===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2012.0078
Important: qemu-kvm security, bug fix, and enhancement update
24 January 2012

===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           qemu-kvm
                   kvm
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 6
                   Red Hat Enterprise Linux WS/Desktop 6
Impact/Access:     Increased Privileges -- Existing Account
                   Denial of Service -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0029 CVE-2011-4622 CVE-2011-4127

Reference:         ESB-2012.0065
                   ESB-2011.1279
                   ESB-2011.1277.2

Original Bulletin:
   https://rhn.redhat.com/errata/RHSA-2012-0050.html
   https://rhn.redhat.com/errata/RHSA-2012-0051.html

Comment: This bulletin contains two (2) Red Hat security advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

=====================================================================
Red Hat Security Advisory

Synopsis:          Important: qemu-kvm security, bug fix, and enhancement update
Advisory ID:       RHSA-2012:0050-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0050.html
Issue date:        2012-01-23
CVE Names:         CVE-2012-0029
=====================================================================

1. Summary:

Updated qemu-kvm packages that fix one security issue, one bug, and add
one enhancement are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - x86_64
Red Hat Enterprise Linux Workstation (v. 6) - x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. qemu-kvm is the user-space component
for running virtual machines using KVM.

A heap overflow flaw was found in the way QEMU-KVM emulated the e1000
network interface card. A privileged guest user in a virtual machine whose
network interface is configured to use the e1000 emulated driver could use
this flaw to crash the host or, possibly, escalate their privileges on the
host. (CVE-2012-0029)

Red Hat would like to thank Nicolae Mogoreanu for reporting this issue.

This update also fixes the following bug:

* qemu-kvm has a "scsi" option, to be used, for example, with the
"-device" option: "-device virtio-blk-pci,drive=[drive name],scsi=off".
Previously, however, it only masked the feature bit, and did not reject
SCSI commands if a malicious guest ignored the feature bit and issued a
request. This update corrects this issue. The "scsi=off" option can be
used to mitigate the virtualization aspect of CVE-2011-4127 before the
RHSA-2011:1849 kernel update is installed on the host.

This mitigation is only required if you do not have the RHSA-2011:1849
kernel update installed on the host and you are using raw format virtio
disks backed by a partition or LVM volume.

If you run guests by invoking /usr/libexec/qemu-kvm directly, use the
"-global virtio-blk-pci.scsi=off" option to apply the mitigation. If you
are using libvirt, as recommended by Red Hat, and have the RHBA-2012:0013
libvirt update installed, no manual action is required: guests will
automatically use "scsi=off". (BZ#767721)

Note: After installing the RHSA-2011:1849 kernel update, SCSI requests
issued by guests via the SG_IO IOCTL will not be passed to the underlying
block device when using raw format virtio disks backed by a partition or
LVM volume, even if "scsi=on" is used.

As well, this update adds the following enhancement:

* Prior to this update, qemu-kvm was not built with RELRO or PIE support.
qemu-kvm is now built with full RELRO and PIE support as a security
enhancement. (BZ#767906)

All users of qemu-kvm should upgrade to these updated packages, which
correct these issues and add this enhancement. After installing this
update, shut down all running virtual machines. Once all virtual machines
have shut down, start them again for this update to take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

5. Bugs fixed (http://bugzilla.redhat.com/):

772075 - CVE-2012-0029 qemu-kvm: e1000: process_tx_desc legacy mode packets heap overflow

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Client/en/os/SRPMS/qemu-kvm-0.12.1.2-2.209.el6_2.4.src.rpm

x86_64:
qemu-img-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-debuginfo-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-tools-0.12.1.2-2.209.el6_2.4.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6ComputeNode/en/os/SRPMS/qemu-kvm-0.12.1.2-2.209.el6_2.4.src.rpm

x86_64:
qemu-img-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-debuginfo-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-tools-0.12.1.2-2.209.el6_2.4.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/qemu-kvm-0.12.1.2-2.209.el6_2.4.src.rpm

x86_64:
qemu-img-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-debuginfo-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-tools-0.12.1.2-2.209.el6_2.4.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/6Workstation/en/os/SRPMS/qemu-kvm-0.12.1.2-2.209.el6_2.4.src.rpm

x86_64:
qemu-img-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-debuginfo-0.12.1.2-2.209.el6_2.4.x86_64.rpm
qemu-kvm-tools-0.12.1.2-2.209.el6_2.4.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2012-0029.html
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/kb/docs/DOC-67874
https://rhn.redhat.com/errata/RHSA-2011-1849.html
https://rhn.redhat.com/errata/RHBA-2012-0013.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.

=====================================================================
Red Hat Security Advisory

Synopsis:          Important: kvm security update
Advisory ID:       RHSA-2012:0051-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2012-0051.html
Issue date:        2012-01-23
CVE Names:         CVE-2011-4622 CVE-2012-0029
=====================================================================

1. Summary:

Updated kvm packages that fix two security issues are now available for
Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

RHEL Desktop Multi OS (v. 5 client) - x86_64
RHEL Virtualization (v. 5 server) - x86_64

3. Description:

KVM (Kernel-based Virtual Machine) is a full virtualization solution for
Linux on AMD64 and Intel 64 systems. KVM is a Linux kernel module built for
the standard Red Hat Enterprise Linux kernel.

A heap overflow flaw was found in the way QEMU-KVM emulated the e1000
network interface card. A privileged guest user in a virtual machine whose
network interface is configured to use the e1000 emulated driver could use
this flaw to crash the host or, possibly, escalate their privileges on the
host. (CVE-2012-0029)

A flaw was found in the way the KVM subsystem of a Linux kernel handled PIT
(Programmable Interval Timer) IRQs (interrupt requests) when there was no
virtual interrupt controller set up. A malicious user in the kvm group on
the host could force this situation to occur, resulting in the host
crashing. (CVE-2011-4622)

Red Hat would like to thank Nicolae Mogoreanu for reporting CVE-2012-0029.

All KVM users should upgrade to these updated packages, which contain
backported patches to correct these issues. Note: The procedure in the
Solution section must be performed before this update will take effect.

4. Solution:

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

The following procedure must be performed before this update will take
effect:

1) Stop all KVM guest virtual machines.

2) Either reboot the hypervisor machine or, as the root user, remove (using
"modprobe -r [module]") and reload (using "modprobe [module]") all of the
following modules which are currently running (determined using "lsmod"):
kvm, ksm, kvm-intel or kvm-amd.

3) Restart the KVM guest virtual machines.

5. Bugs fixed (http://bugzilla.redhat.com/):

769721 - CVE-2011-4622 kernel: kvm: pit timer with no irqchip crashes the system
772075 - CVE-2012-0029 qemu-kvm: e1000: process_tx_desc legacy mode packets heap overflow

6. Package List:

RHEL Desktop Multi OS (v. 5 client):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/kvm-83-239.el5_7.1.src.rpm

x86_64:
kmod-kvm-83-239.el5_7.1.x86_64.rpm
kmod-kvm-debug-83-239.el5_7.1.x86_64.rpm
kvm-83-239.el5_7.1.x86_64.rpm
kvm-debuginfo-83-239.el5_7.1.x86_64.rpm
kvm-qemu-img-83-239.el5_7.1.x86_64.rpm
kvm-tools-83-239.el5_7.1.x86_64.rpm

RHEL Virtualization (v. 5 server):

Source:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/kvm-83-239.el5_7.1.src.rpm

x86_64:
kmod-kvm-83-239.el5_7.1.x86_64.rpm
kmod-kvm-debug-83-239.el5_7.1.x86_64.rpm
kvm-83-239.el5_7.1.x86_64.rpm
kvm-debuginfo-83-239.el5_7.1.x86_64.rpm
kvm-qemu-img-83-239.el5_7.1.x86_64.rpm
kvm-tools-83-239.el5_7.1.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/#package

7. References:

https://www.redhat.com/security/data/cve/CVE-2011-4622.html
https://www.redhat.com/security/data/cve/CVE-2012-0029.html
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2012 Red Hat, Inc.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
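
The two guest-facing conditions described in RHSA-2012:0050 (an emulated e1000 network interface, and a virtio-blk-pci disk started without "scsi=off") can be checked against qemu-kvm command lines. The script below is an added example, not part of the Red Hat or AusCERT text; the function names, finding labels and sample command lines are constructed, and it assumes the NIC model appears as "-device e1000" or "-net nic,model=e1000".

```shell
#!/bin/sh
# Added example, not from the advisory: flag qemu-kvm command lines matching
# the two guest-facing conditions it describes. Labels/samples are constructed.

# audit_qemu_cmdline "<command line>": print one finding per line.
# The body is a subshell "( )" so set -f and the variables stay local.
audit_qemu_cmdline() (
    global_off=no
    prev=
    # "-global virtio-blk-pci.scsi=off" covers every virtio-blk-pci disk.
    case " $1 " in
        *" -global virtio-blk-pci.scsi=off "*) global_off=yes ;;
    esac
    set -f    # split on whitespace only, no filename globbing
    for word in $1; do
        case "$prev:,$word," in
            -device:,e1000,*|-net:,nic,model=e1000,*|-net:,nic,*,model=e1000,*)
                # Emulated e1000 NIC: exposed to CVE-2012-0029 until updated.
                echo "e1000-nic: $word" ;;
            -device:,virtio-blk-pci,scsi=off,*|-device:,virtio-blk-pci,*,scsi=off,*)
                ;;    # per-device mitigation already present
            -device:,virtio-blk-pci,*)
                # Relevant to CVE-2011-4127 only for raw disks on a partition
                # or LVM volume, on a host without RHSA-2011:1849.
                [ "$global_off" = yes ] || echo "virtio-blk-scsi-on: $word" ;;
        esac
        prev=$word
    done
)

# audit_guests: stdin carries "<guest-name> <command line>", one per line.
audit_guests() {
    while read -r name cmdline; do
        audit_qemu_cmdline "$cmdline" | while read -r finding; do
            printf '%s: %s\n' "$name" "$finding"
        done
    done
}

# Constructed sample command lines (not taken from a real host).
SAMPLE_GUESTS='web1 /usr/libexec/qemu-kvm -m 2048 -device e1000,netdev=n0 -device virtio-blk-pci,drive=d0
db1 /usr/libexec/qemu-kvm -device virtio-net-pci,netdev=n0 -device virtio-blk-pci,drive=d0,scsi=off
app1 /usr/libexec/qemu-kvm -global virtio-blk-pci.scsi=off -net nic,model=e1000 -device virtio-blk-pci,drive=d0'

printf '%s\n' "$SAMPLE_GUESTS" | audit_guests
```

On a host, the command line of a running guest can be read with tr '\0' ' ' < /proc/<pid>/cmdline and passed to audit_qemu_cmdline; arguments containing spaces are not handled by this simple whitespace split.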