===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1022
                            QEMU vulnerabilities
                               21 April 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           qemu-system
Publisher:         Ubuntu
Operating System:  Ubuntu
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Existing Account
                   Access Confidential Data        -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-6505 CVE-2017-5987 CVE-2017-5973
                   CVE-2017-5898 CVE-2017-5857 CVE-2017-5856
                   CVE-2017-5667 CVE-2017-5579 CVE-2017-5578
                   CVE-2017-5552 CVE-2017-5526 CVE-2017-5525
                   CVE-2017-2633 CVE-2017-2620 CVE-2017-2615
                   CVE-2016-10155 CVE-2016-10029 CVE-2016-10028
                   CVE-2016-9922 CVE-2016-9921 CVE-2016-9916
                   CVE-2016-9915 CVE-2016-9914 CVE-2016-9913
                   CVE-2016-9912 CVE-2016-9911 CVE-2016-9908
                   CVE-2016-9907 CVE-2016-9846 CVE-2016-9845
                   CVE-2016-9776 CVE-2016-9603 CVE-2016-9602
                   CVE-2016-9381 CVE-2016-8669 CVE-2016-8667
                   CVE-2016-7907

Reference:         ESB-2017.0637
                   ESB-2017.0606

Original Bulletin:
   http://www.ubuntu.com/usn/usn-3261-1

--------------------------BEGIN INCLUDED TEXT--------------------

==========================================================================
Ubuntu Security Notice USN-3261-1
April 20, 2017

qemu vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in QEMU.

Software Description:
- qemu: Machine emulator and virtualizer

Details:

Zhenhao Hong discovered that QEMU incorrectly handled the Virtio GPU device.
An attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 16.10. (CVE-2016-10028, CVE-2016-10029)

Li Qiang discovered that QEMU incorrectly handled the 6300esb watchdog. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-10155)

Li Qiang discovered that QEMU incorrectly handled the i.MX Fast Ethernet
Controller. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. This issue only
affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7907)

It was discovered that QEMU incorrectly handled the JAZZ RC4030 device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-8667)

It was discovered that QEMU incorrectly handled the 16550A UART device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-8669)

It was discovered that QEMU incorrectly handled the shared rings when used
with Xen. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly execute
arbitrary code on the host. (CVE-2016-9381)

Jann Horn discovered that QEMU incorrectly handled VirtFS directory sharing.
A privileged attacker inside the guest could use this issue to access files
on the host file system outside of the shared directory and possibly
escalate their privileges. In the default installation, when QEMU is used
with libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2016-9602)

Gerd Hoffmann discovered that QEMU incorrectly handled the Cirrus VGA device
when being used with a VNC connection.
A privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service, or possibly execute arbitrary code
on the host. In the default installation, when QEMU is used with libvirt,
attackers would be isolated by the libvirt AppArmor profile. (CVE-2016-9603)

It was discovered that QEMU incorrectly handled the ColdFire Fast Ethernet
Controller. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2016-9776)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An
attacker inside the guest could use this issue to cause QEMU to leak
contents of host memory. This issue only affected Ubuntu 16.04 LTS and
Ubuntu 16.10. (CVE-2016-9845, CVE-2016-9908)

Li Qiang discovered that QEMU incorrectly handled the Virtio GPU device. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 16.10. (CVE-2016-9846, CVE-2016-9912, CVE-2017-5552,
CVE-2017-5578, CVE-2017-5857)

Li Qiang discovered that QEMU incorrectly handled the USB redirector. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS
and Ubuntu 16.10. (CVE-2016-9907)

Li Qiang discovered that QEMU incorrectly handled USB EHCI emulation. An
attacker inside the guest could use this issue to cause QEMU to crash,
resulting in a denial of service. (CVE-2016-9911)

Li Qiang discovered that QEMU incorrectly handled VirtFS directory sharing.
A privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-9913, CVE-2016-9914,
CVE-2016-9915, CVE-2016-9916)

Qinghao Tang, Li Qiang, and Jiangxin discovered that QEMU incorrectly
handled the Cirrus VGA device.
A privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2016-9921, CVE-2016-9922)

Wjjzhang and Li Qiang discovered that QEMU incorrectly handled the Cirrus
VGA device. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service, or possibly execute
arbitrary code on the host. In the default installation, when QEMU is used
with libvirt, attackers would be isolated by the libvirt AppArmor profile.
(CVE-2017-2615)

It was discovered that QEMU incorrectly handled the Cirrus VGA device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service, or possibly execute arbitrary code
on the host. In the default installation, when QEMU is used with libvirt,
attackers would be isolated by the libvirt AppArmor profile. (CVE-2017-2620)

It was discovered that QEMU incorrectly handled VNC connections. An attacker
inside the guest could use this issue to cause QEMU to crash, resulting in a
denial of service. (CVE-2017-2633)

Li Qiang discovered that QEMU incorrectly handled the ac97 audio device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2017-5525)

Li Qiang discovered that QEMU incorrectly handled the es1370 audio device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2017-5526)

Li Qiang discovered that QEMU incorrectly handled the 16550A UART device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2017-5579)

Jiang Xin discovered that QEMU incorrectly handled SDHCI device emulation. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service, or possibly execute arbitrary code
on the host.
In the default installation, when QEMU is used with libvirt, attackers would
be isolated by the libvirt AppArmor profile. (CVE-2017-5667)

Li Qiang discovered that QEMU incorrectly handled the MegaRAID SAS device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2017-5856)

Li Qiang discovered that QEMU incorrectly handled the CCID Card device. A
privileged attacker inside the guest could use this issue to cause QEMU to
crash, resulting in a denial of service. (CVE-2017-5898)

Li Qiang discovered that QEMU incorrectly handled USB xHCI controller
emulation. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2017-5973)

Jiang Xin and Wjjzhang discovered that QEMU incorrectly handled SDHCI device
emulation. A privileged attacker inside the guest could use this issue to
cause QEMU to crash, resulting in a denial of service. (CVE-2017-5987)

Li Qiang discovered that QEMU incorrectly handled USB OHCI controller
emulation. A privileged attacker inside the guest could use this issue to
cause QEMU to hang, resulting in a denial of service.
(CVE-2017-6505)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 16.10:
  qemu-system                     1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-aarch64             1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-arm                 1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-mips                1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-misc                1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-ppc                 1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-s390x               1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-sparc               1:2.6.1+dfsg-0ubuntu5.4
  qemu-system-x86                 1:2.6.1+dfsg-0ubuntu5.4

Ubuntu 16.04 LTS:
  qemu-system                     1:2.5+dfsg-5ubuntu10.11
  qemu-system-aarch64             1:2.5+dfsg-5ubuntu10.11
  qemu-system-arm                 1:2.5+dfsg-5ubuntu10.11
  qemu-system-mips                1:2.5+dfsg-5ubuntu10.11
  qemu-system-misc                1:2.5+dfsg-5ubuntu10.11
  qemu-system-ppc                 1:2.5+dfsg-5ubuntu10.11
  qemu-system-s390x               1:2.5+dfsg-5ubuntu10.11
  qemu-system-sparc               1:2.5+dfsg-5ubuntu10.11
  qemu-system-x86                 1:2.5+dfsg-5ubuntu10.11

Ubuntu 14.04 LTS:
  qemu-system                     2.0.0+dfsg-2ubuntu1.33
  qemu-system-aarch64             2.0.0+dfsg-2ubuntu1.33
  qemu-system-arm                 2.0.0+dfsg-2ubuntu1.33
  qemu-system-mips                2.0.0+dfsg-2ubuntu1.33
  qemu-system-misc                2.0.0+dfsg-2ubuntu1.33
  qemu-system-ppc                 2.0.0+dfsg-2ubuntu1.33
  qemu-system-sparc               2.0.0+dfsg-2ubuntu1.33
  qemu-system-x86                 2.0.0+dfsg-2ubuntu1.33

After a standard system update you need to restart all QEMU virtual machines
to make all the necessary changes.
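
A check for the package versions listed above, as an added example that is not part of the Ubuntu notice or the AusCERT bulletin: it flags installed qemu-system* packages older than the fixed version, using a small Python port of Debian version ordering so that 10.9 sorts before 10.11. The function names and the sample inventory are constructed for illustration.

```python
import re

# Fixed qemu-system* versions per Ubuntu release, copied from USN-3261-1.
FIXED = {"16.10": "1:2.6.1+dfsg-0ubuntu5.4",
         "16.04": "1:2.5+dfsg-5ubuntu10.11",
         "14.04": "2.0.0+dfsg-2ubuntu1.33"}

def _order(c):
    # dpkg character ordering: '~' sorts first, letters before other symbols.
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_part(a, b):
    while a or b:
        # Compare the leading non-digit runs character by character.
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            d = _order(a[:1]) - _order(b[:1])
            if d:
                return d
            a, b = a[1:], b[1:]
        # Compare the leading digit runs as integers, not as strings.
        na, nb = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        d = int(na or 0) - int(nb or 0)
        if d:
            return d
        a, b = a[len(na):], b[len(nb):]
    return 0

def deb_cmp(x, y):
    """Negative if Debian version x is older than y, 0 if equal, else positive."""
    def split(v):
        epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
        upstream, rev = rest.rsplit("-", 1) if "-" in rest else (rest, "")
        return int(epoch), upstream, rev
    (ex, ux, rx), (ey, uy, ry) = split(x), split(y)
    return (ex - ey) or _cmp_part(ux, uy) or _cmp_part(rx, ry)

def unpatched(release, inventory):
    """Return qemu-system* packages in `inventory` older than the USN fix."""
    rows = (line.split() for line in inventory.splitlines())
    return [r[0] for r in rows if len(r) == 2 and r[0].startswith("qemu-system")
            and deb_cmp(r[1], FIXED[release]) < 0]

# Constructed sample in `dpkg-query -W 'qemu-system*'` format (package, version).
SAMPLE_1604 = ("qemu-system-x86\t1:2.5+dfsg-5ubuntu10.11\n"
               "qemu-system-arm\t1:2.5+dfsg-5ubuntu10.9\n"
               "qemu-system-ppc\t1:2.5+dfsg-5ubuntu10.6\n")
print(unpatched("16.04", SAMPLE_1604))
```

An empty result only covers the packages on disk; as the notice says, virtual machines that were already running must be restarted before the fix takes effect.
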

References:
  http://www.ubuntu.com/usn/usn-3261-1
  CVE-2016-10028, CVE-2016-10029, CVE-2016-10155, CVE-2016-7907,
  CVE-2016-8667, CVE-2016-8669, CVE-2016-9381, CVE-2016-9602,
  CVE-2016-9603, CVE-2016-9776, CVE-2016-9845, CVE-2016-9846,
  CVE-2016-9907, CVE-2016-9908, CVE-2016-9911, CVE-2016-9912,
  CVE-2016-9913, CVE-2016-9914, CVE-2016-9915, CVE-2016-9916,
  CVE-2016-9921, CVE-2016-9922, CVE-2017-2615, CVE-2017-2620,
  CVE-2017-2633, CVE-2017-5525, CVE-2017-5526, CVE-2017-5552,
  CVE-2017-5578, CVE-2017-5579, CVE-2017-5667, CVE-2017-5856,
  CVE-2017-5857, CVE-2017-5898, CVE-2017-5973, CVE-2017-5987,
  CVE-2017-6505

Package Information:
  https://launchpad.net/ubuntu/+source/qemu/1:2.6.1+dfsg-0ubuntu5.4
  https://launchpad.net/ubuntu/+source/qemu/1:2.5+dfsg-5ubuntu10.11
  https://launchpad.net/ubuntu/+source/qemu/2.0.0+dfsg-2ubuntu1.33

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.
It may not be updated when updates to the original are made. If downloading
at a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================