 12:03:38\");\n\n script_cve_id(\"CVE-2015-7512\", \"CVE-2015-8345\");\n\n script_name(english:\"SUSE SLED11 / SLES11 Security Update : kvm (SUSE-SU-2016:0020-1)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for kvm fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2015-7512: The receive packet size is now checked in\n the emulated pcnet driver, eliminating buffer overflow\n and potential security issue by malicious guest systems.\n (bsc#957162)\n\n - CVE-2015-8345: A infinite loop in processing command\n block list was fixed that could be exploit by malicious\n guest systems (bsc#956829).\n\nBugs fixed :\n\n - Fix cases of wrong clock values in kvmclock timekeeping\n (bsc#947164 and bsc#953187)\n\n - Enforce pxe rom sizes to ensure migration compatibility.\n (bsc#950590)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=947164\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=950590\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=953187\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=956829\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=957162\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7512/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8345/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20160020-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?26348bb2\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP3 :\n\nzypper in -t patch slessp3-kvm-12294=1\n\nSUSE Linux Enterprise Desktop 11-SP3 :\n\nzypper in -t patch sledsp3-kvm-12294=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:kvm\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED11|SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED11 / SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! ereg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED11\" && (! ereg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED11 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"3\", reference:\"kvm-1.4.2-37.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"x86_64\", reference:\"kvm-1.4.2-37.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"3\", cpu:\"i586\", reference:\"kvm-1.4.2-37.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kvm\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-02-21T01:26:04", "bulletinFamily": "scanner", "description": "CVE-2014-8106\n\nHeap-based buffer overflow in the Cirrus VGA emulator (hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest users to execute arbitrary code via vectors related to blit regions.\nNOTE: this vulnerability exists because an incomplete fix for CVE-2007-1320.\n\nCVE-2015-3209 Heap-based buffer overflow in the PCNET controller in QEMU allows remote attackers to execute arbitrary code by sending a packet with TXSTATUS_STARTPACKET set and then a crafted packet with TXSTATUS_DEVICEOWNS set.\n\nCVE-2015-5165 The C+ mode offload emulation in the RTL8139 network card device model in QEMU, as used in Xen 4.5.x and earlier, allows remote attackers to read process heap memory via unspecified vectors.\n\nCVE-2015-5279 Heap-based buffer overflow in the ne2000_receive function in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS users to cause a denial of service (instance crash) or possibly execute arbitrary code via vectors related to receiving packets.\n\nCVE-2015-7504 Heap-based buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU allows guest OS administrators to cause a denial of service (instance crash) or possibly execute arbitrary code via a series of packets in loopback mode.\n\nCVE-2015-7512 Buffer overflow in the pcnet_receive function in hw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows remote attackers to cause a denial of service (guest OS crash) or execute arbitrary code via a large packet.\n\nImpact\n\nAn attacker may be able to cause a denial of service (DoS) or execute arbitrary code if using the virtual drivers specified in these CVE descriptions.", "modified": "2019-01-04T00:00:00", "id": "F5_BIGIP_SOL63519101.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=88770", "published": "2016-02-17T00:00:00", "title": "F5 Networks BIG-IP : Multiple QEMU vulnerabilities (K63519101)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K63519101.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88770);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2019/01/04 10:03:40\");\n\n script_cve_id(\"CVE-2007-1320\", \"CVE-2014-8106\", \"CVE-2015-3209\", \"CVE-2015-5165\", \"CVE-2015-5279\", \"CVE-2015-7504\", \"CVE-2015-7512\");\n script_bugtraq_id(23731, 71477, 75123);\n\n script_name(english:\"F5 Networks BIG-IP : Multiple QEMU vulnerabilities (K63519101)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2014-8106\n\nHeap-based buffer overflow in the Cirrus VGA emulator\n(hw/display/cirrus_vga.c) in QEMU before 2.2.0 allows local guest\nusers to execute arbitrary code via vectors related to blit regions.\nNOTE: this vulnerability exists because an incomplete fix for\nCVE-2007-1320.\n\nCVE-2015-3209 Heap-based buffer overflow in the PCNET controller in\nQEMU allows remote attackers to execute arbitrary code by sending a\npacket with TXSTATUS_STARTPACKET set and then a crafted packet with\nTXSTATUS_DEVICEOWNS set.\n\nCVE-2015-5165 The C+ mode offload emulation in the RTL8139 network\ncard device model in QEMU, as used in Xen 4.5.x and earlier, allows\nremote attackers to read process heap memory via unspecified vectors.\n\nCVE-2015-5279 Heap-based buffer overflow in the ne2000_receive\nfunction in hw/net/ne2000.c in QEMU before 2.4.0.1 allows guest OS\nusers to cause a denial of service (instance crash) or possibly\nexecute arbitrary code via vectors related to receiving packets.\n\nCVE-2015-7504 Heap-based buffer overflow in the pcnet_receive function\nin hw/net/pcnet.c in QEMU allows guest OS administrators to cause a\ndenial of service (instance crash) or possibly execute arbitrary code\nvia a series of packets in loopback mode.\n\nCVE-2015-7512 Buffer overflow in the pcnet_receive function in\nhw/net/pcnet.c in QEMU, when a guest NIC has a larger MTU, allows\nremote attackers to cause a denial of service (guest OS crash) or\nexecute arbitrary code via a large packet.\n\nImpact\n\nAn attacker may be able to cause a denial of service (DoS) or execute\narbitrary code if using the virtual drivers specified in these CVE\ndescriptions.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/article/K63519101\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K63519101.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K63519101\";\nvmatrix = make_array();\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.3.0-11.6.1\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.1.0\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.4.0-11.6.1\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.1.0\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.0.0-11.6.1\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.1.0\",\"10.1.0-10.2.4\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.0.0-11.6.1\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.1.0\",\"10.1.0-10.2.4\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"12.0.0\",\"11.0.0-11.6.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.1.0\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.6.1\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"10.1.0-10.2.4\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"12.0.0\",\"11.0.0-11.6.1\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.1.0\",\"10.1.0-10.2.4\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.0.0-11.6.1\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.1.0\",\"10.1.0-10.2.4\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"12.0.0\",\"11.3.0-11.6.1\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.1.0\");\n\n# PSM\nvmatrix[\"PSM\"] = make_array();\nvmatrix[\"PSM\"][\"affected\" ] = make_list(\"11.0.0-11.4.1\");\nvmatrix[\"PSM\"][\"unaffected\"] = make_list(\"10.1.0-10.2.4\");\n\n# WAM\nvmatrix[\"WAM\"] = make_array();\nvmatrix[\"WAM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\");\nvmatrix[\"WAM\"][\"unaffected\"] = make_list(\"10.1.0-10.2.4\");\n\n# WOM\nvmatrix[\"WOM\"] = make_array();\nvmatrix[\"WOM\"][\"affected\" ] = make_list(\"11.0.0-11.3.0\");\nvmatrix[\"WOM\"][\"unaffected\"] = make_list(\"10.1.0-10.2.4\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_hole(port:0, extra:bigip_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2018-12-11T19:42:05", "bulletinFamily": "unix", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the\nuser-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC-Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside\na guest could use this flaw to crash the host QEMU process (resulting in\ndenial of service) or, potentially, execute arbitrary code with privileges\nof the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation\nvalidated certain received packets from a remote host in non-loopback mode.\nA remote, unprivileged attacker could potentially use this flaw to execute\narbitrary code on the host with the privileges of the QEMU process.\nNote that to exploit this flaw, the guest network interface must have a\nlarge MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and Ling\nLiu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and Ling Liu\nof Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The CVE-2015-7512\nissue was independently discovered by Jason Wang of Red Hat.\n\nAll qemu-kvm-rhev users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After installing\nthis update, shut down all running virtual machines. Once all virtual\nmachines have shut down, start them again for this update to take effect.\n", "modified": "2018-06-07T08:59:32", "published": "2015-12-22T05:00:00", "id": "RHSA-2015:2696", "href": "https://access.redhat.com/errata/RHSA-2015:2696", "type": "redhat", "title": "(RHSA-2015:2696) Important: qemu-kvm-rhev security update", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-12-11T19:41:54", "bulletinFamily": "unix", "description": "KVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm-rhev package provides the\nuser-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC-Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside\na guest could use this flaw to crash the host QEMU process (resulting in\ndenial of service) or, potentially, execute arbitrary code with privileges\nof the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation\nvalidated certain received packets from a remote host in non-loopback mode.\nA remote, unprivileged attacker could potentially use this flaw to execute\narbitrary code on the host with the privileges of the QEMU process.\nNote that to exploit this flaw, the guest network interface must have a\nlarge MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and Ling\nLiu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and Ling Liu\nof Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The CVE-2015-7512\nissue was independently discovered by Jason Wang of Red Hat.\n\nAll qemu-kvm-rhev users are advised to upgrade to these updated packages,\nwhich contain backported patches to correct these issues. After installing\nthis update, shut down all running virtual machines. Once all virtual\nmachines have shut down, start them again for this update to take effect.", "modified": "2018-06-07T02:48:04", "published": "2015-12-22T20:16:25", "id": "RHSA-2015:2695", "href": "https://access.redhat.com/errata/RHSA-2015:2695", "type": "redhat", "title": "(RHSA-2015:2695) Important: qemu-kvm-rhev security update", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T13:05:45", "bulletinFamily": "exploit", "description": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttps://lists.gnu.org/archive/html/qemu-devel/2015-11/msg06342.html\r\n\r\npcnet\u662f\u865a\u62df\u5316\u8f6f\u4ef6QEMU\u4e2d\u5b9e\u73b0AMD PCNET\u7f51\u5361\u529f\u80fd\u6a21\u62df\u7684\u7ec4\u4ef6\uff0c\u76f8\u5173\u7684\u4ee3\u7801\u5b9e\u73b0\u4f4d\u4e8e/hw/net/pcnet.c\u4e2d\u3002\r\n\r\n\u5728qemu\u8f6f\u4ef6\u4e2d\u4f7f\u7528pcnet\u7f51\u5361\uff0c\u9700\u8981\u5982\u4e0b\u7684\u547d\u4ee4\u884c\u8fdb\u884c\u914d\u7f6e\uff1a\r\n```\r\nqemu-system-x86_64 centos-6.5-x64.img -m 1024 - net nic,model=pcnet -net user\r\n```\r\n\r\n\u8be5\u6f0f\u6d1e\u53d1\u751f\u5728pcnet\u7f51\u5361\u6a21\u5757\u7684\u63a5\u6536\u6570\u636e\u5305\u7684\u8fc7\u7a0b\u4e2d\uff0c\u76f8\u5173\u51fd\u6570pcnet_receive\u7684\u6267\u884c\u903b\u8f91\uff1a\u9996\u5148\u68c0\u6d4bCSR_DRX(s)\uff0cCSR_STOP(s)\uff0cCSR_SPND(s)\uff0csize\uff0cCSR_LOOP(s)\uff0cs->looptest\u8fd9\u4e9b\u503c\u662f\u5426\u7b26\u5408\u8fb9\u754c\u8981\u6c42\uff0c\u786e\u5b9a\u51fd\u6570\u662f\u5426\u7ee7\u7eed\u5904\u7406\u3002\u5e76\u4e14\u5982\u679cbuf\u592a\u5c0f\uff0c\u5219\u628a\u5b83\u6269\u5145\u5230MIN_BUF_SIZE\uff0c\u4e4b\u540e\u68c0\u6d4b\u662f\u5426\u8981\u63a5\u53d7\u6b64\u5305\u3002\u6700\u7ec8\u628a\u6570\u636e\u62f7\u5230rmd\u4e2d\u7269\u7406\u5730\u5740\u4e2d\u3002\u76f8\u5173\u4ee3\u7801\u622a\u56fe\u5982\u4e0b\uff1a\r\n\r\n\u5728\u4e0a\u8ff0\u4ee3\u7801\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230\uff0c\u5728\u5b9e\u73b0\u6570\u636e\u5305buffer\u64cd\u4f5c\u7684\u903b\u8f91\u65f6\uff0c\u7a0b\u5e8f\u5458\u51fa\u73b0\u4e86\u4e00\u4e2a\u660e\u663e\u7684\u9519\u8bef\uff1a\u672a\u5224\u65ad\u6570\u636e\u5305\u7684\u957f\u5ea6\u662f\u5426\u5df2\u7ecf\u7b49\u4e8ebuffer\u957f\u5ea6\u3002\u53e6\u5916\uff0c\u5728pcnet.c\u7684\u53e6\u4e00\u4e2a\u51fd\u6570pcnet_transmit\u4e2d\u4e5f\u6709\u5bf9\u7f13\u51b2\u533a\u4f4d\u7f6e\u548c\u6570\u636e\u5305\u957f\u5ea6\u7684\u5904\u7406\uff0c\u622a\u56fe\u5982\u4e0b\uff1a\r\n\r\n\r\n\r\n\u5982\u679c\u6570\u636e\u5305\u957f\u5ea6\u4e34\u8fd1\u7f13\u51b2\u533a\u957f\u5ea6\uff084096\uff09\u65f6\uff0c\u7531\u4e8e\u4ee3\u7801\u903b\u8f91\u4f1a\u81ea\u52a8\u6dfb\u52a04\u4e2a\u5b57\u8282\u7684crc\u503c\uff0c\u56e0\u6b64\u5c31\u4f1a\u53d1\u751f\u7f13\u51b2\u533a\u6ea2\u51fa\u3002\r\n\r\n\u5de7\u5408\u7684\u662f\u6ea2\u51fa\u4e86buffer\u4e4b\u540e\u7684\u56db\u4e2a\u5b57\u8282\u6070\u597d\u4f1a\u8986\u76d6\u4e00\u4e2a\u7ed3\u6784\u4f53\u6307\u9488\u3002\u5982\u56fe\u6240\u793a\uff1a\r\n\r\n\r\n\r\n\r\n\u5728\u6ea2\u51fa\u53d1\u751f\u4e4b\u540e\uff0c\u4ee3\u7801\u6d41\u7a0b\u8fdb\u5165pcnet_update_irq\u51fd\u6570\u4e2d\uff0c\u8be5\u51fd\u6570\u7ecf\u8fc7\u5c42\u5c42\u8c03\u7528\uff0c\u6700\u7ec8\u4f7f\u7528\u4e86irq->handler\u4f5c\u4e3a\u51fd\u6570\u6307\u9488\uff01\uff01\uff01\u800c\u8be5irq\u7684\u7ed3\u6784\u4f53\u6307\u9488\u6211\u4eec\u53ef\u4ee5\u5bf9\u5176\u8fdb\u884c\u63a7\u5236\uff0c\u56e0\u6b64\u5c31\u5b8c\u6210\u4e86\u5bf9\u4ee3\u7801\u903b\u8f91\u7684\u52ab\u6301\u3002\r\n\r\n\r\n\r\n", "modified": "2015-12-10T00:00:00", "published": "2015-12-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-90067", "id": "SSV:90067", "type": "seebug", "title": "QEMU pcnet_receive \u5806\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e(CVE-2015-7504)", "sourceData": "", "cvss": {"score": 4.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "centos": [{"lastseen": "2017-10-03T18:25:49", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2015:2694\n\n\nKVM (Kernel-based Virtual Machine) is a full virtualization solution for\nLinux on AMD64 and Intel 64 systems. The qemu-kvm package provides the\nuser-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC-Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside\na guest could use this flaw to crash the host QEMU process (resulting in\ndenial of service) or, potentially, execute arbitrary code with privileges\nof the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation\nvalidated certain received packets from a remote host in non-loopback mode.\nA remote, unprivileged attacker could potentially use this flaw to execute\narbitrary code on the host with the privileges of the QEMU process.\nNote that to exploit this flaw, the guest network interface must have a\nlarge MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and Ling\nLiu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and Ling Liu\nof Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The CVE-2015-7512\nissue was independently discovered by Jason Wang of Red Hat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, shut down all running virtual machines. Once all virtual machines\nhave shut down, start them again for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-December/021581.html\n\n**Affected packages:**\nqemu-guest-agent\nqemu-img\nqemu-kvm\nqemu-kvm-tools\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-2694.html", "modified": "2015-12-22T17:18:03", "published": "2015-12-22T17:18:03", "href": "http://lists.centos.org/pipermail/centos-announce/2015-December/021581.html", "id": "CESA-2015:2694", "title": "qemu security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:47:46", "bulletinFamily": "unix", "description": "[0.12.1.2-2.479.el6_7.3]\n- kvm-net-pcnet-add-check-to-validate-receive-data-size-CV.patch [bz#1287950]\n- kvm-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch [bz#1287950]\n- Resolves: bz#1287950\n (CVE-2015-7504 CVE-2015-7512 qemu-kvm: various flaws [rhel-6.7.z])", "modified": "2015-12-22T00:00:00", "published": "2015-12-22T00:00:00", "id": "ELSA-2015-2694", "href": "http://linux.oracle.com/errata/ELSA-2015-2694.html", "title": "qemu-kvm security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T01:41:31", "bulletinFamily": "unix", "description": "[0.12.1.2-2.491.el6_8.1]\n- kvm-Add-vga.h-unmodified-from-Linux.patch [bz#1331407]\n- kvm-vga.h-remove-unused-stuff-and-reformat.patch [bz#1331407]\n- kvm-vga-use-constants-from-vga.h.patch [bz#1331407]\n- kvm-vga-Remove-some-should-be-done-in-BIOS-comments.patch [bz#1331407]\n- kvm-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch [bz#1331407]\n- kvm-vga-add-vbe_enabled-helper.patch [bz#1331407]\n- kvm-vga-factor-out-vga-register-setup.patch [bz#1331407]\n- kvm-vga-update-vga-register-setup-on-vbe-changes.patch [bz#1331407]\n- kvm-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch [bz#1331407]\n- Resolves: bz#1331407\n (EMBARGOED CVE-2016-3710 qemu-kvm: qemu: incorrect banked access bounds checking in vga module [rhel-6.8.z])\n[0.12.1.2-2.491.el6]\n- Revert 'warning when CPU threads>1 for non-Intel CPUs' fix\n[0.12.1.2-2.490.el6]\n- kvm-qemu-ga-implement-win32-guest-set-user-password.patch [bz#1174181]\n- kvm-util-add-base64-decoding-function.patch [bz#1174181]\n- kvm-qga-convert-to-use-error-checked-base64-decode.patch [bz#1174181]\n- kvm-qga-use-more-idiomatic-qemu-style-eol-operators.patch [bz#1174181]\n- kvm-qga-use-size_t-for-wcslen-return-value.patch [bz#1174181]\n- kvm-qga-use-wide-chars-constants-for-wchar_t-comparisons.patch [bz#1174181]\n- kvm-qga-fix-off-by-one-length-check.patch [bz#1174181]\n- kvm-qga-check-utf8-to-utf16-conversion.patch [bz#1174181]\n- Resolves: bz#1174181\n (RFE: provide QEMU guest agent command for setting root account password (Linux guest))\n[0.12.1.2-2.489.el6]\n- kvm-hw-qxl-qxl_send_events-nop-if-stopped.patch [bz#1290743]\n- kvm-block-mirror-fix-full-sync-mode-when-target-does-not.patch [bz#971312]\n- Resolves: bz#1290743\n (qemu-kvm core dumped when repeat system_reset 20 times during guest boot)\n- Resolves: bz#971312\n (block: Mirroring to raw block device doesnt zero out unused blocks)\n* Mon Feb 08 2016 Miroslav Rezanina \n- Fixed qemu-ga path configuration [bz#1213233]\n- Resolves: bz#1213233\n ([virtagent] The default path '/etc/qemu/fsfreeze-hook' for 'fsfreeze-hook' script doesnt exist)\n[0.12.1.2-2.487.el6]\n- kvm-virtio-scsi-use-virtqueue_map_sg-when-loading-reques.patch [bz#1249740]\n- kvm-scsi-disk-fix-cmd.mode-field-typo.patch [bz#1249740]\n- Resolves: bz#1249740\n (Segfault occurred at Dst VM while completed migration upon ENOSPC)\n[0.12.1.2-2.486.el6]\n- kvm-blockdev-Error-out-on-negative-throttling-option-val.patch [bz#1294619]\n- kvm-fw_cfg-add-check-to-validate-current-entry-value-CVE.patch [bz#1298046]\n- Resolves: bz#1294619\n (Guest should failed to boot if set iops,bps to negative number)\n- Resolves: bz#1298046\n (CVE-2016-1714 qemu-kvm: Qemu: nvram: OOB r/w access in processing firmware configurations [rhel-6.8])\n[0.12.1.2-2.485.el6]\n- kvm-Change-fsfreeze-hook-default-location.patch [bz#1213233]\n- kvm-qxl-replace-pipe-signaling-with-bottom-half.patch [bz#1290743]\n- Resolves: bz#1213233\n ([virtagent] The default path '/etc/qemu/fsfreeze-hook' for 'fsfreeze-hook' script doesnt exist)\n- Resolves: bz#1290743\n (qemu-kvm core dumped when repeat system_reset 20 times during guest boot)\n[0.12.1.2-2.484.el6]\n- kvm-qga-flush-explicitly-when-needed.patch [bz#1210246]\n- kvm-qga-add-guest-set-user-password-command.patch [bz#1174181]\n- kvm-qcow2-Zero-initialise-first-cluster-for-new-images.patch [bz#1223216]\n- kvm-Documentation-Warn-against-qemu-img-on-active-image.patch [bz#1297424]\n- kvm-target-i386-warns-users-when-CPU-threads-1-for-non-I.patch [bz#1292678]\n- kvm-qemu-options-Fix-texinfo-markup.patch [bz#1250442]\n- kvm-qga-Fix-memory-allocation-pasto.patch []\n- kvm-block-raw-posix-Open-file-descriptor-O_RDWR-to-work-.patch [bz#1268347]\n- Resolves: bz#1174181\n (RFE: provide QEMU guest agent command for setting root/administrator account password)\n- Resolves: bz#1210246\n ([virtagent]The 'write' content is lost if 'read' it before flush through guest agent)\n- Resolves: bz#1223216\n (qemu-img can not create qcow2 image when backend is block device)\n- Resolves: bz#1250442\n (qemu-doc.html bad markup in section 3.3 Invocation)\n- Resolves: bz#1268347\n (posix_fallocate emulation on NFS fails with Bad file descriptor if fd is opened O_WRONLY)\n- Resolves: bz#1292678\n (Qemu should report error when cmdline set threads=2 in amd host)\n- Resolves: bz#1297424\n (Add warning about running qemu-img on active VMs to its manpage)\n[0.12.1.2-2.483.el6]\n- kvm-rtl8139-Fix-receive-buffer-overflow-check.patch [bz#1262866]\n- kvm-rtl8139-Do-not-consume-the-packet-during-overflow-in.patch [bz#1262866]\n- Resolves: bz#1262866\n ([RHEL6] Package is 100% lost when ping from host to Win2012r2 guest with 64000 size)\n[0.12.1.2-2.482.el6]\n- kvm-qemu-kvm-get-put-MSR_TSC_AUX-across-reset-and-migrat.patch [bz#1265428]\n- kvm-qcow2-Discard-VM-state-in-active-L1-after-creating-s.patch [bz#1219908]\n- kvm-net-pcnet-add-check-to-validate-receive-data-size-CV.patch [bz#1286597]\n- kvm-pcnet-fix-rx-buffer-overflow-CVE-2015-7512.patch [bz#1286567]\n- Resolves: bz#1219908\n (Writing snapshots with 'virsh snapshot-create-as' command slows as more snapshots are created)\n- Resolves: bz#1265428\n (contents of MSR_TSC_AUX are not migrated)\n- Resolves: bz#1286567\n (CVE-2015-7512 qemu-kvm: Qemu: net: pcnet: buffer overflow in non-loopback mode [rhel-6.8])\n[0.12.1.2-2.481.el6]\n- kvm-net-add-checks-to-validate-ring-buffer-pointers-CVE-.patch [bz#1263275]\n- Resolves: bz#1263275\n (CVE-2015-5279 qemu-kvm: qemu: Heap overflow vulnerability in ne2000_receive() function [rhel-6.8])\n[0.12.1.2-2.480.el6]\n- kvm-virtio-rng-fix-segfault-when-adding-a-virtio-pci-rng.patch [bz#1230068]\n- kvm-qga-commands-posix-Fix-bug-in-guest-fstrim.patch [bz#1213236]\n- kvm-rtl8139-avoid-nested-ifs-in-IP-header-parsing-CVE-20.patch [bz#1248763]\n- kvm-rtl8139-drop-tautologous-if-ip-.-statement-CVE-2015-.patch [bz#1248763]\n- kvm-rtl8139-skip-offload-on-short-Ethernet-IP-header-CVE.patch [bz#1248763]\n- kvm-rtl8139-check-IP-Header-Length-field-CVE-2015-5165.patch [bz#1248763]\n- kvm-rtl8139-check-IP-Total-Length-field-CVE-2015-5165.patch [bz#1248763]\n- kvm-rtl8139-skip-offload-on-short-TCP-header-CVE-2015-51.patch [bz#1248763]\n- kvm-rtl8139-check-TCP-Data-Offset-field-CVE-2015-5165.patch [bz#1248763]\n- Resolves: bz#1213236\n ([virtagent] 'guest-fstrim' failed for guest with os on spapr-vscsi disk)\n- Resolves: bz#1230068\n (Segmentation fault when re-adding virtio-rng-pci device)\n- Resolves: bz#1248763\n (CVE-2015-5165 qemu-kvm: Qemu: rtl8139 uninitialized heap memory information leakage to guest [rhel-6.8])", "modified": "2016-05-16T00:00:00", "published": "2016-05-16T00:00:00", "id": "ELSA-2016-0997", "href": "http://linux.oracle.com/errata/ELSA-2016-0997.html", "title": "qemu-kvm security update", "type": "oraclelinux", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:26", "bulletinFamily": "unix", "description": "\nPrasad J Pandit, Red Hat Product Security Team, reports:\n\nQemu emulator built with the AMD PC-Net II Ethernet Controller\n\t support is vulnerable to a heap buffer overflow flaw. While\n\t receiving packets in the loopback mode, it appends CRC code to the\n\t receive buffer. If the data size given is same as the receive buffer\n\t size, the appended CRC code overwrites 4 bytes beyond this\n\t 's->buffer' array.\nA privileged(CAP_SYS_RAWIO) user inside guest could use this flaw\n\t to crash the Qemu instance resulting in DoS or potentially execute\n\t arbitrary code with privileges of the Qemu process on the host.\n\n\nThe AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets\n\t from a remote host(non-loopback mode), fails to validate the\n\t received data size, thus resulting in a buffer overflow issue. It\n\t could potentially lead to arbitrary code execution on the host, with\n\t privileges of the Qemu process. It requires the guest NIC to have\n\t larger MTU limit.\nA remote user could use this flaw to crash the guest instance\n\t resulting in DoS or potentially execute arbitrary code on a remote\n\t host with privileges of the Qemu process.\n\n", "modified": "2016-01-06T00:00:00", "published": "2015-11-30T00:00:00", "id": "405446F4-B1B3-11E5-9728-002590263BF5", "href": "https://vuxml.freebsd.org/freebsd/405446f4-b1b3-11e5-9728-002590263bf5.html", "title": "qemu and xen-tools -- denial of service vulnerabilities in AMD PC-Net II NIC support", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-09-28T18:24:24", "bulletinFamily": "scanner", "description": "Oracle Linux Local Security Checks ELSA-2015-2694", "modified": "2018-09-28T00:00:00", "published": "2015-12-23T00:00:00", "id": "OPENVAS:1361412562310122811", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122811", "title": "Oracle Linux Local Check: ELSA-2015-2694", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: ELSA-2015-2694.nasl 11688 2018-09-28 13:36:28Z cfischer $\n#\n# Oracle Linux Local Check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.122811\");\n script_version(\"$Revision: 11688 $\");\n script_tag(name:\"creation_date\", value:\"2015-12-23 07:56:46 +0200 (Wed, 23 Dec 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 15:36:28 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Oracle Linux Local Check: ELSA-2015-2694\");\n script_tag(name:\"insight\", value:\"ELSA-2015-2694 - qemu-kvm security update. Please see the references for more insight.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"Oracle Linux Local Security Checks ELSA-2015-2694\");\n script_xref(name:\"URL\", value:\"http://linux.oracle.com/errata/ELSA-2015-2694.html\");\n script_cve_id(\"CVE-2015-7504\", \"CVE-2015-7512\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/oracle_linux\", \"ssh/login/release\", re:\"ssh/login/release=OracleLinux6\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Eero Volotinen\");\n script_family(\"Oracle Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"OracleLinux6\")\n{\n if ((res = isrpmvuln(pkg:\"qemu-guest-agent\", rpm:\"qemu-guest-agent~0.12.1.2~2.479.el6_7.3\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"qemu-img\", rpm:\"qemu-img~0.12.1.2~2.479.el6_7.3\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~0.12.1.2~2.479.el6_7.3\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n if ((res = isrpmvuln(pkg:\"qemu-kvm-tools\", rpm:\"qemu-kvm-tools~0.12.1.2~2.479.el6_7.3\", rls:\"OracleLinux6\")) != NULL) {\n security_message(data:res);\n exit(0);\n }\n\n}\nif (__pkg_match) exit(99);\n exit(0);\n\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-23T15:12:17", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2015-12-23T00:00:00", "id": "OPENVAS:1361412562310871530", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871530", "title": "RedHat Update for qemu-kvm RHSA-2015:2694-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for qemu-kvm RHSA-2015:2694-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871530\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-23 05:39:00 +0100 (Wed, 23 Dec 2015)\");\n script_cve_id(\"CVE-2015-7504\", \"CVE-2015-7512\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for qemu-kvm RHSA-2015:2694-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qemu-kvm'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"KVM (Kernel-based Virtual Machine) is a full\nvirtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm\npackage provides the user-space component for running virtual machines using KVM.\n\nA heap-based buffer overflow flaw was discovered in the way QEMU's AMD\nPC-Net II Ethernet Controller emulation received certain packets in\nloopback mode. A privileged user (with the CAP_SYS_RAWIO capability) inside\na guest could use this flaw to crash the host QEMU process (resulting in\ndenial of service) or, potentially, execute arbitrary code with privileges\nof the host QEMU process. (CVE-2015-7504)\n\nA buffer overflow flaw was found in the way QEMU's AMD PC-Net II emulation\nvalidated certain received packets from a remote host in non-loopback mode.\nA remote, unprivileged attacker could potentially use this flaw to execute\narbitrary code on the host with the privileges of the QEMU process.\nNote that to exploit this flaw, the guest network interface must have a\nlarge MTU limit. (CVE-2015-7512)\n\nRed Hat would like to thank Qinghao Tang of QIHU 360 Marvel Team and Ling\nLiu of Qihoo 360 Inc. for reporting the CVE-2015-7504 issue, and Ling Liu\nof Qihoo 360 Inc. for reporting the CVE-2015-7512 issue. The CVE-2015-7512\nissue was independently discovered by Jason Wang of Red Hat.\n\nAll qemu-kvm users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, shut down all running virtual machines. Once all virtual machines\nhave shut down, start them again for this update to take effect.\");\n script_tag(name:\"affected\", value:\"qemu-kvm on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"RHSA\", value:\"2015:2694-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2015-December/msg00057.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"qemu-guest-agent\", rpm:\"qemu-guest-agent~0.12.1.2~2.479.el6_7.3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-debuginfo\", rpm:\"qemu-kvm-debuginfo~0.12.1.2~2.479.el6_7.3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-img\", rpm:\"qemu-img~0.12.1.2~2.479.el6_7.3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~0.12.1.2~2.479.el6_7.3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm-tools\", rpm:\"qemu-kvm-tools~0.12.1.2~2.479.el6_7.3\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-19T13:01:55", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-12-04T00:00:00", "id": "OPENVAS:1361412562310842547", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842547", "title": "Ubuntu Update for qemu USN-2828-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for qemu USN-2828-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842547\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-04 06:12:52 +0100 (Fri, 04 Dec 2015)\");\n script_cve_id(\"CVE-2015-7295\", \"CVE-2015-7504\", \"CVE-2015-7512\", \"CVE-2015-8345\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for qemu USN-2828-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qemu'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Jason Wang discovered that QEMU incorrectly\nhandled the virtio-net device. A remote attacker could use this issue to cause\nguest network consumption, resulting in a denial of service. (CVE-2015-7295)\n\nQinghao Tang and Ling Liu discovered that QEMU incorrectly handled the\npcnet driver when used in loopback mode. A malicious guest could use this\nissue to cause a denial of service, or possibly execute arbitrary code on\nthe host as the user running the QEMU process. In the default installation,\nwhen QEMU is used with libvirt, attackers would be isolated by the libvirt\nAppArmor profile. (CVE-2015-7504)\n\nLing Liu and Jason Wang discovered that QEMU incorrectly handled the\npcnet driver. A remote attacker could use this issue to cause a denial of\nservice, or possibly execute arbitrary code on the host as the user running\nthe QEMU process. In the default installation, when QEMU is used with\nlibvirt, attackers would be isolated by the libvirt AppArmor profile.\n(CVE-2015-7512)\n\nQinghao Tang discovered that QEMU incorrectly handled the eepro100 driver.\nA malicious guest could use this issue to cause an infinite loop, leading\nto a denial of service. (CVE-2015-8345)\");\n script_tag(name:\"affected\", value:\"qemu on Ubuntu 15.10,\n Ubuntu 15.04,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"USN\", value:\"2828-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2828-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(15\\.04|14\\.04 LTS|12\\.04 LTS|15\\.10)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU15.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"qemu-system\", ver:\"1:2.2+dfsg-5expubuntu9.7\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-aarch64\", ver:\"1:2.2+dfsg-5expubuntu9.7\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-arm\", ver:\"1:2.2+dfsg-5expubuntu9.7\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-mips\", ver:\"1:2.2+dfsg-5expubuntu9.7\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-misc\", ver:\"1:2.2+dfsg-5expubuntu9.7\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-ppc\", ver:\"1:2.2+dfsg-5expubuntu9.7\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-sparc\", ver:\"1:2.2+dfsg-5expubuntu9.7\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-x86\", ver:\"1:2.2+dfsg-5expubuntu9.7\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"qemu-system\", ver:\"2.0.0+dfsg-2ubuntu1.21\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-aarch64\", ver:\"2.0.0+dfsg-2ubuntu1.21\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-arm\", ver:\"2.0.0+dfsg-2ubuntu1.21\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-mips\", ver:\"2.0.0+dfsg-2ubuntu1.21\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-misc\", ver:\"2.0.0+dfsg-2ubuntu1.21\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-ppc\", ver:\"2.0.0+dfsg-2ubuntu1.21\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-sparc\", ver:\"2.0.0+dfsg-2ubuntu1.21\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-x86\", ver:\"2.0.0+dfsg-2ubuntu1.21\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"qemu-kvm\", ver:\"1.0+noroms-0ubuntu14.26\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU15.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"qemu-system\", ver:\"1:2.3+dfsg-5ubuntu9.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-aarch64\", ver:\"1:2.3+dfsg-5ubuntu9.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-arm\", ver:\"1:2.3+dfsg-5ubuntu9.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-mips\", ver:\"1:2.3+dfsg-5ubuntu9.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-misc\", ver:\"1:2.3+dfsg-5ubuntu9.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-ppc\", ver:\"1:2.3+dfsg-5ubuntu9.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-sparc\", ver:\"1:2.3+dfsg-5ubuntu9.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"qemu-system-x86\", ver:\"1:2.3+dfsg-5ubuntu9.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:53:05", "bulletinFamily": "scanner", "description": "Check the version of xen", "modified": "2017-07-10T00:00:00", "published": "2015-12-20T00:00:00", "id": "OPENVAS:1361412562310806909", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806909", "title": "Fedora Update for xen FEDORA-2015-08", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for xen FEDORA-2015-08\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806909\");\n script_version(\"$Revision: 6632 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:48:18 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-12-20 05:39:04 +0100 (Sun, 20 Dec 2015)\");\n script_cve_id(\"CVE-2015-8345\", \"CVE-2015-7512\", \"CVE-2015-8504\", \"CVE-2015-8338\",\n \"CVE-2015-8339\", \"CVE-2015-8340\", \"CVE-2015-8341\", \"CVE-2015-7504\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for xen FEDORA-2015-08\");\n script_tag(name: \"summary\", value: \"Check the version of xen\");\n\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\n of detect NVT and check if the version is vulnerable or not.\");\n\n script_tag(name: \"insight\", value: \"This package contains the XenD daemon and\n xm command line tools, needed to manage virtual machines running under the\n Xen hypervisor.\");\n\n script_tag(name: \"affected\", value: \"xen on Fedora 22\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-08\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-December/174187.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC22\")\n{\n if ((res = isrpmvuln(pkg:\"xen\", rpm:\"xen~4.5.2~5.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-11-19T12:59:30", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2016-03-01T00:00:00", "id": "OPENVAS:1361412562310851213", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851213", "title": "SuSE Update for qemu openSUSE-SU-2016:0536-1 (qemu)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2016_0536_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for qemu openSUSE-SU-2016:0536-1 (qemu)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851213\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-03-01 11:09:00 +0530 (Tue, 01 Mar 2016)\");\n script_cve_id(\"CVE-2015-7512\", \"CVE-2015-8345\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for qemu openSUSE-SU-2016:0536-1 (qemu)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'qemu'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"This update fixes the following security issues:\n\n - Enforce receive packet size, thus eliminating buffer overflow and\n potential security issue. (bsc#957162 CVE-2015-7512)\n\n - Infinite loop in processing command block list. CVE-2015-8345\n (bsc#956829):\n\n This update also fixes a non-security bug:\n\n - Due to space restrictions in limited bios data areas, don't create\n mptable if vcpu count is 'high' (ie more than ~19). (bsc#954864) (No\n supported guests are negatively impacted by this change, which is taken\n from upstream seabios)\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\");\n script_tag(name:\"affected\", value:\"qemu on openSUSE Leap 42.1\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:0536_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSELeap42.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"qemu\", rpm:\"qemu~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-arm\", rpm:\"qemu-arm~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-arm-debuginfo\", rpm:\"qemu-arm-debuginfo~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-block-curl\", rpm:\"qemu-block-curl~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-block-curl-debuginfo\", rpm:\"qemu-block-curl-debuginfo~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-debugsource\", rpm:\"qemu-debugsource~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-extra\", rpm:\"qemu-extra~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-extra-debuginfo\", rpm:\"qemu-extra-debuginfo~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-guest-agent\", rpm:\"qemu-guest-agent~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-guest-agent-debuginfo\", rpm:\"qemu-guest-agent-debuginfo~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-kvm\", rpm:\"qemu-kvm~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-lang\", rpm:\"qemu-lang~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-linux-user\", rpm:\"qemu-linux-user~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-linux-user-debuginfo\", rpm:\"qemu-linux-user-debuginfo~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-linux-user-debugsource\", rpm:\"qemu-linux-user-debugsource~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-ppc\", rpm:\"qemu-ppc~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-ppc-debuginfo\", rpm:\"qemu-ppc-debuginfo~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-s390\", rpm:\"qemu-s390~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-s390-debuginfo\", rpm:\"qemu-s390-debuginfo~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-tools\", rpm:\"qemu-tools~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-tools-debuginfo\", rpm:\"qemu-tools-debuginfo~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-x86\", rpm:\"qemu-x86~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-x86-debuginfo\", rpm:\"qemu-x86-debuginfo~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-block-rbd\", rpm:\"qemu-block-rbd~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-block-rbd-debuginfo\", rpm:\"qemu-block-rbd-debuginfo~2.3.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-testsuite\", rpm:\"qemu-testsuite~2.3.1~12.2\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-ipxe\", rpm:\"qemu-ipxe~1.0.0~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-seabios\", rpm:\"qemu-seabios~1.8.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-sgabios-8\", rpm:\"qemu-sgabios-8~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"qemu-vgabios\", rpm:\"qemu-vgabios~1.8.1~12.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-30T10:52:27", "bulletinFamily": "scanner", "description": "Several vulnerabilities were discovered\nin qemu, a full virtualization solution on x86 hardware.\n\nCVE-2015-7295\nJason Wang of Red Hat Inc. discovered that the Virtual Network\nDevice support is vulnerable to denial-of-service (via resource\nexhaustion), that could occur when receiving large packets.\n\nCVE-2015-7504\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na heap-based buffer overflow that could result in\ndenial-of-service (via application crash) or arbitrary code\nexecution.\n\nCVE-2015-7512\nLing Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na buffer overflow that could result in denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2015-8345\nQinghao Tang of Qihoo 360 Inc. discovered that the eepro100\nemulator contains a flaw that could lead to an infinite loop when\nprocessing Command Blocks, eventually resulting in\ndenial-of-service (via application crash).\n\nCVE-2015-8504\nLian Yihan of Qihoo 360 Inc. discovered that the VNC display\ndriver support is vulnerable to an arithmetic exception flaw that\ncould lead to denial-of-service (via application crash).\n\nCVE-2015-8558\nQinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\nemulation support contains a flaw that could lead to an infinite\nloop during communication between the host controller and a device\ndriver. This could lead to denial-of-service (via resource\nexhaustion).\n\nCVE-2015-8743\nLing Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\nvulnerable to an out-of-bound read/write access issue, potentially\nresulting in information leak or memory corruption.\n\nCVE-2016-1568\nQinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\nemulation support is vulnerable to a use-after-free issue, that\ncould lead to denial-of-service (via application crash) or\narbitrary code execution.\n\nCVE-2016-1714\nDonghai Zhu of Alibaba discovered that the Firmware Configuration\nemulation support is vulnerable to an out-of-bound read/write\naccess issue, that could lead to denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2016-1922\nLing Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\nsupport is vulnerable to a null pointer dereference issue, that\ncould lead to denial-of-service (via application crash).", "modified": "2017-10-27T00:00:00", "published": "2016-02-08T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703469", "id": "OPENVAS:703469", "title": "Debian Security Advisory DSA 3469-1 (qemu - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3469.nasl 7597 2017-10-27 12:23:39Z asteins $\n# Auto-generated from advisory DSA 3469-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703469);\n script_version(\"$Revision: 7597 $\");\n script_cve_id(\"CVE-2015-7295\", \"CVE-2015-7504\", \"CVE-2015-7512\", \"CVE-2015-8345\",\n \"CVE-2015-8504\", \"CVE-2015-8558\", \"CVE-2015-8743\", \"CVE-2016-1568\",\n \"CVE-2016-1714\", \"CVE-2016-1922\");\n script_name(\"Debian Security Advisory DSA 3469-1 (qemu - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-10-27 14:23:39 +0200 (Fri, 27 Oct 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-02-08 00:00:00 +0100 (Mon, 08 Feb 2016)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3469.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"qemu on Debian Linux\");\n script_tag(name: \"insight\", value: \"QEMU is a fast processor emulator:\ncurrently the package supports ARM, CRIS, i386, M68k (ColdFire), MicroBlaze,\nMIPS, PowerPC, SH4, SPARC and x86-64 emulation. By using dynamic translation\nit achieves reasonable speed while being easy to port on new host CPUs. QEMU\nhas two operating modes:\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 1.1.2+dfsg-6a+deb7u12.\n\nWe recommend that you upgrade your qemu packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin qemu, a full virtualization solution on x86 hardware.\n\nCVE-2015-7295\nJason Wang of Red Hat Inc. discovered that the Virtual Network\nDevice support is vulnerable to denial-of-service (via resource\nexhaustion), that could occur when receiving large packets.\n\nCVE-2015-7504\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na heap-based buffer overflow that could result in\ndenial-of-service (via application crash) or arbitrary code\nexecution.\n\nCVE-2015-7512\nLing Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na buffer overflow that could result in denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2015-8345\nQinghao Tang of Qihoo 360 Inc. discovered that the eepro100\nemulator contains a flaw that could lead to an infinite loop when\nprocessing Command Blocks, eventually resulting in\ndenial-of-service (via application crash).\n\nCVE-2015-8504\nLian Yihan of Qihoo 360 Inc. discovered that the VNC display\ndriver support is vulnerable to an arithmetic exception flaw that\ncould lead to denial-of-service (via application crash).\n\nCVE-2015-8558\nQinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\nemulation support contains a flaw that could lead to an infinite\nloop during communication between the host controller and a device\ndriver. This could lead to denial-of-service (via resource\nexhaustion).\n\nCVE-2015-8743\nLing Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\nvulnerable to an out-of-bound read/write access issue, potentially\nresulting in information leak or memory corruption.\n\nCVE-2016-1568\nQinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\nemulation support is vulnerable to a use-after-free issue, that\ncould lead to denial-of-service (via application crash) or\narbitrary code execution.\n\nCVE-2016-1714\nDonghai Zhu of Alibaba discovered that the Firmware Configuration\nemulation support is vulnerable to an out-of-bound read/write\naccess issue, that could lead to denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2016-1922\nLing Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\nsupport is vulnerable to a null pointer dereference issue, that\ncould lead to denial-of-service (via application crash).\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"qemu\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-keymaps\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-system\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-user\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-user-static\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-utils\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:48:44", "bulletinFamily": "scanner", "description": "Several vulnerabilities were discovered\nin qemu-kvm, a full virtualization solution on x86 hardware.\n\nCVE-2015-7295\nJason Wang of Red Hat Inc. discovered that the Virtual Network\nDevice support is vulnerable to denial-of-service (via resource\nexhaustion), that could occur when receiving large packets.\n\nCVE-2015-7504\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na heap-based buffer overflow that could result in\ndenial-of-service (via application crash) or arbitrary code\nexecution.\n\nCVE-2015-7512\nLing Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na buffer overflow that could result in denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2015-8345\nQinghao Tang of Qihoo 360 Inc. discovered that the eepro100\nemulator contains a flaw that could lead to an infinite loop when\nprocessing Command Blocks, eventually resulting in\ndenial-of-service (via application crash).\n\nCVE-2015-8504\nLian Yihan of Qihoo 360 Inc. discovered that the VNC display\ndriver support is vulnerable to an arithmetic exception flaw that\ncould lead to denial-of-service (via application crash).\n\nCVE-2015-8558\nQinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\nemulation support contains a flaw that could lead to an infinite\nloop during communication between the host controller and a device\ndriver. This could lead to denial-of-service (via resource\nexhaustion).\n\nCVE-2015-8743\nLing Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\nvulnerable to an out-of-bound read/write access issue, potentially\nresulting in information leak or memory corruption.\n\nCVE-2016-1568\nQinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\nemulation support is vulnerable to a use-after-free issue, that\ncould lead to denial-of-service (via application crash) or\narbitrary code execution.\n\nCVE-2016-1714\nDonghai Zhu of Alibaba discovered that the Firmware Configuration\nemulation support is vulnerable to an out-of-bound read/write\naccess issue, that could lead to denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2016-1922\nLing Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\nsupport is vulnerable to a null pointer dereference issue, that\ncould lead to denial-of-service (via application crash).", "modified": "2017-12-14T00:00:00", "published": "2016-02-08T00:00:00", "id": "OPENVAS:1361412562310703470", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703470", "title": "Debian Security Advisory DSA 3470-1 (qemu-kvm - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3470.nasl 8115 2017-12-14 07:30:22Z teissa $\n# Auto-generated from advisory DSA 3470-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703470\");\n script_version(\"$Revision: 8115 $\");\n script_cve_id(\"CVE-2015-7295\", \"CVE-2015-7504\", \"CVE-2015-7512\", \"CVE-2015-8345\",\n \"CVE-2015-8504\", \"CVE-2015-8558\", \"CVE-2015-8743\", \"CVE-2016-1568\",\n \"CVE-2016-1714\", \"CVE-2016-1922\");\n script_name(\"Debian Security Advisory DSA 3470-1 (qemu-kvm - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-12-14 08:30:22 +0100 (Thu, 14 Dec 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-02-08 00:00:00 +0100 (Mon, 08 Feb 2016)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3470.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"qemu-kvm on Debian Linux\");\n script_tag(name: \"insight\", value: \"Using KVM, one can run multiple virtual\nPCs, each running unmodified Linux or Windows images. Each virtual machine has\nprivate virtualized hardware: a network card, disk, graphics adapter, etc.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 1.1.2+dfsg-6+deb7u12.\n\nWe recommend that you upgrade your qemu-kvm packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin qemu-kvm, a full virtualization solution on x86 hardware.\n\nCVE-2015-7295\nJason Wang of Red Hat Inc. discovered that the Virtual Network\nDevice support is vulnerable to denial-of-service (via resource\nexhaustion), that could occur when receiving large packets.\n\nCVE-2015-7504\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na heap-based buffer overflow that could result in\ndenial-of-service (via application crash) or arbitrary code\nexecution.\n\nCVE-2015-7512\nLing Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na buffer overflow that could result in denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2015-8345\nQinghao Tang of Qihoo 360 Inc. discovered that the eepro100\nemulator contains a flaw that could lead to an infinite loop when\nprocessing Command Blocks, eventually resulting in\ndenial-of-service (via application crash).\n\nCVE-2015-8504\nLian Yihan of Qihoo 360 Inc. discovered that the VNC display\ndriver support is vulnerable to an arithmetic exception flaw that\ncould lead to denial-of-service (via application crash).\n\nCVE-2015-8558\nQinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\nemulation support contains a flaw that could lead to an infinite\nloop during communication between the host controller and a device\ndriver. This could lead to denial-of-service (via resource\nexhaustion).\n\nCVE-2015-8743\nLing Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\nvulnerable to an out-of-bound read/write access issue, potentially\nresulting in information leak or memory corruption.\n\nCVE-2016-1568\nQinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\nemulation support is vulnerable to a use-after-free issue, that\ncould lead to denial-of-service (via application crash) or\narbitrary code execution.\n\nCVE-2016-1714\nDonghai Zhu of Alibaba discovered that the Firmware Configuration\nemulation support is vulnerable to an out-of-bound read/write\naccess issue, that could lead to denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2016-1922\nLing Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\nsupport is vulnerable to a null pointer dereference issue, that\ncould lead to denial-of-service (via application crash).\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"kvm\", ver:\"1.1.2+dfsg-6+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-kvm\", ver:\"1.1.2+dfsg-6+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-kvm-dbg\", ver:\"1.1.2+dfsg-6+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-10-30T10:52:44", "bulletinFamily": "scanner", "description": "Several vulnerabilities were discovered\nin qemu-kvm, a full virtualization solution on x86 hardware.\n\nCVE-2015-7295\nJason Wang of Red Hat Inc. discovered that the Virtual Network\nDevice support is vulnerable to denial-of-service (via resource\nexhaustion), that could occur when receiving large packets.\n\nCVE-2015-7504\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na heap-based buffer overflow that could result in\ndenial-of-service (via application crash) or arbitrary code\nexecution.\n\nCVE-2015-7512\nLing Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na buffer overflow that could result in denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2015-8345\nQinghao Tang of Qihoo 360 Inc. discovered that the eepro100\nemulator contains a flaw that could lead to an infinite loop when\nprocessing Command Blocks, eventually resulting in\ndenial-of-service (via application crash).\n\nCVE-2015-8504\nLian Yihan of Qihoo 360 Inc. discovered that the VNC display\ndriver support is vulnerable to an arithmetic exception flaw that\ncould lead to denial-of-service (via application crash).\n\nCVE-2015-8558\nQinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\nemulation support contains a flaw that could lead to an infinite\nloop during communication between the host controller and a device\ndriver. This could lead to denial-of-service (via resource\nexhaustion).\n\nCVE-2015-8743\nLing Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\nvulnerable to an out-of-bound read/write access issue, potentially\nresulting in information leak or memory corruption.\n\nCVE-2016-1568\nQinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\nemulation support is vulnerable to a use-after-free issue, that\ncould lead to denial-of-service (via application crash) or\narbitrary code execution.\n\nCVE-2016-1714\nDonghai Zhu of Alibaba discovered that the Firmware Configuration\nemulation support is vulnerable to an out-of-bound read/write\naccess issue, that could lead to denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2016-1922\nLing Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\nsupport is vulnerable to a null pointer dereference issue, that\ncould lead to denial-of-service (via application crash).", "modified": "2017-10-27T00:00:00", "published": "2016-02-08T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703470", "id": "OPENVAS:703470", "title": "Debian Security Advisory DSA 3470-1 (qemu-kvm - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3470.nasl 7597 2017-10-27 12:23:39Z asteins $\n# Auto-generated from advisory DSA 3470-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703470);\n script_version(\"$Revision: 7597 $\");\n script_cve_id(\"CVE-2015-7295\", \"CVE-2015-7504\", \"CVE-2015-7512\", \"CVE-2015-8345\",\n \"CVE-2015-8504\", \"CVE-2015-8558\", \"CVE-2015-8743\", \"CVE-2016-1568\",\n \"CVE-2016-1714\", \"CVE-2016-1922\");\n script_name(\"Debian Security Advisory DSA 3470-1 (qemu-kvm - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-10-27 14:23:39 +0200 (Fri, 27 Oct 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-02-08 00:00:00 +0100 (Mon, 08 Feb 2016)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3470.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"qemu-kvm on Debian Linux\");\n script_tag(name: \"insight\", value: \"Using KVM, one can run multiple virtual\nPCs, each running unmodified Linux or Windows images. Each virtual machine has\nprivate virtualized hardware: a network card, disk, graphics adapter, etc.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 1.1.2+dfsg-6+deb7u12.\n\nWe recommend that you upgrade your qemu-kvm packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin qemu-kvm, a full virtualization solution on x86 hardware.\n\nCVE-2015-7295\nJason Wang of Red Hat Inc. discovered that the Virtual Network\nDevice support is vulnerable to denial-of-service (via resource\nexhaustion), that could occur when receiving large packets.\n\nCVE-2015-7504\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na heap-based buffer overflow that could result in\ndenial-of-service (via application crash) or arbitrary code\nexecution.\n\nCVE-2015-7512\nLing Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na buffer overflow that could result in denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2015-8345\nQinghao Tang of Qihoo 360 Inc. discovered that the eepro100\nemulator contains a flaw that could lead to an infinite loop when\nprocessing Command Blocks, eventually resulting in\ndenial-of-service (via application crash).\n\nCVE-2015-8504\nLian Yihan of Qihoo 360 Inc. discovered that the VNC display\ndriver support is vulnerable to an arithmetic exception flaw that\ncould lead to denial-of-service (via application crash).\n\nCVE-2015-8558\nQinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\nemulation support contains a flaw that could lead to an infinite\nloop during communication between the host controller and a device\ndriver. This could lead to denial-of-service (via resource\nexhaustion).\n\nCVE-2015-8743\nLing Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\nvulnerable to an out-of-bound read/write access issue, potentially\nresulting in information leak or memory corruption.\n\nCVE-2016-1568\nQinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\nemulation support is vulnerable to a use-after-free issue, that\ncould lead to denial-of-service (via application crash) or\narbitrary code execution.\n\nCVE-2016-1714\nDonghai Zhu of Alibaba discovered that the Firmware Configuration\nemulation support is vulnerable to an out-of-bound read/write\naccess issue, that could lead to denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2016-1922\nLing Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\nsupport is vulnerable to a null pointer dereference issue, that\ncould lead to denial-of-service (via application crash).\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"kvm\", ver:\"1.1.2+dfsg-6+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-kvm\", ver:\"1.1.2+dfsg-6+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-kvm-dbg\", ver:\"1.1.2+dfsg-6+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:46:01", "bulletinFamily": "scanner", "description": "Several vulnerabilities were discovered\nin qemu, a full virtualization solution on x86 hardware.\n\nCVE-2015-7295\nJason Wang of Red Hat Inc. discovered that the Virtual Network\nDevice support is vulnerable to denial-of-service (via resource\nexhaustion), that could occur when receiving large packets.\n\nCVE-2015-7504\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na heap-based buffer overflow that could result in\ndenial-of-service (via application crash) or arbitrary code\nexecution.\n\nCVE-2015-7512\nLing Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na buffer overflow that could result in denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2015-8345\nQinghao Tang of Qihoo 360 Inc. discovered that the eepro100\nemulator contains a flaw that could lead to an infinite loop when\nprocessing Command Blocks, eventually resulting in\ndenial-of-service (via application crash).\n\nCVE-2015-8504\nLian Yihan of Qihoo 360 Inc. discovered that the VNC display\ndriver support is vulnerable to an arithmetic exception flaw that\ncould lead to denial-of-service (via application crash).\n\nCVE-2015-8558\nQinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\nemulation support contains a flaw that could lead to an infinite\nloop during communication between the host controller and a device\ndriver. This could lead to denial-of-service (via resource\nexhaustion).\n\nCVE-2015-8743\nLing Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\nvulnerable to an out-of-bound read/write access issue, potentially\nresulting in information leak or memory corruption.\n\nCVE-2016-1568\nQinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\nemulation support is vulnerable to a use-after-free issue, that\ncould lead to denial-of-service (via application crash) or\narbitrary code execution.\n\nCVE-2016-1714\nDonghai Zhu of Alibaba discovered that the Firmware Configuration\nemulation support is vulnerable to an out-of-bound read/write\naccess issue, that could lead to denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2016-1922\nLing Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\nsupport is vulnerable to a null pointer dereference issue, that\ncould lead to denial-of-service (via application crash).", "modified": "2017-12-18T00:00:00", "published": "2016-02-08T00:00:00", "id": "OPENVAS:1361412562310703469", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703469", "title": "Debian Security Advisory DSA 3469-1 (qemu - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3469.nasl 8154 2017-12-18 07:30:14Z teissa $\n# Auto-generated from advisory DSA 3469-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703469\");\n script_version(\"$Revision: 8154 $\");\n script_cve_id(\"CVE-2015-7295\", \"CVE-2015-7504\", \"CVE-2015-7512\", \"CVE-2015-8345\",\n \"CVE-2015-8504\", \"CVE-2015-8558\", \"CVE-2015-8743\", \"CVE-2016-1568\",\n \"CVE-2016-1714\", \"CVE-2016-1922\");\n script_name(\"Debian Security Advisory DSA 3469-1 (qemu - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-12-18 08:30:14 +0100 (Mon, 18 Dec 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-02-08 00:00:00 +0100 (Mon, 08 Feb 2016)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3469.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"qemu on Debian Linux\");\n script_tag(name: \"insight\", value: \"QEMU is a fast processor emulator:\ncurrently the package supports ARM, CRIS, i386, M68k (ColdFire), MicroBlaze,\nMIPS, PowerPC, SH4, SPARC and x86-64 emulation. By using dynamic translation\nit achieves reasonable speed while being easy to port on new host CPUs. QEMU\nhas two operating modes:\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 1.1.2+dfsg-6a+deb7u12.\n\nWe recommend that you upgrade your qemu packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin qemu, a full virtualization solution on x86 hardware.\n\nCVE-2015-7295\nJason Wang of Red Hat Inc. discovered that the Virtual Network\nDevice support is vulnerable to denial-of-service (via resource\nexhaustion), that could occur when receiving large packets.\n\nCVE-2015-7504\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na heap-based buffer overflow that could result in\ndenial-of-service (via application crash) or arbitrary code\nexecution.\n\nCVE-2015-7512\nLing Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na buffer overflow that could result in denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2015-8345\nQinghao Tang of Qihoo 360 Inc. discovered that the eepro100\nemulator contains a flaw that could lead to an infinite loop when\nprocessing Command Blocks, eventually resulting in\ndenial-of-service (via application crash).\n\nCVE-2015-8504\nLian Yihan of Qihoo 360 Inc. discovered that the VNC display\ndriver support is vulnerable to an arithmetic exception flaw that\ncould lead to denial-of-service (via application crash).\n\nCVE-2015-8558\nQinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\nemulation support contains a flaw that could lead to an infinite\nloop during communication between the host controller and a device\ndriver. This could lead to denial-of-service (via resource\nexhaustion).\n\nCVE-2015-8743\nLing Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\nvulnerable to an out-of-bound read/write access issue, potentially\nresulting in information leak or memory corruption.\n\nCVE-2016-1568\nQinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\nemulation support is vulnerable to a use-after-free issue, that\ncould lead to denial-of-service (via application crash) or\narbitrary code execution.\n\nCVE-2016-1714\nDonghai Zhu of Alibaba discovered that the Firmware Configuration\nemulation support is vulnerable to an out-of-bound read/write\naccess issue, that could lead to denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2016-1922\nLing Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\nsupport is vulnerable to a null pointer dereference issue, that\ncould lead to denial-of-service (via application crash).\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"qemu\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-keymaps\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-system\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-user\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-user-static\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-utils\", ver:\"1.1.2+dfsg-6a+deb7u12\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-24T15:13:01", "bulletinFamily": "scanner", "description": "Several vulnerabilities were discovered in\nqemu, a full virtualization solution on x86 hardware.\n\nCVE-2015-7295\nJason Wang of Red Hat Inc. discovered that the Virtual Network\nDevice support is vulnerable to denial-of-service, that could\noccur when receiving large packets.\n\nCVE-2015-7504\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na heap-based buffer overflow that could result in\ndenial-of-service (via application crash) or arbitrary code\nexecution.\n\nCVE-2015-7512\nLing Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na buffer overflow that could result in denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2015-7549\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360\nInc. discovered that the PCI MSI-X emulator is vulnerable to a\nnull pointer dereference issue, that could lead to\ndenial-of-service (via application crash).\n\nCVE-2015-8345\nQinghao Tang of Qihoo 360 Inc. discovered that the eepro100\nemulator contains a flaw that could lead to an infinite loop when\nprocessing Command Blocks, eventually resulting in\ndenial-of-service (via application crash).\n\nCVE-2015-8504\nLian Yihan of Qihoo 360 Inc. discovered that the VNC display\ndriver support is vulnerable to an arithmetic exception flaw that\ncould lead to denial-of-service (via application crash).\n\nCVE-2015-8550\nFelix Wilhelm of ERNW Research that the PV backend drivers are\nvulnerable to double fetch vulnerabilities, possibly resulting in\narbitrary code execution.\n\nCVE-2015-8558\nQinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\nemulation support contains a flaw that could lead to an infinite\nloop during communication between the host controller and a device\ndriver. This could lead to denial-of-service (via resource\nexhaustion).\n\nCVE-2015-8567 CVE-2015-8568\nQinghao Tang of Qihoo 360 Inc. discovered that the vmxnet3 device\nemulator could be used to intentionally leak host memory, thus\nresulting in denial-of-service.\n\nCVE-2015-8613\nQinghao Tang of Qihoo 360 Inc. discovered that the SCSI MegaRAID\nSAS HBA emulation support is vulnerable to a stack-based buffer\noverflow issue, that could lead to denial-of-service (via\napplication crash).\n\nCVE-2015-8619\nLing Liu of Qihoo 360 Inc. discovered that the Human Monitor\nInterface support is vulnerable to an out-of-bound write access\nissue that could result in denial-of-service (via application\ncrash).\n\nCVE-2015-8743\nLing Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\nvulnerable to an out-of-bound read/write access issue, potentially\nresulting in information leak or memory corruption.\n\nCVE-2015-8744\nThe vmxnet3 driver incorrectly processes small packets, which could\nresult in denial-of-service (via application crash).\n\nCVE-2015-8745\nThe vmxnet3 driver incorrectly processes Interrupt Mask Registers,\nwhich could result in denial-of-service (via application crash).\n\nCVE-2016-1568\nQinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\nemulation support is vulnerable to a use-after-free issue, that\ncould lead to denial-of-service (via application crash) or\narbitrary code execution.\n\nCVE-2016-1714\nDonghai Zhu of Alibaba discovered that the Firmware Configuration\nemulation support is vulnerable to an out-of-bound read/write\naccess issue, that could lead to denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2016-1922\nLing Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\nsupport is vulnerable to a null pointer dereference issue, that\ncould lead to denial-of-service (via application crash).\n\nCVE-2016-1981\nThe e1000 driver is vulnerable to an infinite loop issue that\ncould lead to denial-of-service (via application crash).", "modified": "2017-11-24T00:00:00", "published": "2016-02-08T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703471", "id": "OPENVAS:703471", "title": "Debian Security Advisory DSA 3471-1 (qemu - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3471.nasl 7900 2017-11-24 10:35:02Z asteins $\n# Auto-generated from advisory DSA 3471-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703471);\n script_version(\"$Revision: 7900 $\");\n script_cve_id(\"CVE-2015-7295\", \"CVE-2015-7504\", \"CVE-2015-7512\", \"CVE-2015-7549\",\n \"CVE-2015-8345\", \"CVE-2015-8504\", \"CVE-2015-8550\", \"CVE-2015-8558\",\n \"CVE-2015-8567\", \"CVE-2015-8568\", \"CVE-2015-8613\", \"CVE-2015-8619\",\n \"CVE-2015-8743\", \"CVE-2015-8744\", \"CVE-2015-8745\", \"CVE-2016-1568\",\n \"CVE-2016-1714\", \"CVE-2016-1922\", \"CVE-2016-1981\");\n script_name(\"Debian Security Advisory DSA 3471-1 (qemu - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-11-24 11:35:02 +0100 (Fri, 24 Nov 2017) $\");\n script_tag(name: \"creation_date\", value: \"2016-02-08 00:00:00 +0100 (Mon, 08 Feb 2016)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3471.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"qemu on Debian Linux\");\n script_tag(name: \"insight\", value: \"QEMU is a fast processor emulator:\ncurrently the package supports ARM, CRIS, i386, M68k (ColdFire), MicroBlaze, MIPS,\nPowerPC, SH4, SPARC and x86-64 emulation. By using dynamic translation it achieves\nreasonable speed while being easy to port on new host CPUs. QEMU has\ntwo operating modes:\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthese problems have been fixed in version 1:2.1+dfsg-12+deb8u5a.\n\nWe recommend that you upgrade your qemu packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered in\nqemu, a full virtualization solution on x86 hardware.\n\nCVE-2015-7295\nJason Wang of Red Hat Inc. discovered that the Virtual Network\nDevice support is vulnerable to denial-of-service, that could\noccur when receiving large packets.\n\nCVE-2015-7504\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na heap-based buffer overflow that could result in\ndenial-of-service (via application crash) or arbitrary code\nexecution.\n\nCVE-2015-7512\nLing Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\ndiscovered that the PC-Net II ethernet controller is vulnerable to\na buffer overflow that could result in denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2015-7549\nQinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360\nInc. discovered that the PCI MSI-X emulator is vulnerable to a\nnull pointer dereference issue, that could lead to\ndenial-of-service (via application crash).\n\nCVE-2015-8345\nQinghao Tang of Qihoo 360 Inc. discovered that the eepro100\nemulator contains a flaw that could lead to an infinite loop when\nprocessing Command Blocks, eventually resulting in\ndenial-of-service (via application crash).\n\nCVE-2015-8504\nLian Yihan of Qihoo 360 Inc. discovered that the VNC display\ndriver support is vulnerable to an arithmetic exception flaw that\ncould lead to denial-of-service (via application crash).\n\nCVE-2015-8550\nFelix Wilhelm of ERNW Research that the PV backend drivers are\nvulnerable to double fetch vulnerabilities, possibly resulting in\narbitrary code execution.\n\nCVE-2015-8558\nQinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\nemulation support contains a flaw that could lead to an infinite\nloop during communication between the host controller and a device\ndriver. This could lead to denial-of-service (via resource\nexhaustion).\n\nCVE-2015-8567 CVE-2015-8568\nQinghao Tang of Qihoo 360 Inc. discovered that the vmxnet3 device\nemulator could be used to intentionally leak host memory, thus\nresulting in denial-of-service.\n\nCVE-2015-8613\nQinghao Tang of Qihoo 360 Inc. discovered that the SCSI MegaRAID\nSAS HBA emulation support is vulnerable to a stack-based buffer\noverflow issue, that could lead to denial-of-service (via\napplication crash).\n\nCVE-2015-8619\nLing Liu of Qihoo 360 Inc. discovered that the Human Monitor\nInterface support is vulnerable to an out-of-bound write access\nissue that could result in denial-of-service (via application\ncrash).\n\nCVE-2015-8743\nLing Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\nvulnerable to an out-of-bound read/write access issue, potentially\nresulting in information leak or memory corruption.\n\nCVE-2015-8744\nThe vmxnet3 driver incorrectly processes small packets, which could\nresult in denial-of-service (via application crash).\n\nCVE-2015-8745\nThe vmxnet3 driver incorrectly processes Interrupt Mask Registers,\nwhich could result in denial-of-service (via application crash).\n\nCVE-2016-1568\nQinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\nemulation support is vulnerable to a use-after-free issue, that\ncould lead to denial-of-service (via application crash) or\narbitrary code execution.\n\nCVE-2016-1714\nDonghai Zhu of Alibaba discovered that the Firmware Configuration\nemulation support is vulnerable to an out-of-bound read/write\naccess issue, that could lead to denial-of-service (via\napplication crash) or arbitrary code execution.\n\nCVE-2016-1922\nLing Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\nsupport is vulnerable to a null pointer dereference issue, that\ncould lead to denial-of-service (via application crash).\n\nCVE-2016-1981\nThe e1000 driver is vulnerable to an infinite loop issue that\ncould lead to denial-of-service (via application crash).\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"qemu\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-guest-agent\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-kvm\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-system\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-system-arm\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-system-common\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-system-mips\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-system-misc\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-system-ppc\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-system-sparc\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-system-x86\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-user\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-user-binfmt\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-user-static\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"qemu-utils\", ver:\"1:2.1+dfsg-12+deb8u5a\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:34", "bulletinFamily": "unix", "description": "Jason Wang discovered that QEMU incorrectly handled the virtio-net device. A remote attacker could use this issue to cause guest network consumption, resulting in a denial of service. (CVE-2015-7295)\n\nQinghao Tang and Ling Liu discovered that QEMU incorrectly handled the pcnet driver when used in loopback mode. A malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-7504)\n\nLing Liu and Jason Wang discovered that QEMU incorrectly handled the pcnet driver. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-7512)\n\nQinghao Tang discovered that QEMU incorrectly handled the eepro100 driver. A malicious guest could use this issue to cause an infinite loop, leading to a denial of service. (CVE-2015-8345)", "modified": "2015-12-03T00:00:00", "published": "2015-12-03T00:00:00", "id": "USN-2828-1", "href": "https://usn.ubuntu.com/2828-1/", "title": "QEMU vulnerabilities", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "xen": [{"lastseen": "2016-04-01T21:57:16", "bulletinFamily": "software", "description": "#### ISSUE DESCRIPTION\nThe QEMU security team has predisclosed the following advisory:\n The AMD PC-Net II emulator(hw/net/pcnet.c), while receiving packets in loopback mode, appends CRC code to the receive buffer. If the data size given is same as the buffer size(4096), the appended CRC code overwrites 4 bytes after the s-&gt;buffer, making the adjacent &#39;s-&gt;irq&#39; object point to a new location.\n#### IMPACT\nA guest which has access to an emulated PCNET network device (e.g. with &quot;model=pcnet&quot; in their VIF configuration) can exploit this vulnerability to take over the qemu process elevating its privilege to that of the qemu process.\n#### VULNERABLE SYSTEMS\nAll Xen systems running x86 HVM guests without stubdomains which have been configured to use the PCNET emulated driver model are vulnerable.\nThe default configuration is NOT vulnerable (because it does not emulate PCNET NICs).\nSystems running only PV guests are NOT vulnerable.\nSystems using qemu-dm stubdomain device models (for example, by specifying &quot;device_model_stubdomain_override=1&quot; in xl&#39;s domain configuration files) are NOT vulnerable.\nBoth the traditional &quot;qemu-xen&quot; or upstream qemu device models are potentially vulnerable.\nARM systems are NOT vulnerable.\n", "modified": "2015-11-30T10:54:00", "published": "2015-11-30T06:00:00", "id": "XSA-162", "href": "http://xenbits.xen.org/xsa/advisory-162.html", "type": "xen", "title": "heap buffer overflow vulnerability in pcnet emulator", "cvss": {"score": 0.0, "vector": "NONE"}}], "myhack58": [{"lastseen": "2017-08-16T21:18:26", "bulletinFamily": "info", "description": "I haven't to secure guest posting, just recently the contact vulnerability discovery, and have been reading some of the classic fuzzer source code, at the same time also began to contact the virtualization escape this piece of content, at this time happened to come across two very classic exploit, I believe that many friends also have seen, phrack some time ago just update about this vulnerability in detail using the process. \nI later for this vulnerability is a dynamic debugging, and by the phrack paper cramming something about the virtual machine's working principle, the Guest OS and the Host OS between some of the knowledge. \n! [](/Article/UploadPic/2017-8/201781714010647. png? www. myhack58. com) \nIn the debugging process, I increasingly feel that the two vulnerabilities as to the dark portal Getting started again suitable however, by the two vulnerability analysis and the use of the debugging, can be familiar with this type of virtualization vulnerability of the commissioning principles. Today, I will share the QEMU virtualization escape the debugging environment to build, on CVE-2015-5165 and CVE-2015-7504 vulnerability dynamic debugging analysis, as well as the patch comparison. \nPrior to that, my default reading this article little friends have looked at phrack. org about VM Escape Case Study the article, and already understand the virtual work of the basic principles, including but not limited to, memory management mechanisms, REALTEK network card, a PCNET card of a data packet structure, Tx, Rx buffer, and so on. About phrack. org article and see the snow translated version of the analytical article of the link I will be at the end given. Below we together depart to the dark portal! \n! [](/Article/UploadPic/2017-8/201781714011693. png? www. myhack58. com) \n0x01 QEMU environment to build \nIn debugging the QEMU virtualization escape vulnerability before, we need to build virtualization escape the environment, by first git clone to download QEMU, and by the git check set branch if you want to debug the previous version. \n$ git clone git://git. qemu-project. org/qemu. git \n$ cd qemu \n$ mkdir-p bin/debug/native \n$ cd bin/debug/native \n$ ../../../configure --target-list=x86_64-softmmu --enable-debug --disable-werror \n$ make \nIn the make time, the Host OS will need some libraries installed by apt-get to download and install, such as zlib and glib-2.22, wherein glib-2.22 also need some dependencies, but need to go to the download site, the website address: http://ftp.gnome.org/pub/gnome/sources/glib/2.22/ in. \nAfter installation, in/path/to/qemu/bin/debug/native/generated under a x86_64-softmmu directory, before that, you need to install a qcow2 file system, it is needed by qemu-img to create a qcow2 system files. \n\n$ qemu-img creat-f qcow2 ubuntu. qcow2 20G \nAfter the first by qemu-system-x86_64 completion of the qcow2 file system in the system installation, the need to use the-cdrom to the iso image file is loaded. At the same time, you need to install vncviewer, so that by the vncviewer for qemu to start the vnc port for the connection. \n$ qemu-system-x86_64-enable-kvm-m 2048-hda /path/to/ubuntu. qcow2-cdrom /path/to/ubuntu.iso \n$ apt-get install xvnc4viewer \nThrough the vnc connection to qemu after, according to the image file prompt for installation, \u8fd9\u91cc\u63a8\u8350\u8fd8\u662f\u7528server.iso because installation is relatively quick, with the desktop of the words may be slightly Caton some, after the installation is complete you get a systematic qcow2 file, after which you can contain vulnerabilities rlt8139 and pcnet NIC hardware to start. \n\n$ ./ qemu-system-x86_64-enable-kvm-m 2048-display vnc=:89-netdev user,id=t0, -device rtl8139,netdev=t0,id=nic0-netdev user,id=t1, -device pcnet,netdev=t1,id=nic1-drive file=/path/to/ubuntu. qcow2,format=qcow2,if=ide,cache=writeback \nAfter the Start, and here I in order to save trouble, directly with the NAT method of sharing the host network, and then Locally by SimpleHTTPServer to build a simple HTTP Server through wget method to get the two vulnerabilities of the PoC, the two vulnerability PoC by gcc-static method in locally compiled directly after upload, and then run it. \nAfter the host computer via the ps-ef|grep qemu find qemu to start the process via gdb attach pid method additional, press c to continue to run on it, can by the b-function of the method under the breakpoint, convenient for tracking and debugging. \n! [](/Article/UploadPic/2017-8/201781714011366.jpg) \n0x02 CVE-2015-5165 vulnerability analysis \nCVE-2015-5165 is a memory leak vulnerability, since for ip-&gt;ip_len and hlen the length of size is not controlled, resulting in both phase subtraction calculation is negative, due to the ip_data_len variable is defined unsigned type, result this value will be very large, resulting in a memory leak. Vulnerability file in/path/to/qemu/hw/net/rtl8139. c. \nFirst, according to the vulnerability description, vulnerability occurs in the rtl8139_cplus_transmit_one function, by b rtl8139_cplus_transmit_one method in the function to the next breakpoint, after running the PoC, the hit function, the first function will pass in a RTL8139State structure variables. Continue to single-step tracking is performed to an if statement, it will compare the current data in the header portion whether the IPV4 header. \ngdb-peda$ si \n[----------------------------------registers-----------------------------------] \nRAX: 0x4 \n[-------------------------------------code-------------------------------------] \n0x55b25db58480 :shr al,0x4 \n0x55b25db58483 :movzx eax,al \n0x55b25db58486 :and eax,0xf \n=&gt; 0x55b25db58489 :cmp eax,0x4 \n[------------------------------------------------------------------------------] \nLegend: code, data, rodata, value \n0x000055b25db584892173 if (IP_HEADER_VERSION(ip) != IP_HEADER_VERSION_4) { \nVisible this time is indeed the IPv4 configuration, then enter the if statement of the code logic, which will call be16_to_cpu for ip-&gt;ip_len to convert, ip-&gt;ip_len length of 0x1300, the converted length is 0x13 in. \n[----------------------------------registers-----------------------------------] \nRAX: 0x1300 \nRDI: 0x1300 //ip-&gt;ip_len \nEFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow) \n\n\n**[1] [[2]](<88615_2.htm>) [[3]](<88615_3.htm>) [[4]](<88615_4.htm>) [[5]](<88615_5.htm>) [[6]](<88615_6.htm>) [[7]](<88615_7.htm>) [[8]](<88615_8.htm>) [[9]](<88615_9.htm>) [[10]](<88615_10.htm>) [next](<88615_2.htm>)**\n", "modified": "2017-08-17T00:00:00", "published": "2017-08-17T00:00:00", "id": "MYHACK58:62201788615", "href": "http://www.myhack58.com/Article/html/3/62/2017/88615.htm", "title": "Travel to the dark of the door! Debugee in QEMU-vulnerability warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}], "f5": [{"lastseen": "2019-02-20T21:07:44", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned IDs 572590, 572592, 572596, 572597, and 572599 (BIG-IP) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H63519101 on the **Diagnostics** &gt; **Identified** &gt; **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP AAM | 12.0.0 \n11.4.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP AFM | 12.0.0 \n11.3.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP Analytics | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP APM | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP ASM | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP DNS | 12.0.0 | 12.1.0 | Low | vCMP \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP GTM | 11.0.0 - 11.6.1 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP Link Controller | 12.0.0 \n11.0.0 - 11.6.1 | 12.1.0 \n10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP PEM | 12.0.0 \n11.3.0 - 11.6.1 | 12.1.0 | Low | vCMP \nBIG-IP PSM | 11.0.0 - 11.4.1 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | vCMP \nBIG-IP WOM | 11.0.0 - 11.3.0 | 10.1.0 - 10.2.4 | Low | vCMP \nARX | None | 6.0.0 - 6.4.0 | Not vulnerable | None \nEnterprise Manager | None | 3.0.0 - 3.1.1 | Not vulnerable | None \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Device | None | 4.2.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ Security | None | 4.0.0 - 4.5.0 | Not vulnerable | None \nBIG-IQ ADC | None | 4.5.0 | Not vulnerable | None \nBIG-IQ Centralized Management | None | 4.6.0 | Not vulnerable | None \nBIG-IQ Cloud and Orchestration | None | 1.0.0 | Not vulnerable | None \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "modified": "2017-11-16T00:00:00", "published": "2016-02-16T19:39:00", "id": "F5:K63519101", "href": "https://support.f5.com/csp/article/K63519101", "title": "Multiple QEMU vulnerabilities", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:09:49", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "modified": "2016-05-28T00:00:00", "published": "2016-02-16T00:00:00", "id": "SOL63519101", "href": "http://support.f5.com/kb/en-us/solutions/public/k/63/sol63519101.html", "type": "f5", "title": "SOL63519101 - Multiple QEMU vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "suse": [{"lastseen": "2016-09-04T12:43:04", "bulletinFamily": "unix", "description": "This update fixes the following security issues:\n\n - Enforce receive packet size, thus eliminating buffer overflow and\n potential security issue. (bsc#957162 CVE-2015-7512)\n - Infinite loop in processing command block list. CVE-2015-8345\n (bsc#956829):\n\n This update also fixes a non-security bug:\n - Due to space restrictions in limited bios data areas, don't create\n mptable if vcpu count is &quot;high&quot; (ie more than ~19). (bsc#954864) (No\n supported guests are negatively impacted by this change, which is taken\n from upstream seabios)\n\n", "modified": "2016-02-15T19:11:21", "published": "2016-02-15T19:11:21", "id": "SUSE-SU-2016:0459-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00035.html", "type": "suse", "title": "Security update for qemu (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:14:44", "bulletinFamily": "unix", "description": "This update fixes the following security issues:\n\n - Enforce receive packet size, thus eliminating buffer overflow and\n potential security issue. (bsc#957162 CVE-2015-7512)\n - Infinite loop in processing command block list. CVE-2015-8345\n (bsc#956829):\n\n This update also fixes a non-security bug:\n - Due to space restrictions in limited bios data areas, don't create\n mptable if vcpu count is &quot;high&quot; (ie more than ~19). (bsc#954864) (No\n supported guests are negatively impacted by this change, which is taken\n from upstream seabios)\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "modified": "2016-02-21T11:16:37", "published": "2016-02-21T11:16:37", "id": "OPENSUSE-SU-2016:0536-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00050.html", "type": "suse", "title": "Security update for qemu (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:05:46", "bulletinFamily": "unix", "description": "This update for kvm fixes the following issues:\n\n Security issues fixed:\n - CVE-2015-7512: The receive packet size is now checked in the emulated\n pcnet driver, eliminating buffer overflow and potential security issue\n by malicious guest systems. (bsc#957162)\n - CVE-2015-8345: A infinite loop in processing command block list was\n fixed that could be exploit by malicious guest systems (bsc#956829).\n\n Bugs fixed:\n - Fix cases of wrong clock values in kvmclock timekeeping (bsc#947164 and\n bsc#953187)\n - Enforce pxe rom sizes to ensure migration compatibility. (bsc#950590)\n\n", "modified": "2016-01-05T15:11:08", "published": "2016-01-05T15:11:08", "id": "SUSE-SU-2016:0020-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00001.html", "title": "Security update for kvm (important)", "type": "suse", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:22:47", "bulletinFamily": "unix", "description": "This update for kvm fixes the following issues:\n\n Security issues fixed:\n - CVE-2015-7512: The receive packet size is now checked in the emulated\n pcnet driver, eliminating buffer overflow and potential security issue\n by malicious guest systems. (bsc#957162)\n - CVE-2015-8345: A infinite loop in processing command block list was\n fixed that could be exploit by malicious guest systems (bsc#956829).\n\n Other bugs fixed:\n - To assist users past the migration incompatibility discussed in\n bsc#950590 (restore migration compatibility with SLE11 SP3 and SLE12, at\n the unfortunate expense to prior SLE11 SP4 kvm release compatability\n when a virtio-net device is used), print a message which references the\n support document TID 7017048. See\n <a rel=\"nofollow\" href=\"https://www.suse.com/support/kb/doc.php?id=7017048\">https://www.suse.com/support/kb/doc.php?id=7017048</a>\n - Fix cases of wrong clock values in kvmclock timekeeping (bsc#947164 and\n bsc#953187)\n - Enforce pxe rom sizes to ensure migration compatibility. (bsc#950590)\n - Fix kvm live migration fails between sles11 sp3 and sp4 (bsc#950590)\n\n", "modified": "2016-01-04T14:11:45", "published": "2016-01-04T14:11:45", "id": "SUSE-SU-2016:0010-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00000.html", "type": "suse", "title": "Security update for kvm (important)", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:35:28", "bulletinFamily": "unix", "description": "Xen was updated to fix the following vulnerabilities:\n\n * CVE-2014-0222: Qcow1 L2 table size integer overflows (bsc#877642)\n * CVE-2015-4037: Insecure temporary file use in /net/slirp.c\n (bsc#932267)\n * CVE-2015-5239: Integer overflow in vnc_client_read() and\n protocol_client_msg() (bsc#944463)\n * CVE-2015-7504: Heap buffer overflow vulnerability in pcnet emulator\n (XSA-162, bsc#956411)\n * CVE-2015-7971: Some pmu and profiling hypercalls log without rate\n limiting (XSA-152, bsc#950706)\n * CVE-2015-8104: Guest to host DoS by triggering an infinite loop in\n microcode via #DB exception (bsc#954405)\n * CVE-2015-5307: Guest to host DOS by intercepting #AC (XSA-156,\n bsc#953527)\n * CVE-2015-8339: XENMEM_exchange error handling issues (XSA-159,\n bsc#956408)\n * CVE-2015-8340: XENMEM_exchange error handling issues (XSA-159,\n bsc#956408)\n * CVE-2015-7512: Buffer overflow in pcnet's non-loopback mode\n (bsc#962360)\n * CVE-2015-8550: Paravirtualized drivers incautious about shared\n memory contents (XSA-155, bsc#957988)\n * CVE-2015-8504: Avoid floating point exception in vnc support\n (bsc#958493)\n * CVE-2015-8555: Information leak in legacy x86 FPU/XMM initialization\n (XSA-165, bsc#958009)\n * Ioreq handling possibly susceptible to multiple read issue (XSA-166,\n bsc#958523)\n\n Security Issues:\n\n * CVE-2014-0222\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0222</a>&gt;\n * CVE-2015-4037\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4037\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4037</a>&gt;\n * CVE-2015-5239\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5239\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5239</a>&gt;\n * CVE-2015-7504\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7504\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7504</a>&gt;\n * CVE-2015-7971\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7971\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7971</a>&gt;\n * CVE-2015-8104\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8104\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8104</a>&gt;\n * CVE-2015-5307\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5307\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5307</a>&gt;\n * CVE-2015-8339\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8339\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8339</a>&gt;\n * CVE-2015-8340\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8340\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8340</a>&gt;\n * CVE-2015-7512\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7512\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7512</a>&gt;\n * CVE-2015-8550\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8550\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8550</a>&gt;\n * CVE-2015-8504\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8504\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8504</a>&gt;\n * CVE-2015-8555\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8555\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8555</a>&gt;\n\n", "modified": "2016-03-04T22:13:56", "published": "2016-03-04T22:13:56", "id": "SUSE-SU-2016:0658-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00013.html", "title": "Security update for Xen (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:28:40", "bulletinFamily": "unix", "description": "This update for xen fixes the following security issues:\n\n - CVE-2015-8568 CVE-2015-8567: xen: qemu: net: vmxnet3: host memory\n leakage (boo#959387)\n - CVE-2015-8550: xen: paravirtualized drivers incautious about shared\n memory contents (XSA-155, boo#957988)\n - CVE-2015-8558: xen: qemu: usb: infinite loop in ehci_advance_state\n results in DoS (boo#959006)\n - CVE-2015-7549: xen: qemu pci: null pointer dereference issue (boo#958918)\n - CVE-2015-8504: xen: qemu: ui: vnc: avoid floating point exception\n (boo#958493)\n - CVE-2015-8554: xen: qemu-dm buffer overrun in MSI-X handling (XSA-164,\n boo#958007)\n - CVE-2015-8555: xen: information leak in legacy x86 FPU/XMM\n initialization (XSA-165, boo#958009)\n - boo#958523: xen: ioreq handling possibly susceptible to multiple read\n issue (XSA-166)\n - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156,\n boo#954018)\n - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing\n command block list (boo#956832)\n - boo#956592: xen: virtual PMU is unsupported (XSA-163)\n - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error handling issues\n (XSA-159, boo#956408)\n - CVE-2015-8341: xen: libxl leak of pv kernel and initrd on error\n (XSA-160, boo#956409)\n - CVE-2015-7504: xen: heap buffer overflow vulnerability in pcnet emulator\n (XSA-162, boo#956411)\n\n", "modified": "2016-01-14T22:13:24", "published": "2016-01-14T22:13:24", "id": "OPENSUSE-SU-2016:0123-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00010.html", "title": "Security update for xen (important)", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:38:49", "bulletinFamily": "unix", "description": "This update for xen fixes the following security issues:\n\n - CVE-2015-8550: paravirtualized drivers incautious about shared memory\n contents (XSA-155, boo#957988)\n - CVE-2015-8558: qemu: usb: infinite loop in ehci_advance_state results in\n DoS (boo#959006)\n - CVE-2015-7549: qemu pci: null pointer dereference issue (boo#958918)\n - CVE-2015-8504: qemu: ui: vnc: avoid floating point exception (boo#958493)\n - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling (XSA-164,\n boo#958007)\n - CVE-2015-8555: information leak in legacy x86 FPU/XMM initialization\n (XSA-165, boo#958009)\n - boo#958523 xen: ioreq handling possibly susceptible to multiple read\n issue (XSA-166)\n - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing\n command block list (boo#956832)\n - boo#956592: xen: virtual PMU is unsupported (XSA-163)\n - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error handling issues\n (XSA-159, boo#956408)\n - CVE-2015-8341: xen: libxl leak of pv kernel and initrd on error\n (XSA-160, boo#956409)\n - CVE-2015-7504: xen: heap buffer overflow vulnerability in pcnet emulator\n (XSA-162, boo#956411)\n - CVE-2015-7311: xen: libxl fails to honour readonly flag on disks with\n qemu-xen (xsa-142, boo#947165)\n - CVE-2015-8104: Xen: guest to host DoS by triggering an infinite loop in\n microcode via #DB exception (boo#954405)\n - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156,\n boo#954018)\n - CVE-2015-7970: xen: x86: Long latency populate-on-demand operation is\n not preemptible (XSA-150, boo#950704)\n\n", "modified": "2016-01-14T22:16:01", "published": "2016-01-14T22:16:01", "id": "OPENSUSE-SU-2016:0124-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00011.html", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:57:00", "bulletinFamily": "unix", "description": "This update for xen fixes the following issues:\n\n - CVE-2015-8567,CVE-2015-8568: xen: qemu: net: vmxnet3: host memory\n leakage (boo#959387)\n - CVE-2015-8550: xen: paravirtualized drivers incautious about shared\n memory contents (XSA-155, boo#957988)\n - CVE-2015-8558: xen: qemu: usb: infinite loop in ehci_advance_state\n results in DoS (boo#959006)\n - CVE-2015-7549: xen: qemu pci: null pointer dereference issue (boo#958918)\n - CVE-2015-8504: xen: qemu: ui: vnc: avoid floating point exception\n (boo#958493)\n - CVE-2015-8554: xen: qemu-dm buffer overrun in MSI-X handling (XSA-164,\n boo#958007)\n - CVE-2015-8555: xen: information leak in legacy x86 FPU/XMM\n initialization (XSA-165, boo#958009)\n - boo#958523: xen: ioreq handling possibly susceptible to multiple read\n issue (XSA-166)\n - CVE-2015-8345: xen: qemu: net: eepro100: infinite loop in processing\n command block list (boo#956832)\n - CVE-2015-5307: xen: x86: CPU lockup during fault delivery (XSA-156,\n boo#954018)\n - boo#956592: xen: virtual PMU is unsupported (XSA-163)\n - CVE-2015-8339, CVE-2015-8340: xen: XENMEM_exchange error handling issues\n (XSA-159, boo#956408)\n - CVE-2015-8341: xen: libxl leak of pv kernel and initrd on error\n (XSA-160, boo#956409)\n - CVE-2015-7504: xen: heap buffer overflow vulnerability in pcnet emulator\n (XSA-162, boo#956411)\n\n", "modified": "2016-01-14T22:19:10", "published": "2016-01-14T22:19:10", "id": "OPENSUSE-SU-2016:0126-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00012.html", "title": "Security update for xen (important)", "type": "suse", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:17:56", "bulletinFamily": "unix", "description": "xen was updated to fix 26 security issues.\n\n These security issues were fixed:\n - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load function in\n hw/arm/pxa2xx.c allowed remote attackers to cause a denial of service or\n possibly execute arbitrary code via a crafted s-&gt;rx_level value in a\n savevm image (bsc#864655).\n - CVE-2013-4537: The ssi_sd_transfer function in hw/sd/ssi-sd.c allowed\n remote attackers to execute arbitrary code via a crafted arglen value in\n a savevm image (bsc#864391).\n - CVE-2013-4538: Multiple buffer overflows in the ssd0323_load function in\n hw/display/ssd0323.c allowed remote attackers to cause a denial of\n service (memory corruption) or possibly execute arbitrary code via\n crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and\n row_end values; or (5) col_star and col_end values in a savevm image\n (bsc#864769).\n - CVE-2013-4539: Multiple buffer overflows in the tsc210x_load function in\n hw/input/tsc210x.c might have allowed remote attackers to execute\n arbitrary code via a crafted (1) precision, (2) nextprecision, (3)\n function, or (4) nextfunction value in a savevm image (bsc#864805).\n - CVE-2014-0222: Integer overflow in the qcow_open function in\n block/qcow.c allowed remote attackers to cause a denial of service\n (crash) via a large L2 table in a QCOW version 1 image (bsc#877642).\n - CVE-2014-3689: The vmware-vga driver (hw/display/vmware_vga.c) allowed\n local guest users to write to qemu memory locations and gain privileges\n via unspecified parameters related to rectangle handling (bsc#901508).\n - CVE-2014-7815: The set_pixel_format function in ui/vnc.c allowed remote\n attackers to cause a denial of service (crash) via a small\n bytes_per_pixel value (bsc#902737).\n - CVE-2014-9718: The (1) BMDMA and (2) AHCI HBA interfaces in the IDE\n functionality had multiple interpretations of a function's return value,\n which allowed guest OS users to cause a host OS denial of service\n (memory consumption or infinite loop, and system crash) via a PRDT with\n zero complete sectors, related to the bmdma_prepare_buf and\n ahci_dma_prepare_buf functions (bsc#928393).\n - CVE-2015-1779: The VNC websocket frame decoder allowed remote attackers\n to cause a denial of service (memory and CPU consumption) via a large\n (1) websocket payload or (2) HTTP headers section (bsc#924018).\n - CVE-2015-5278: Infinite loop in ne2000_receive() function (bsc#945989).\n - CVE-2015-6855: hw/ide/core.c did not properly restrict the commands\n accepted by an ATAPI device, which allowed guest users to cause a denial\n of service or possibly have unspecified other impact via certain IDE\n commands, as demonstrated by a WIN_READ_NATIVE_MAX command to an empty\n drive, which triggers a divide-by-zero error and instance crash\n (bsc#945404).\n - CVE-2015-7512: Buffer overflow in the pcnet_receive function in\n hw/net/pcnet.c, when a guest NIC has a larger MTU, allowed remote\n attackers to cause a denial of service (guest OS crash) or execute\n arbitrary code via a large packet (bsc#957162).\n - CVE-2015-8345: eepro100: infinite loop in processing command block list\n (bsc#956829).\n - CVE-2015-8613: SCSI: stack based buffer overflow in\n megasas_ctrl_get_info (bsc#961358).\n - CVE-2015-8619: Stack based OOB write in hmp_sendkey routine (bsc#960334).\n - CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions\n (bsc#960725).\n - CVE-2015-8744: vmxnet3: Incorrect l2 header validation lead to a crash\n via assert(2) call (bsc#960835).\n - CVE-2015-8745: Reading IMR registers lead to a crash via assert(2) call\n (bsc#960707).\n - CVE-2016-1568: AHCI use-after-free vulnerability in aio port commands\n (bsc#961332).\n - CVE-2016-1570: The PV superpage functionality in arch/x86/mm.c allowed\n local PV guests to obtain sensitive information, cause a denial of\n service, gain privileges, or have unspecified other impact via a crafted\n page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2)\n MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3)\n unknown vectors related to page table updates (bsc#960861).\n - CVE-2016-1714: nvram: OOB r/w access in processing firmware\n configurations (bsc#961691).\n - CVE-2016-1981: e1000 infinite loop in start_xmit and e1000_receive_iov\n routines (bsc#963782).\n - CVE-2016-2198: EHCI NULL pointer dereference in ehci_caps_write\n (bsc#964413).\n - CVE-2016-2391: usb: multiple eof_timers in ohci module lead to NULL\n pointer dereference (bsc#967013).\n - CVE-2016-2392: NULL pointer dereference in remote NDIS control message\n handling (bsc#967012).\n - CVE-2016-2538: Integer overflow in remote NDIS control message handling\n (bsc#967969).\n\n These non-security issues were fixed:\n - bsc#954872: script block-dmmd not working as expected\n - bsc#957698: DOM0 can't bring up on Dell PC\n - bsc#963923: domain weights not honored when sched-credit tslice is\n reduced\n - bsc#959332: SLES12SP1 PV guest is unreachable when restored or migrated\n - bsc#959695: Missing docs for xen\n\n", "modified": "2016-03-30T20:07:33", "published": "2016-03-30T20:07:33", "id": "OPENSUSE-SU-2016:0914-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00096.html", "type": "suse", "title": "Security update for xen (important)", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:50:17", "bulletinFamily": "unix", "description": "xen was updated to fix 27 security issues.\n\n These security issues were fixed:\n - CVE-2013-4533: Buffer overflow in the pxa2xx_ssp_load function in\n hw/arm/pxa2xx.c allowed remote attackers to cause a denial of service or\n possibly execute arbitrary code via a crafted s-&gt;rx_level value in a\n savevm image (bsc#864655).\n - CVE-2013-4534: Buffer overflow in hw/intc/openpic.c allowed remote\n attackers to cause a denial of service or possibly execute arbitrary\n code via vectors related to IRQDest elements (bsc#864811).\n - CVE-2013-4537: The ssi_sd_transfer function in hw/sd/ssi-sd.c allowed\n remote attackers to execute arbitrary code via a crafted arglen value in\n a savevm image (bsc#864391).\n - CVE-2013-4538: Multiple buffer overflows in the ssd0323_load function in\n hw/display/ssd0323.c allowed remote attackers to cause a denial of\n service (memory corruption) or possibly execute arbitrary code via\n crafted (1) cmd_len, (2) row, or (3) col values; (4) row_start and\n row_end values; or (5) col_star and col_end values in a savevm image\n (bsc#864769).\n - CVE-2013-4539: Multiple buffer overflows in the tsc210x_load function in\n hw/input/tsc210x.c might have allowed remote attackers to execute\n arbitrary code via a crafted (1) precision, (2) nextprecision, (3)\n function, or (4) nextfunction value in a savevm image (bsc#864805).\n - CVE-2014-0222: Integer overflow in the qcow_open function in\n block/qcow.c allowed remote attackers to cause a denial of service\n (crash) via a large L2 table in a QCOW version 1 image (bsc#877642).\n - CVE-2014-3640: The sosendto function in slirp/udp.c allowed local users\n to cause a denial of service (NULL pointer dereference) by sending a udp\n packet with a value of 0 in the source port and address, which triggers\n access of an uninitialized socket (bsc#897654).\n - CVE-2014-3689: The vmware-vga driver (hw/display/vmware_vga.c) allowed\n local guest users to write to qemu memory locations and gain privileges\n via unspecified parameters related to rectangle handling (bsc#901508).\n - CVE-2014-7815: The set_pixel_format function in ui/vnc.c allowed remote\n attackers to cause a denial of service (crash) via a small\n bytes_per_pixel value (bsc#902737).\n - CVE-2015-5278: Infinite loop in ne2000_receive() function (bsc#945989).\n - CVE-2015-7512: Buffer overflow in the pcnet_receive function in\n hw/net/pcnet.c, when a guest NIC has a larger MTU, allowed remote\n attackers to cause a denial of service (guest OS crash) or execute\n arbitrary code via a large packet (bsc#957162).\n - CVE-2015-8504: VNC: floating point exception (bsc#958491).\n - CVE-2015-8550: Paravirtualized drivers were incautious about shared\n memory contents (XSA-155) (bsc#957988).\n - CVE-2015-8554: qemu-dm buffer overrun in MSI-X handling (XSA-164)\n (bsc#958007).\n - CVE-2015-8555: Information leak in legacy x86 FPU/XMM initialization\n (XSA-165) (bsc#958009).\n - CVE-2015-8558: Infinite loop in ehci_advance_state resulted in DoS\n (bsc#959005).\n - CVE-2015-8743: ne2000: OOB memory access in ioport r/w functions\n (bsc#960725).\n - CVE-2015-8745: Reading IMR registers lead to a crash via assert(2) call\n (bsc#960707).\n - CVE-2016-1570: The PV superpage functionality in arch/x86/mm.c allowed\n local PV guests to obtain sensitive information, cause a denial of\n service, gain privileges, or have unspecified other impact via a crafted\n page identifier (MFN) to the (1) MMUEXT_MARK_SUPER or (2)\n MMUEXT_UNMARK_SUPER sub-op in the HYPERVISOR_mmuext_op hypercall or (3)\n unknown vectors related to page table updates (bsc#960861).\n - CVE-2016-1571: VMX: intercept issue with INVLPG on non-canonical address\n (XSA-168) (bsc#960862).\n - CVE-2016-1714: nvram: OOB r/w access in processing firmware\n configurations (bsc#961691).\n - CVE-2016-1981: e1000 infinite loop in start_xmit and e1000_receive_iov\n routines (bsc#963782).\n - CVE-2016-2270: Xen allowed local guest administrators to cause a denial\n of service (host reboot) via vectors related to multiple mappings of\n MMIO pages with different cachability settings (bsc#965315).\n - CVE-2016-2271: VMX when using an Intel or Cyrix CPU, allowed local HVM\n guest users to cause a denial of service (guest crash) via vectors\n related to a non-canonical RIP (bsc#965317).\n - CVE-2016-2391: usb: multiple eof_timers in ohci module lead to NULL\n pointer dereference (bsc#967013).\n - CVE-2016-2841: ne2000: Infinite loop in ne2000_receive (bsc#969350).\n - XSA-166: ioreq handling possibly susceptible to multiple read issue\n (bsc#958523).\n\n This non-security issue was fixed:\n - bsc#967630: Discrepancy in reported memory size with correction XSA-153\n for xend\n\n", "modified": "2016-04-26T16:08:08", "published": "2016-04-26T16:08:08", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00054.html", "id": "SUSE-SU-2016:1154-1", "title": "Security update for xen (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2018-10-18T13:50:31", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3470-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nFebruary 08, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : qemu-kvm\nCVE ID : CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-8345 \n CVE-2015-8504 CVE-2015-8558 CVE-2015-8743 CVE-2016-1568 CVE-2016-1714 CVE-2016-1922\nDebian Bug : 799452 806373 806741 806742 808130 808144 810519 810527 811201\n\nSeveral vulnerabilities were discovered in qemu-kvm, a full\nvirtualization solution on x86 hardware.\n\nCVE-2015-7295\n\n Jason Wang of Red Hat Inc. discovered that the Virtual Network\n Device support is vulnerable to denial-of-service (via resource\n exhaustion), that could occur when receiving large packets.\n\nCVE-2015-7504\n\n Qinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\n discovered that the PC-Net II ethernet controller is vulnerable to\n a heap-based buffer overflow that could result in\n denial-of-service (via application crash) or arbitrary code\n execution.\n\nCVE-2015-7512\n\n Ling Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\n discovered that the PC-Net II ethernet controller is vulnerable to\n a buffer overflow that could result in denial-of-service (via\n application crash) or arbitrary code execution.\n\nCVE-2015-8345\n\n Qinghao Tang of Qihoo 360 Inc. discovered that the eepro100\n emulator contains a flaw that could lead to an infinite loop when\n processing Command Blocks, eventually resulting in\n denial-of-service (via application crash).\n\nCVE-2015-8504\n\n Lian Yihan of Qihoo 360 Inc. discovered that the VNC display\n driver support is vulnerable to an arithmetic exception flaw that\n could lead to denial-of-service (via application crash).\n\nCVE-2015-8558\n\n Qinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\n emulation support contains a flaw that could lead to an infinite\n loop during communication between the host controller and a device\n driver. This could lead to denial-of-service (via resource\n exhaustion).\n\nCVE-2015-8743\n\n Ling Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\n vulnerable to an out-of-bound read/write access issue, potentially\n resulting in information leak or memory corruption.\n\nCVE-2016-1568\n\n Qinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\n emulation support is vulnerable to a use-after-free issue, that\n could lead to denial-of-service (via application crash) or\n arbitrary code execution.\n\nCVE-2016-1714\n\n Donghai Zhu of Alibaba discovered that the Firmware Configuration\n emulation support is vulnerable to an out-of-bound read/write\n access issue, that could lead to denial-of-service (via\n application crash) or arbitrary code execution.\n\nCVE-2016-1922\n\n Ling Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\n support is vulnerable to a null pointer dereference issue, that\n could lead to denial-of-service (via application crash).\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 1.1.2+dfsg-6+deb7u12.\n\nWe recommend that you upgrade your qemu-kvm packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2016-02-08T19:46:11", "published": "2016-02-08T19:46:11", "id": "DEBIAN:DSA-3470-1:E622E", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00040.html", "title": "[SECURITY] [DSA 3470-1] qemu-kvm security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-18T13:49:44", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3469-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nFebruary 08, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : qemu\nCVE ID : CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-8345 \n CVE-2015-8504 CVE-2015-8558 CVE-2015-8743 CVE-2016-1568 CVE-2016-1714 CVE-2016-1922\nDebian Bug : 799452 806373 806741 806742 808130 808144 810519 810527 811201\n\nSeveral vulnerabilities were discovered in qemu, a full virtualization\nsolution on x86 hardware.\n\nCVE-2015-7295\n\n Jason Wang of Red Hat Inc. discovered that the Virtual Network\n Device support is vulnerable to denial-of-service (via resource\n exhaustion), that could occur when receiving large packets.\n\nCVE-2015-7504\n\n Qinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\n discovered that the PC-Net II ethernet controller is vulnerable to\n a heap-based buffer overflow that could result in\n denial-of-service (via application crash) or arbitrary code\n execution.\n\nCVE-2015-7512\n\n Ling Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\n discovered that the PC-Net II ethernet controller is vulnerable to\n a buffer overflow that could result in denial-of-service (via\n application crash) or arbitrary code execution.\n\nCVE-2015-8345\n\n Qinghao Tang of Qihoo 360 Inc. discovered that the eepro100\n emulator contains a flaw that could lead to an infinite loop when\n processing Command Blocks, eventually resulting in\n denial-of-service (via application crash).\n\nCVE-2015-8504\n\n Lian Yihan of Qihoo 360 Inc. discovered that the VNC display\n driver support is vulnerable to an arithmetic exception flaw that\n could lead to denial-of-service (via application crash).\n\nCVE-2015-8558\n\n Qinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\n emulation support contains a flaw that could lead to an infinite\n loop during communication between the host controller and a device\n driver. This could lead to denial-of-service (via resource\n exhaustion).\n\nCVE-2015-8743\n\n Ling Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\n vulnerable to an out-of-bound read/write access issue, potentially\n resulting in information leak or memory corruption.\n\nCVE-2016-1568\n\n Qinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\n emulation support is vulnerable to a use-after-free issue, that\n could lead to denial-of-service (via application crash) or\n arbitrary code execution.\n\nCVE-2016-1714\n\n Donghai Zhu of Alibaba discovered that the Firmware Configuration\n emulation support is vulnerable to an out-of-bound read/write\n access issue, that could lead to denial-of-service (via\n application crash) or arbitrary code execution.\n\nCVE-2016-1922\n\n Ling Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\n support is vulnerable to a null pointer dereference issue, that\n could lead to denial-of-service (via application crash).\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 1.1.2+dfsg-6a+deb7u12.\n\nWe recommend that you upgrade your qemu packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2016-02-08T19:46:02", "published": "2016-02-08T19:46:02", "id": "DEBIAN:DSA-3469-1:9C2F1", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00039.html", "title": "[SECURITY] [DSA 3469-1] qemu security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-16T22:13:00", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3471-1 security@debian.org\nhttps://www.debian.org/security/ Sebastien Delafond\nFebruary 08, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : qemu\nCVE ID : CVE-2015-7295 CVE-2015-7504 CVE-2015-7512 CVE-2015-7549 \n CVE-2015-8345 CVE-2015-8504 CVE-2015-8550 CVE-2015-8558 CVE-2015-8567 CVE-2015-8568 CVE-2015-8613 CVE-2015-8619 CVE-2015-8743 CVE-2015-8744 CVE-2015-8745 CVE-2016-1568 CVE-2016-1714 CVE-2016-1922 CVE-2016-1981\nDebian Bug : 799452 806373 806741 806742 808130 808131 808144 808145 809229 809232 810519 810527 811201 812307 809237 809237\n\nSeveral vulnerabilities were discovered in qemu, a full virtualization\nsolution on x86 hardware.\n\nCVE-2015-7295\n\n Jason Wang of Red Hat Inc. discovered that the Virtual Network\n Device support is vulnerable to denial-of-service, that could\n occur when receiving large packets.\n\nCVE-2015-7504\n\n Qinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360 Inc.\n discovered that the PC-Net II ethernet controller is vulnerable to\n a heap-based buffer overflow that could result in\n denial-of-service (via application crash) or arbitrary code\n execution.\n\nCVE-2015-7512\n\n Ling Liu of Qihoo 360 Inc. and Jason Wang of Red Hat Inc.\n discovered that the PC-Net II ethernet controller is vulnerable to\n a buffer overflow that could result in denial-of-service (via\n application crash) or arbitrary code execution.\n\nCVE-2015-7549\n\n Qinghao Tang of Qihoo 360 Inc. and Ling Liu of Qihoo 360\n Inc. discovered that the PCI MSI-X emulator is vulnerable to a\n null pointer dereference issue, that could lead to\n denial-of-service (via application crash).\n\nCVE-2015-8345\n\n Qinghao Tang of Qihoo 360 Inc. discovered that the eepro100\n emulator contains a flaw that could lead to an infinite loop when\n processing Command Blocks, eventually resulting in\n denial-of-service (via application crash).\n\nCVE-2015-8504\n\n Lian Yihan of Qihoo 360 Inc. discovered that the VNC display\n driver support is vulnerable to an arithmetic exception flaw that\n could lead to denial-of-service (via application crash).\n\nCVE-2015-8550\n\n Felix Wilhelm of ERNW Research that the PV backend drivers are\n vulnerable to double fetch vulnerabilities, possibly resulting in\n arbitrary code execution.\n\nCVE-2015-8558\n\n Qinghao Tang of Qihoo 360 Inc. discovered that the USB EHCI\n emulation support contains a flaw that could lead to an infinite\n loop during communication between the host controller and a device\n driver. This could lead to denial-of-service (via resource\n exhaustion).\n\nCVE-2015-8567 CVE-2015-8568\n\n Qinghao Tang of Qihoo 360 Inc. discovered that the vmxnet3 device\n emulator could be used to intentionally leak host memory, thus\n resulting in denial-of-service.\n\nCVE-2015-8613\n\n Qinghao Tang of Qihoo 360 Inc. discovered that the SCSI MegaRAID\n SAS HBA emulation support is vulnerable to a stack-based buffer\n overflow issue, that could lead to denial-of-service (via\n application crash).\n\nCVE-2015-8619\n\n Ling Liu of Qihoo 360 Inc. discovered that the Human Monitor\n Interface support is vulnerable to an out-of-bound write access\n issue that could result in denial-of-service (via application\n crash).\n\nCVE-2015-8743\n\n Ling Liu of Qihoo 360 Inc. discovered that the NE2000 emulator is\n vulnerable to an out-of-bound read/write access issue, potentially\n resulting in information leak or memory corruption.\n\nCVE-2015-8744\n\n The vmxnet3 driver incorrectly processes small packets, which could\n result in denial-of-service (via application crash).\n\nCVE-2015-8745\n\n The vmxnet3 driver incorrectly processes Interrupt Mask Registers,\n which could result in denial-of-service (via application crash).\n\nCVE-2016-1568\n\n Qinghao Tang of Qihoo 360 Inc. discovered that the IDE AHCI\n emulation support is vulnerable to a use-after-free issue, that\n could lead to denial-of-service (via application crash) or\n arbitrary code execution.\n\nCVE-2016-1714\n\n Donghai Zhu of Alibaba discovered that the Firmware Configuration\n emulation support is vulnerable to an out-of-bound read/write\n access issue, that could lead to denial-of-service (via\n application crash) or arbitrary code execution.\n\nCVE-2016-1922\n\n Ling Liu of Qihoo 360 Inc. discovered that 32-bit Windows guests\n support is vulnerable to a null pointer dereference issue, that\n could lead to denial-of-service (via application crash).\n\nCVE-2016-1981\n\n The e1000 driver is vulnerable to an infinite loop issue that\n could lead to denial-of-service (via application crash).\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1:2.1+dfsg-12+deb8u5a.\n\nWe recommend that you upgrade your qemu packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2016-02-08T19:46:19", "published": "2016-02-08T19:46:19", "id": "DEBIAN:DSA-3471-1:91F2D", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00041.html", "title": "[SECURITY] [DSA 3471-1] qemu security update", "type": "debian", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:27", "bulletinFamily": "unix", "description": "### Background\n\nQEMU is a generic and open source machine emulator and virtualizer.\n\n### Description\n\nMultiple vulnerabilities have been discovered in QEMU. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker might cause a Denial of Service or gain escalated privileges from a guest VM. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll QEMU users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/qemu-2.5.0-r1\"", "modified": "2016-02-04T00:00:00", "published": "2016-02-04T00:00:00", "id": "GLSA-201602-01", "href": "https://security.gentoo.org/glsa/201602-01", "type": "gentoo", "title": "QEMU: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-06T19:46:33", "bulletinFamily": "unix", "description": "### Background\n\nXen is a bare-metal hypervisor.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Xen. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA local attacker could possibly cause a Denial of Service condition or obtain sensitive information. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Xen 4.5 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.5.2-r5\"\n \n\nAll Xen 4.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-4.6.0-r9\"\n \n\nAll Xen tools 4.5 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-tools-4.5.2-r5\"\n \n\nAll Xen tools 4.6 users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-tools-4.6.0-r9\"\n \n\nAll Xen pvgrub users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-emulation/xen-pvgrub-4.6.0\"", "modified": "2016-04-05T00:00:00", "published": "2016-04-05T00:00:00", "id": "GLSA-201604-03", "href": "https://security.gentoo.org/glsa/201604-03", "type": "gentoo", "title": "Xen: Multiple vulnerabilities", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}]}