Free and open-source vulnerability scanner

Mageni eases for you the vulnerability scanning, assessment, and management process. It is free and open-source.

Install Now

Available for macOS, Windows, and Linux

App screenshot

Debian LTS Advisory ([SECURITY] [DLA 842-1] qemu-kvm security update)

Information

Severity

Severity

Critical

Family

Family

Debian Local Security Checks

CVSSv2 Base

CVSSv2 Base

9.0

CVSSv2 Vector

CVSSv2 Vector

AV:N/AC:L/Au:S/C:C/I:C/A:C

Solution Type

Solution Type

Vendor Patch

Created

Created

6 years ago

Modified

Modified

5 years ago

Summary

Several vulnerabilities were discovered in qemu-kvm, a full virtualization solution for Linux hosts on x86 hardware with x86 guests. CVE-2017-2615 The Cirrus CLGD 54xx VGA Emulator in qemu-kvm is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data via bitblt copy in backward mode. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on the host with privileges of qemu-kvm process on the host. CVE-2017-2620 The Cirrus CLGD 54xx VGA Emulator in qemu-kvm is vulnerable to an out-of-bounds access issue. It could occur while copying VGA data in cirrus_bitblt_cputovideo. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on the host with privileges of qemu-kvm process on the host. CVE-2017-5898 The CCID Card device emulator support is vulnerable to an integer overflow flaw. It could occur while passing message via command/responses packets to and from the host. A privileged user inside guest could use this flaw to crash the qemu-kvm process on the host resulting in a DoS. This issue does not affect the qemu-kvm binaries in Debian but we apply the patch to the sources to stay in sync with the qemu package. CVE-2017-5973 The USB xHCI controller emulator support in qemu-kvm is vulnerable to an infinite loop issue. It could occur while processing control transfer descriptors' sequence in xhci_kick_epctx. A privileged user inside guest could use this flaw to crash the qemu-kvm process resulting in a DoS. This update also updates the fix CVE-2016-9921 since it was too strict and broke certain guests.

Affected Software

Affected Software

qemu-kvm on Debian Linux

Detection Method

Detection Method

This check tests the installed software version using the apt package manager.

Solution

Solution

For Debian 7 'Wheezy', these problems have been fixed in version 1.1.2+dfsg-6+deb7u20. We recommend that you upgrade your qemu-kvm packages.

Common Vulnerabilities and Exposures (CVE)