Stack-based buffer overflow in hw/scsi/scsi-bus.c in QEMU, when built with SCSI-device emulation support, allows guest OS users with CAP_SYS_RAWIO permissions to cause a denial of service (instance crash) via an invalid opcode in a SCSI command descriptor block.

Prasad J Pandit, Red Hat Product Security Team, reports :

Qemu emulator built with the SCSI device emulation support is vulnerable to a stack-based buffer overflow issue. It could occur while parsing SCSI command descriptor block with an invalid operation code.

A privileged(CAP_SYS_RAWIO) user inside guest could use this flaw to crash the Qemu instance resulting in DoS.

The remote host is affected by the vulnerability described in GLSA-201510-02 (QEMU: Arbitrary code execution)

    Heap-based buffer overflow has been found in QEMU&rsquo;s PCNET controller.
  Impact :

    A remote attacker could execute arbitrary code via a specially crafted       packets.
  Workaround :

    There is no known workaround at this time.

- Rebased to version 2.4.0 * Support for virtio-gpu, 2D     only * Support for virtio-based keyboard/mouse/tablet     emulation * x86 support for memory hot-unplug

  - ACPI v5.1 table support for 'virt' board *     CVE-2015-3209: pcnet: multi-tmd buffer overflow in the     tx path (bz #1230536) * CVE-2015-3214: i8254: out-of-     bounds memory access (bz #1243728) * CVE-2015-5158: scsi     stack-based buffer overflow (bz #1246025) *     CVE-2015-5154: ide: atapi: heap overflow during I/O     buffer memory access (bz #1247141) * CVE-2015-5165:
    rtl8139 uninitialized heap memory information leakage to     guest (bz #1249755) * CVE-2015-5166: BlockBackend object     use after free issue (bz #1249758) * CVE-2015-5745:
    buffer overflow in virtio- serial (bz #1251160)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Rebased to version 2.3.1

    - Fix crash in qemu_spice_create_display (bz #1163047)

    - Fix qemu-img map crash for unaligned image (bz       #1229394)

    - CVE-2015-3209: pcnet: multi-tmd buffer overflow in the       tx path (bz #1230536)

    - CVE-2015-3214: i8254: out-of-bounds memory access (bz       #1243728)

    - CVE-2015-5158: scsi stack-based buffer overflow (bz       #1246025)

    - CVE-2015-5154: ide: atapi: heap overflow during I/O       buffer memory access (bz #1247141)

    - CVE-2015-5166: BlockBackend object use after free       issue (bz #1249758)

    - CVE-2015-5745: buffer overflow in virtio-serial (bz       #1251160)

    - CVE-2015-5165: rtl8139 uninitialized heap memory       information leakage to guest (bz #1249755)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2692-1 advisory.

    Matt Tait discovered that QEMU incorrectly handled PIT emulation. In a non-default configuration, a     malicious guest could use this issue to cause a denial of service, or possibly execute arbitrary code on     the host as the user running the QEMU process. In the default installation, when QEMU is used with     libvirt, attackers would be isolated by the libvirt AppArmor profile. (CVE-2015-3214)

    Kevin Wolf discovered that QEMU incorrectly handled processing ATAPI commands. A malicious guest could use     this issue to cause a denial of service, or possibly execute arbitrary code on the host as the user     running the QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be     isolated by the libvirt AppArmor profile. (CVE-2015-5154)

    Zhu Donghai discovered that QEMU incorrectly handled the SCSI driver. A malicious guest could use this     issue to cause a denial of service, or possibly execute arbitrary code on the host as the user running the     QEMU process. In the default installation, when QEMU is used with libvirt, attackers would be isolated by     the libvirt AppArmor profile. This issue only affected Ubuntu 15.04. (CVE-2015-5158)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
87701	FreeBSD : qemu -- stack buffer overflow while parsing SCSI commands (a267cd6c-b0c4-11e5-8d13-bc5ff45d0f28)	Nessus	FreeBSD Local Security Checks	medium
86687	GLSA-201510-02 : QEMU: Arbitrary code execution	Nessus	Gentoo Local Security Checks	medium
85592	Fedora 23 : qemu-2.4.0-1.fc23 (2015-13358)	Nessus	Fedora Local Security Checks	medium
85480	Fedora 22 : qemu-2.3.1-1.fc22 (2015-13402)	Nessus	Fedora Local Security Checks	medium
85080	Ubuntu 14.04 LTS : QEMU vulnerabilities (USN-2692-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2015-5158

medium

Tenable Plugins

medium

medium

medium

medium

medium