Ubuntu 14.04 LTS / 16.04 LTS : QEMU regression (USN-3575-2)

2018-03-0600:00:00

www.tenable.com

143

CVSS2

7.8

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:H

AI Score

8.6

Confidence

High

EPSS

0.022

Percentile

89.7%

JSON

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3575-2 advisory.

USN-3575-1 fixed vulnerabilities in QEMU. The fix for CVE-2017-11334 caused a regression in Xen     environments. This update removes the problematic fix pending further investigation.

We apologize for the inconvenience.

Original advisory details:

It was discovered that QEMU incorrectly handled guest ram. A privileged

attacker inside the guest could use this issue to cause QEMU to crash,

resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS

and Ubuntu 16.04 LTS. (CVE-2017-11334)

David Buchanan discovered that QEMU incorrectly handled the VGA device. A

privileged attacker inside the guest could use this issue to cause QEMU to

crash, resulting in a denial of service. This issue was only addressed in

Ubuntu 17.10. (CVE-2017-13672)

Thomas Garnier discovered that QEMU incorrectly handled multiboot. An

attacker could use this issue to cause QEMU to crash, resulting in a denial

of service, or possibly execute arbitrary code on the host. In the default

installation, when QEMU is used with libvirt, attackers would be isolated

by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS

and Ubuntu 16.04 LTS. (CVE-2017-14167)

Tuomas Tynkkynen discovered that QEMU incorrectly handled VirtFS directory

sharing. An attacker could use this issue to obtain sensitive information

from host memory. (CVE-2017-15038)

Eric Blake discovered that QEMU incorrectly handled memory in the

NBD server. An attacker could use this issue to cause the NBD server to

crash, resulting in a denial of service. This issue only affected Ubuntu

17.10. (CVE-2017-15118)

Eric Blake discovered that QEMU incorrectly handled certain options to the

NBD server. An attacker could use this issue to cause the NBD server to

crash, resulting in a denial of service. This issue only affected Ubuntu

14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15119)

Daniel Berrange discovered that QEMU incorrectly handled the VNC server. A

remote attacker could possibly use this issue to consume memory, resulting

in a denial of service. This issue was only addressed in Ubuntu 17.10.

(CVE-2017-15124)

Carl Brassey discovered that QEMU incorrectly handled certain websockets. A

remote attacker could possibly use this issue to consume memory, resulting

in a denial of service. This issue only affected Ubuntu 17.10.

(CVE-2017-15268)

Guoxiang Niu discovered that QEMU incorrectly handled the Cirrus VGA

device. A privileged attacker inside the guest could use this issue to

cause QEMU to crash, resulting in a denial of service. (CVE-2017-15289)

Cyrille Chatras discovered that QEMU incorrectly handled certain PS2 values

during migration. An attacker could possibly use this issue to cause QEMU

to crash, resulting in a denial of service, or possibly execute arbitrary

code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10.

(CVE-2017-16845)

It was discovered that QEMU incorrectly handled the Virtio Vring

implementation. An attacker could possibly use this issue to cause QEMU to

crash, resulting in a denial of service. This issue only affected Ubuntu

16.04 LTS and Ubuntu 17.10. (CVE-2017-17381)

Eric Blake discovered that QEMU incorrectly handled certain rounding

operations. An attacker could possibly use this issue to cause QEMU to

crash, resulting in a denial of service. This issue only affected Ubuntu

14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-18043)

Jiang Xin and Lin ZheCheng discovered that QEMU incorrectly handled the

VGA device. A privileged attacker inside the guest could use this issue to

cause QEMU to crash, resulting in a denial of service. (CVE-2018-5683)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-3575-2. The text 
# itself is copyright (C) Canonical, Inc. See 
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
# trademark of Canonical, Inc.
#

include('compat.inc');

if (description)
{
  script_id(107145);
  script_version("3.12");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/08/27");
  script_xref(name:"USN", value:"3575-2");

  script_name(english:"Ubuntu 14.04 LTS / 16.04 LTS : QEMU regression (USN-3575-2)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by a vulnerability as referenced
in the USN-3575-2 advisory.

    USN-3575-1 fixed vulnerabilities in QEMU. The fix for CVE-2017-11334 caused a regression in Xen
    environments. This update removes the problematic fix pending further investigation.

    We apologize for the inconvenience.

    Original advisory details:

    It was discovered that QEMU incorrectly handled guest ram. A privileged

    attacker inside the guest could use this issue to cause QEMU to crash,

    resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS

    and Ubuntu 16.04 LTS. (CVE-2017-11334)

    David Buchanan discovered that QEMU incorrectly handled the VGA device. A

    privileged attacker inside the guest could use this issue to cause QEMU to

    crash, resulting in a denial of service. This issue was only addressed in

    Ubuntu 17.10. (CVE-2017-13672)

    Thomas Garnier discovered that QEMU incorrectly handled multiboot. An

    attacker could use this issue to cause QEMU to crash, resulting in a denial

    of service, or possibly execute arbitrary code on the host. In the default

    installation, when QEMU is used with libvirt, attackers would be isolated

    by the libvirt AppArmor profile. This issue only affected Ubuntu 14.04 LTS

    and Ubuntu 16.04 LTS. (CVE-2017-14167)

    Tuomas Tynkkynen discovered that QEMU incorrectly handled VirtFS directory

    sharing. An attacker could use this issue to obtain sensitive information

    from host memory. (CVE-2017-15038)

    Eric Blake discovered that QEMU incorrectly handled memory in the

    NBD server. An attacker could use this issue to cause the NBD server to

    crash, resulting in a denial of service. This issue only affected Ubuntu

    17.10. (CVE-2017-15118)

    Eric Blake discovered that QEMU incorrectly handled certain options to the

    NBD server. An attacker could use this issue to cause the NBD server to

    crash, resulting in a denial of service. This issue only affected Ubuntu

    14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-15119)

    Daniel Berrange discovered that QEMU incorrectly handled the VNC server. A

    remote attacker could possibly use this issue to consume memory, resulting

    in a denial of service. This issue was only addressed in Ubuntu 17.10.

    (CVE-2017-15124)

    Carl Brassey discovered that QEMU incorrectly handled certain websockets. A

    remote attacker could possibly use this issue to consume memory, resulting

    in a denial of service. This issue only affected Ubuntu 17.10.

    (CVE-2017-15268)

    Guoxiang Niu discovered that QEMU incorrectly handled the Cirrus VGA

    device. A privileged attacker inside the guest could use this issue to

    cause QEMU to crash, resulting in a denial of service. (CVE-2017-15289)

    Cyrille Chatras discovered that QEMU incorrectly handled certain PS2 values

    during migration. An attacker could possibly use this issue to cause QEMU

    to crash, resulting in a denial of service, or possibly execute arbitrary

    code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 17.10.

    (CVE-2017-16845)

    It was discovered that QEMU incorrectly handled the Virtio Vring

    implementation. An attacker could possibly use this issue to cause QEMU to

    crash, resulting in a denial of service. This issue only affected Ubuntu

    16.04 LTS and Ubuntu 17.10. (CVE-2017-17381)

    Eric Blake discovered that QEMU incorrectly handled certain rounding

    operations. An attacker could possibly use this issue to cause QEMU to

    crash, resulting in a denial of service. This issue only affected Ubuntu

    14.04 LTS and Ubuntu 16.04 LTS. (CVE-2017-18043)

    Jiang Xin and Lin ZheCheng discovered that QEMU incorrectly handled the

    VGA device. A privileged attacker inside the guest could use this issue to

    cause QEMU to crash, resulting in a denial of service. (CVE-2018-5683)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-3575-2");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_attribute(attribute:"risk_factor", value:"High");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/03/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/03/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-block-extra");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-guest-agent");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-keymaps");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-kvm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-aarch64");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-arm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-mips");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-misc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-ppc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-s390x");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-sparc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-system-x86");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-user");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-user-binfmt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-user-static");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:qemu-utils");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:lts");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2018-2024 Canonical, Inc. / NASL script (C) 2018-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('14.04' >< os_release || '16.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04 / 16.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '14.04', 'pkgname': 'qemu', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-common', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-keymaps', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-kvm', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-system', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-system-aarch64', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-system-arm', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-system-common', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-system-mips', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-system-misc', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-system-x86', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-user', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-user-static', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '14.04', 'pkgname': 'qemu-utils', 'pkgver': '2.0.0+dfsg-2ubuntu1.40'},
    {'osver': '16.04', 'pkgname': 'qemu', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-block-extra', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-guest-agent', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-kvm', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-system', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-system-aarch64', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-system-arm', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-system-common', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-system-mips', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-system-misc', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-system-ppc', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-system-s390x', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-system-sparc', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-system-x86', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-user', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-user-binfmt', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-user-static', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'},
    {'osver': '16.04', 'pkgname': 'qemu-utils', 'pkgver': '1:2.5+dfsg-5ubuntu10.24'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  var extra = '';
  extra += ubuntu_report_get();
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : extra
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'qemu / qemu-block-extra / qemu-common / qemu-guest-agent / etc');
}