-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1022
                           QEMU vulnerabilities
                               21 April 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu-system
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6505 CVE-2017-5987 CVE-2017-5973
                   CVE-2017-5898 CVE-2017-5857 CVE-2017-5856
                   CVE-2017-5667 CVE-2017-5579 CVE-2017-5578
                   CVE-2017-5552 CVE-2017-5526 CVE-2017-5525
                   CVE-2017-2633 CVE-2017-2620 CVE-2017-2615
                   CVE-2016-10155 CVE-2016-10029 CVE-2016-10028
                   CVE-2016-9922 CVE-2016-9921 CVE-2016-9916
                   CVE-2016-9915 CVE-2016-9914 CVE-2016-9913
                   CVE-2016-9912 CVE-2016-9911 CVE-2016-9908
                   CVE-2016-9907 CVE-2016-9846 CVE-2016-9845
                   CVE-2016-9776 CVE-2016-9603 CVE-2016-9602
                   CVE-2016-9381 CVE-2016-8669 CVE-2016-8667
                   CVE-2016-7907  

Reference:         ESB-2017.0637
                   ESB-2017.0606

Original Bulletin: 
   http://www.ubuntu.com/usn/usn-3261-1

- --------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3261-1
April 20, 2017

qemu vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- - Ubuntu 16.10
- - Ubuntu 16.04 LTS
- - Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- - qemu: Machine emulator and virtualizer

Details:

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU
device. An attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 16.10. (CVE-2016-10028, CVE-2016-10029)

Li Qiang discovered that QEMU incorrectly handled the 6300esb watchdog. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-10155)

Li Qiang discovered that QEMU incorrectly handled the i.MX Fast Ethernet
Controller. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. This issue only
affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7907)

It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-8667)

It was discovered that QEMU incorrectly handled the 16550A UART device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-8669)

It was discovered that QEMU incorrectly handled the shared rings when used
with Xen. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly execute
arbitrary code on the host. (CVE-2016-9381)

Jann Horn discovered that QEMU incorrectly handled VirtFS directory
sharing. A privileged attacker inside the guest could use this issue to
access files on the host file system outside of the shared directory and
possibly escalate their privileges. In the default installation, when QEMU
is used with libvirt, attackers would be isolated by the libvirt AppArmor
profile. (CVE-2016-9602)

Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA
device when being used with a VNC connection. A privileged attacker inside
the guest could use this issue to cause QEMU to crash, resulting in a
denial of service, or possibly execute arbitrary code on the host. In the
default installation, when QEMU is used with libvirt, attackers would be
isolated by the libvirt AppArmor profile. (CVE-2016-9603)

It was discovered that QEMU incorrectly handled the ColdFire Fast Ethernet
Controller. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2016-9776)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An
attacker inside the guest could use this issue to cause QEMU to leak
contents of host memory. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 16.10. (CVE-2016-9845, CVE-2016-9908)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 16.10. (CVE-2016-9846, CVE-2016-9912, CVE-2017-5552,
CVE-2017-5578, CVE-2017-5857)

Li Qiang discovered that QEMU incorrectly handled the USB redirector. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 16.10. (CVE-2016-9907)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. (CVE-2016-9911)

Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing.
A privileged attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2016-9913, CVE-2016-9914,
CVE-2016-9915, CVE-2016-9916)

Qinghao Tang, Li Qiang, and Jiangxin discovered that QEMU incorrectly
handled the Cirrus VGA device. A privileged attacker inside the guest could
use this issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2016-9921, CVE-2016-9922)

Wjjzhang and Li Qiang discovered that QEMU incorrectly handled the Cirrus
VGA device. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly execute
arbitrary code on the host. In the default installation, when QEMU is used
with libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2017-2615)

It was discovered that QEMU incorrectly handled the Cirrus VGA device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service, or possibly execute arbitrary code
on the host. In the default installation, when QEMU is used with libvirt,
attackers would be isolated by the libvirt AppArmor profile.
(CVE-2017-2620)

It was discovered that QEMU incorrectly handled VNC connections. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. (CVE-2017-2633)

Li Qiang discovered that QEMU incorrectly handled the ac97 audio device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2017-5525)

Li Qiang discovered that QEMU incorrectly handled the es1370 audio device.
A privileged attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2017-5526)

Li Qiang discovered that QEMU incorrectly handled the 16550A UART device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2017-5579)

Jiang Xin discovered that QEMU incorrectly handled SDHCI device emulation.
A privileged attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service, or possibly execute arbitrary
code on the host. In the default installation, when QEMU is used with
libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2017-5667)

Li Qiang discovered that QEMU incorrectly handled the MegaRAID SAS device.
A privileged attacker inside the guest could use this issue to cause QEMU
to crash, resulting in a denial of service. (CVE-2017-5856)

Li Qiang discovered that QEMU incorrectly handled the CCID Card device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2017-5898)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller
emulation. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2017-5973)

Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI
device emulation. A privileged attacker inside the guest could use this
issue to cause QEMU to crash, resulting in a denial of service.
(CVE-2017-5987)

Li Qiang discovered that QEMU incorrectly handled USB OHCI controller
emulation. A privileged attacker inside the guest could use this issue to
cause QEMU to hang, resulting in a denial of service. (CVE-2017-6505)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  qemu-system                     1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-aarch64             1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-arm                 1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-mips                1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-misc                1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-ppc                 1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-s390x               1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-sparc               1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-x86                 1:2.6.1+dfsg-0ubuntu5.4

Ubuntu 16.04 LTS:
  qemu-system                     1:2.5+dfsg-5ubuntu10.11
  qemu-system-aarch64             1:2.5+dfsg-5ubuntu10.11
  qemu-system-arm                 1:2.5+dfsg-5ubuntu10.11
  qemu-system-mips                1:2.5+dfsg-5ubuntu10.11
  qemu-system-misc                1:2.5+dfsg-5ubuntu10.11
  qemu-system-ppc                 1:2.5+dfsg-5ubuntu10.11
  qemu-system-s390x               1:2.5+dfsg-5ubuntu10.11
  qemu-system-sparc               1:2.5+dfsg-5ubuntu10.11
  qemu-system-x86                 1:2.5+dfsg-5ubuntu10.11

Ubuntu 14.04 LTS:
  qemu-system                     2.0.0+dfsg-2ubuntu1.33
  qemu-system-aarch64             2.0.0+dfsg-2ubuntu1.33
  qemu-system-arm                 2.0.0+dfsg-2ubuntu1.33
  qemu-system-mips                2.0.0+dfsg-2ubuntu1.33
  qemu-system-misc                2.0.0+dfsg-2ubuntu1.33
  qemu-system-ppc                 2.0.0+dfsg-2ubuntu1.33
  qemu-system-sparc               2.0.0+dfsg-2ubuntu1.33
  qemu-system-x86                 2.0.0+dfsg-2ubuntu1.33

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.
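The update and restart steps above, together with the "isolated by the libvirt AppArmor profile" caveat that recurs through the Details section, as an added shell example that is not part of the Ubuntu notice or the AusCERT bulletin. It checks a host against the fixed versions the notice lists, finds VMs still running pre-update code, and reports qemu processes that are not under an enforcing AppArmor profile. Assumptions: a Linux host with /proc, GNU coreutils, and dpkg (with a `sort -V` fallback when dpkg is absent); the function names and the sample dpkg-query output are constructed for this example.

```shell
#!/bin/sh
# Added example for this bulletin; it is not part of USN-3261-1 or AusCERT's
# text. Host-side checks for what the advisory asks an operator to do:
#  1. confirm the qemu-system packages are at or above the fixed versions
#     listed under "Update instructions" for the host's Ubuntu release;
#  2. find VMs still running pre-update code after the upgrade (the advisory
#     says every QEMU VM must be restarted);
#  3. confirm the libvirt AppArmor confinement that the advisory relies on as
#     a mitigation is actually enforcing for each running qemu process.

# ver_lt A B: exit 0 if Debian version A is strictly older than B.
# Uses dpkg's own comparison when dpkg exists. The sort -V fallback (assumption:
# GNU coreutils) agrees with dpkg for the version strings in this advisory but
# is not a full implementation of Debian version ordering.
ver_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
            [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# fixed_version RELEASE: the fixed qemu version for an Ubuntu release, copied
# from the "Update instructions" section of USN-3261-1.
fixed_version() {
    case "$1" in
        16.10) echo "1:2.6.1+dfsg-0ubuntu5.4" ;;
        16.04) echo "1:2.5+dfsg-5ubuntu10.11" ;;
        14.04) echo "2.0.0+dfsg-2ubuntu1.33" ;;
        *) return 1 ;;
    esac
}

# outdated_packages RELEASE: reads "package version" lines on stdin (the shape
# of `dpkg-query -W -f '${Package} ${Version}\n' 'qemu-system*'`) and prints
# the names of packages whose installed version is older than the fix.
# Lines with an empty version (package known to dpkg but not installed) are
# skipped rather than reported.
outdated_packages() {
    fixed=$(fixed_version "$1") || { echo "unsupported release: $1" >&2; return 2; }
    while read -r pkg ver; do
        [ -n "$pkg" ] && [ -n "$ver" ] || continue
        if ver_lt "$ver" "$fixed"; then
            echo "$pkg"
        fi
    done
}

# stale_qemu_processes: PIDs of qemu-system processes whose executable on
# disk has been replaced since they started (the kernel appends "(deleted)"
# to the /proc/PID/exe link target). These VMs still run the old code and
# need a restart. Processes owned by other users are skipped unless run as root.
stale_qemu_processes() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *qemu-system*"(deleted)") pid=${exe#/proc/}; echo "${pid%/exe}" ;;
        esac
    done
}

# unconfined_qemu_processes: PID and AppArmor label of every qemu-system
# process that is not under an enforcing profile. The advisory's "isolated by
# the libvirt AppArmor profile" caveat only holds when this prints nothing.
unconfined_qemu_processes() {
    for dir in /proc/[0-9]*; do
        cmd=$(tr '\0' ' ' 2>/dev/null < "$dir/cmdline") || continue
        case "$cmd" in
            *qemu-system*) ;;
            *) continue ;;
        esac
        label=$(cat "$dir/attr/current" 2>/dev/null) || label="unknown"
        case "$label" in
            *"(enforce)"*) ;;
            *) echo "${dir#/proc/} $label" ;;
        esac
    done
}

# Constructed sample standing in for dpkg-query output on a 16.04 host where
# only qemu-system-x86 has been updated so far.
SAMPLE_16_04='qemu-system 1:2.5+dfsg-5ubuntu10.9
qemu-system-x86 1:2.5+dfsg-5ubuntu10.11
qemu-system-arm 1:2.5+dfsg-5ubuntu10.10'

# On a real host replace the sample with live data:
#   dpkg-query -W -f '${Package} ${Version}\n' 'qemu-system*' \
#       | outdated_packages "$(lsb_release -rs)"
echo "$SAMPLE_16_04" | outdated_packages 16.04
```

Run `stale_qemu_processes` as root after the upgrade; any PID it prints is a VM that still maps the old binary and has not been restarted, which is exactly the gap the last sentence of the update instructions warns about. `unconfined_qemu_processes` is the check behind the AppArmor caveat: a qemu process launched outside libvirt, or under a profile in complain mode, is not isolated the way the notice assumes.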

References:
  http://www.ubuntu.com/usn/usn-3261-1
  CVE-2016-10028, CVE-2016-10029, CVE-2016-10155, CVE-2016-7907,
  CVE-2016-8667, CVE-2016-8669, CVE-2016-9381, CVE-2016-9602,
  CVE-2016-9603, CVE-2016-9776, CVE-2016-9845, CVE-2016-9846,
  CVE-2016-9907, CVE-2016-9908, CVE-2016-9911, CVE-2016-9912,
  CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916,
  CVE-2016-9921, CVE-2016-9922, CVE-2017-2615, CVE-2017-2620,
  CVE-2017-2633, CVE-2017-5525, CVE-2017-5526, CVE-2017-5552,
  CVE-2017-5578, CVE-2017-5579, CVE-2017-5667, CVE-2017-5856,
  CVE-2017-5857, CVE-2017-5898, CVE-2017-5973, CVE-2017-5987,
  CVE-2017-6505

Package Information:
  https://launchpad.net/ubuntu/+source/qemu/1:2.6.1+dfsg-0ubuntu5.4
  https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.11
  https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.33

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----