Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title QEMU vulnerabilities
Informations
Name USN-2182-1 First vendor Publication 2014-04-28
Vendor Ubuntu Last vendor Modification 2014-04-28
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 7.2 Attack Range Local
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 3.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS - Ubuntu 13.10 - Ubuntu 12.10 - Ubuntu 12.04 LTS - Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description: - qemu: Machine emulator and virtualizer - qemu-kvm: Machine emulator and virtualizer

Details:

Michael S. Tsirkin discovered that QEMU incorrectly handled vmxnet3 devices. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host. This issue only applied to Ubuntu 13.10 and Ubuntu 14.04 LTS. (CVE-2013-4544)

Michael S. Tsirkin discovered that QEMU incorrectly handled virtio-net MAC addresses. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host. (CVE-2014-0150)

Benoît Canet discovered that QEMU incorrectly handled SMART self-tests. A local guest could possibly use this issue to cause a denial of service, or possibly execute arbitrary code on the host. (CVE-2014-2894)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS:
qemu-system 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-aarch64 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-arm 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-mips 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-misc 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-ppc 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-sparc 2.0.0~rc1+dfsg-0ubuntu3.1
qemu-system-x86 2.0.0~rc1+dfsg-0ubuntu3.1

Ubuntu 13.10:
qemu-system 1.5.0+dfsg-3ubuntu5.4
qemu-system-arm 1.5.0+dfsg-3ubuntu5.4
qemu-system-mips 1.5.0+dfsg-3ubuntu5.4
qemu-system-misc 1.5.0+dfsg-3ubuntu5.4
qemu-system-ppc 1.5.0+dfsg-3ubuntu5.4
qemu-system-sparc 1.5.0+dfsg-3ubuntu5.4
qemu-system-x86 1.5.0+dfsg-3ubuntu5.4

Ubuntu 12.10:
qemu-kvm 1.2.0+noroms-0ubuntu2.12.10.7

Ubuntu 12.04 LTS:
qemu-kvm 1.0+noroms-0ubuntu14.14

Ubuntu 10.04 LTS:
qemu-kvm 0.12.3+noroms-0ubuntu9.22

After a standard system update you need to reboot your computer to make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-2182-1
CVE-2013-4544, CVE-2014-0150, CVE-2014-2894

Package Information:
https://launchpad.net/ubuntu/+source/qemu/2.0.0~rc1+dfsg-0ubuntu3.1
https://launchpad.net/ubuntu/+source/qemu/1.5.0+dfsg-3ubuntu5.4
https://launchpad.net/ubuntu/+source/qemu-kvm/1.2.0+noroms-0ubuntu2.12.10.7
https://launchpad.net/ubuntu/+source/qemu-kvm/1.0+noroms-0ubuntu14.14
https://launchpad.net/ubuntu/+source/qemu-kvm/0.12.3+noroms-0ubuntu9.22

Original Source

Url : http://www.ubuntu.com/usn/USN-2182-1

CWE : Common Weakness Enumeration

% Id Name
67 % CWE-189 Numeric Errors (CWE/SANS Top 25)
33 % CWE-20 Improper Input Validation

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:23845
 
Oval ID: oval:org.mitre.oval:def:23845
Title: ELSA-2014:0420: qemu-kvm security update (Moderate)
Description: KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147) A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0150) A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0142) A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0146) It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0148) The CVE-2014-0143 issues were discovered by Kevin Wolf and Stefan Hajnoczi of Red Hat, the CVE-2014-0144 issues were discovered by Fam Zheng, Jeff Cody, Kevin Wolf, and Stefan Hajnoczi of Red Hat, the CVE-2014-0145 issues were discovered by Stefan Hajnoczi of Red Hat, the CVE-2014-0150 issue was discovered by Michael S. Tsirkin of Red Hat, the CVE-2014-0142, CVE-2014-0146, and CVE-2014-0147 issues were discovered by Kevin Wolf of Red Hat, and the CVE-2014-0148 issue was discovered by Jeff Cody of Red Hat. All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family: unix Class: patch
Reference(s): ELSA-2014:0420-00
CVE-2014-0142
CVE-2014-0143
CVE-2014-0144
CVE-2014-0145
CVE-2014-0146
CVE-2014-0147
CVE-2014-0148
CVE-2014-0150
Version: 5
Platform(s): Oracle Linux 6
Product(s): qemu-kvm
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24016
 
Oval ID: oval:org.mitre.oval:def:24016
Title: USN-2182-1 -- qemu, qemu-kvm vulnerabilities
Description: Several security issues were fixed in QEMU.
Family: unix Class: patch
Reference(s): USN-2182-1
CVE-2013-4544
CVE-2014-0150
CVE-2014-2894
Version: 5
Platform(s): Ubuntu 14.04
Ubuntu 13.10
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
Product(s): qemu
qemu-kvm
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24104
 
Oval ID: oval:org.mitre.oval:def:24104
Title: RHSA-2014:0420: qemu-kvm security update (Moderate)
Description: KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm package provides the user-space component for running virtual machines using KVM. Multiple integer overflow, input validation, logic error, and buffer overflow flaws were discovered in various QEMU block drivers. An attacker able to modify a disk image file loaded by a guest could use these flaws to crash the guest, or corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0143, CVE-2014-0144, CVE-2014-0145, CVE-2014-0147) A buffer overflow flaw was found in the way the virtio_net_handle_mac() function of QEMU processed guest requests to update the table of MAC addresses. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, potentially resulting in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-0150) A divide-by-zero flaw was found in the seek_to_sector() function of the parallels block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0142) A NULL pointer dereference flaw was found in the QCOW2 block driver in QEMU. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0146) It was found that the block driver for Hyper-V VHDX images did not correctly calculate BAT (Block Allocation Table) entries due to a missing bounds check. An attacker able to modify a disk image file loaded by a guest could use this flaw to crash the guest. (CVE-2014-0148) The CVE-2014-0143 issues were discovered by Kevin Wolf and Stefan Hajnoczi of Red Hat, the CVE-2014-0144 issues were discovered by Fam Zheng, Jeff Cody, Kevin Wolf, and Stefan Hajnoczi of Red Hat, the CVE-2014-0145 issues were discovered by Stefan Hajnoczi of Red Hat, the CVE-2014-0150 issue was discovered by Michael S. Tsirkin of Red Hat, the CVE-2014-0142, CVE-2014-0146, and CVE-2014-0147 issues were discovered by Kevin Wolf of Red Hat, and the CVE-2014-0148 issue was discovered by Jeff Cody of Red Hat. All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0420-00
CESA-2014:0420
CVE-2014-0142
CVE-2014-0143
CVE-2014-0144
CVE-2014-0145
CVE-2014-0146
CVE-2014-0147
CVE-2014-0148
CVE-2014-0150
Version: 3
Platform(s): Red Hat Enterprise Linux 6
CentOS Linux 6
Product(s): qemu-kvm
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24231
 
Oval ID: oval:org.mitre.oval:def:24231
Title: DSA-2909-1 qemu - security update
Description: Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest.
Family: unix Class: patch
Reference(s): DSA-2909-1
CVE-2014-0150
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): qemu
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:24717
 
Oval ID: oval:org.mitre.oval:def:24717
Title: DSA-2910-1 qemu-kvm - security update
Description: Michael S. Tsirkin of Red Hat discovered a buffer overflow flaw in the way qemu processed MAC addresses table update requests from the guest.
Family: unix Class: patch
Reference(s): DSA-2910-1
CVE-2014-0150
Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
Product(s): qemu-kvm
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25072
 
Oval ID: oval:org.mitre.oval:def:25072
Title: RHSA-2014:0704: qemu-kvm security and bug fix update (Moderate)
Description: KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. The qemu-kvm packages provide a user-space component to run virtual machines using KVM. An out-of-bounds memory access flaw was found in the way QEMU's IDE device driver handled the execution of SMART EXECUTE OFFLINE commands. A privileged guest user could use this flaw to corrupt QEMU process memory on the host, which could potentially result in arbitrary code execution on the host with the privileges of the QEMU process. (CVE-2014-2894) This update also fixes the following bugs: * Prior to this update, a bug in the migration code caused the following error on specific machine types: after a Red Hat Enterprise Linux 6.5 guest was migrated from a Red Hat Enterprise Linux 6.5 host to a Red Hat Enterprise Linux 7.0 host and then restarted, the boot failed and the guest automatically restarted. Thus, the guest entered an endless loop. With this update, the migration code has been fixed and the Red Hat Enterprise Linux 6.5 guests migrated in the aforementioned scenario now boot properly. (BZ#1091322) * Due to a regression bug in the iSCSI driver, the qemu-kvm process terminated unexpectedly with a segmentation fault when the "write same" command was executed in guest mode under the iSCSI protocol. This update fixes the regression and the "write same" command now functions in guest mode under iSCSI as intended. (BZ#1090978) * Due to a mismatch in interrupt request (IRQ) routing, migration of a Red Hat Enterprise Linux 6.5 guest from a Red Hat Enterprise Linux 6.5 host to a Red Hat Enterprise Linux 7.0 host could produce a call trace. This happened if memory ballooning and a Universal Host Control Interface (UHCI) device were used at the same time on certain machine types. With this patch, the IRQ routing mismatch has been amended and the described migration now proceeds as expected. (BZ#1090981) * Previously, an internal error prevented KVM from executing a CPU hot plug on a Red Hat Enterprise Linux 7 guest running on a Red Hat Enterprise Linux 7 host. This update addresses the internal error and CPU hot plugging in the described scenario now functions correctly. (BZ#1094820) All qemu-kvm users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0704-00
CVE-2014-2894
Version: 4
Platform(s): Red Hat Enterprise Linux 7
CentOS Linux 7
Product(s): qemu-kvm
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25155
 
Oval ID: oval:org.mitre.oval:def:25155
Title: RHSA-2014:0426: qemu-kvm security update (Moderate)
Description: KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. ... All users of qemu-kvm should upgrade to these updated packages, which contain backported patches to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family: unix Class: patch
Reference(s): RHSA-2014:0426-00
CVE-2014-0142
CVE-2014-0143
CVE-2014-0144
CVE-2014-0145
CVE-2014-0146
CVE-2014-0147
CVE-2014-0148
CVE-2014-0150
Version: 3
Platform(s): Red Hat Enterprise Linux 6
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25200
 
Oval ID: oval:org.mitre.oval:def:25200
Title: ELSA-2014:0426: qemu-kvm security update (Moderate)
Description: KVM (Kernel-based Virtual Machine) is a full virtualization solution for Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component for running virtual machines using KVM. ... All users of qemu-kvm should upgrade to these updated packages, which contain backported patches to correct this issue. After installing this update, shut down all running virtual machines. Once all virtual machines have shut down, start them again for this update to take effect.
Family: unix Class: patch
Reference(s): ELSA-2014:0426-00
CVE-2014-0142
CVE-2014-0143
CVE-2014-0144
CVE-2014-0145
CVE-2014-0146
CVE-2014-0147
CVE-2014-0148
CVE-2014-0150
Version: 4
Platform(s): Oracle Linux 6
Product(s): qemu
qemu-kvm
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27247
 
Oval ID: oval:org.mitre.oval:def:27247
Title: ELSA-2014-0704 -- qemu-kvm security and bug fix update (moderate)
Description: [1.5.3-60.el7_0.2] - kvm-pc-add-hot_add_cpu-callback-to-all-machine-types.patch [bz#1094820] - Resolves: bz#1094820 (Hot plug CPU not working with RHEL6 machine types running on RHEL7 host.) [1.5.3-60.el7_0.1] - kvm-iscsi-fix-indentation.patch [bz#1090978] - kvm-iscsi-correctly-propagate-errors-in-iscsi_open.patch [bz#1090978] - kvm-block-iscsi-query-for-supported-VPD-pages.patch [bz#1090978] - kvm-block-iscsi-fix-segfault-if-writesame-fails.patch [bz#1090978] - kvm-iscsi-recognize-invalid-field-ASCQ-from-WRITE-SAME-c.patch [bz#1090978] - kvm-iscsi-ignore-flushes-on-scsi-generic-devices.patch [bz#1090978] - kvm-iscsi-always-query-max-WRITE-SAME-length.patch [bz#1090978] - kvm-iscsi-Don-t-set-error-if-already-set-in-iscsi_do_inq.patch [bz#1090978] - kvm-iscsi-Remember-to-set-ret-for-iscsi_open-in-error-ca.patch [bz#1090978] - kvm-qemu_loadvm_state-shadow-SeaBIOS-for-VM-incoming-fro.patch [1091322] - kvm-uhci-UNfix-irq-routing-for-RHEL-6-machtypes-RHEL-onl.patch [bz#1090981] - kvm-ide-Correct-improper-smart-self-test-counter-reset-i.patch [bz#1093612] - Resolves: bz#1091322 (fail to reboot guest after migration from RHEL6.5 host to RHEL7.0 host) - Resolves: bz#1090981 (Guest hits call trace migrate from RHEL6.5 to RHEL7.0 host with -M 6.1 & balloon & uhci device) - Resolves: bz#1090978 (qemu-kvm: iSCSI: Failure. SENSE KEY:ILLEGAL_REQUEST(5) ASCQ:INVALID_FIELD_IN_CDB(0x2400)) - Resolves: bz#1093612 (CVE-2014-2894 qemu-kvm: QEMU: out of bounds buffer accesses, guest triggerable via IDE SMART [rhel-7.0.z])
Family: unix Class: patch
Reference(s): ELSA-2014-0704
CVE-2014-2894
Version: 5
Platform(s): Oracle Linux 7
Product(s): qemu-kvm
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 123
Os 5
Os 1

Nessus® Vulnerability Scanner

Date Description
2015-03-19 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-061.nasl - Type : ACT_GATHER_INFO
2014-12-15 Name : The remote Fedora host is missing a security update.
File : fedora_2014-15951.nasl - Type : ACT_GATHER_INFO
2014-12-02 Name : The remote Fedora host is missing a security update.
File : fedora_2014-15521.nasl - Type : ACT_GATHER_INFO
2014-12-02 Name : The remote Fedora host is missing a security update.
File : fedora_2014-15503.nasl - Type : ACT_GATHER_INFO
2014-11-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-220.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0744.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2014-0674.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0421.nasl - Type : ACT_GATHER_INFO
2014-08-30 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201408-17.nasl - Type : ACT_GATHER_INFO
2014-07-30 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0704.nasl - Type : ACT_GATHER_INFO
2014-06-19 Name : The remote SuSE 11 host is missing a security update.
File : suse_11_kvm-140528.nasl - Type : ACT_GATHER_INFO
2014-06-12 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0743.nasl - Type : ACT_GATHER_INFO
2014-06-11 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0743.nasl - Type : ACT_GATHER_INFO
2014-05-20 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2933.nasl - Type : ACT_GATHER_INFO
2014-05-20 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2932.nasl - Type : ACT_GATHER_INFO
2014-05-02 Name : The remote Fedora host is missing a security update.
File : fedora_2014-5825.nasl - Type : ACT_GATHER_INFO
2014-04-29 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2182-1.nasl - Type : ACT_GATHER_INFO
2014-04-23 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140422_qemu_kvm_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-04-23 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0420.nasl - Type : ACT_GATHER_INFO
2014-04-23 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-0420.nasl - Type : ACT_GATHER_INFO
2014-04-23 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-0420.nasl - Type : ACT_GATHER_INFO
2014-04-21 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2909.nasl - Type : ACT_GATHER_INFO
2014-04-21 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2910.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
Date Informations
2014-05-09 21:30:02
  • Multiple Updates
2014-04-30 13:21:31
  • Multiple Updates
2014-04-28 17:18:37
  • First insertion