SB2017060609 - Multiple vulnerabilities in QEMU
Published: June 6, 2017 Updated: December 9, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 15 secuirty vulnerabilities.
1) Heap-based buffer overflow (CVE-ID: CVE-2016-9603)
The vulnerability allows a local user to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error in Cirrus CLGD 54xx VGA emulator's VNC display driver when a VNC client attempted to update its display after a VGA operation is performed by a guest. A local user inside a guest VM can trigger a hea-based buffer overflow and execute arbitrary code with privileges of the QEMU process.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) Missing Release of Resource after Effective Lifetime (CVE-ID: CVE-2017-7377)
The vulnerability allows a malicious guest to perform a denial of service attack.
The vulnerability exists due to an error within the v9fs_create() and v9fs_lcreate functions in hw/9pfs/9p.c in QEMU. A privileged user on the guest OS can consume all available file descriptors and perform a denial of service attack against the hypervisor.
3) Improper access control (CVE-ID: CVE-2017-7471)
Quick Emulator(Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing files on a shared host directory. A privileged user inside guest could use this flaw to access host file system beyond the shared folder and potentially escalating their privileges on a host.4) Improper access control (CVE-ID: CVE-2017-7493)
Quick Emulator (Qemu) built with the VirtFS, host directory sharing via Plan 9 File System(9pfs) support, is vulnerable to an improper access control issue. It could occur while accessing virtfs metadata files in mapped-file security mode. A guest user could use this flaw to escalate their privileges inside guest.5) Out-of-bounds read (CVE-ID: CVE-2017-7718)
hw/display/cirrus_vga_rop.h in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (out-of-bounds read and QEMU process crash) via vectors related to copying VGA data via the cirrus_bitblt_rop_fwd_transp_ and cirrus_bitblt_rop_fwd_ functions.6) Out-of-bounds write (CVE-ID: CVE-2017-7980)
Quick emulator(Qemu) built with the Cirrus CLGD 54xx VGA Emulator support is vulnerable to an out-of-bounds r/w access issues. It could occur while copying VGA data via various bitblt functions. A privileged user inside guest could use this flaw to crash the Qemu process resulting in DoS OR potentially execute arbitrary code on a host with privileges of Qemu process on the host.7) Memory leak (CVE-ID: CVE-2017-8086)
The vulnerability allows a local user to perform DoS attack on the target system.
The vulnerability exists due memory leak within the v9fs_list_xattr() function in hw/9pfs/9p-xattr.c. A local user can force the application to leak memory and perform denial of service attack.
8) Infinite loop (CVE-ID: CVE-2017-8112)
hw/scsi/vmw_pvscsi.c in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (infinite loop and CPU consumption) via the message ring page count.9) Memory corruption (CVE-ID: CVE-2017-8309)
Memory leak in the audio/audio.c in QEMU (aka Quick Emulator) allows remote attackers to cause a denial of service (memory consumption) by repeatedly starting and stopping audio capture.10) Memory corruption (CVE-ID: CVE-2017-8379)
Memory leak in the keyboard input event handlers support in QEMU (aka Quick Emulator) allows local guest OS privileged users to cause a denial of service (host memory consumption) by rapidly generating large keyboard events.11) Out-of-bounds read (CVE-ID: CVE-2017-8380)
Quick Emulator(Qemu) built with the MegaRAID SAS 8708EM2 Host Bus Adapter emulation support is vulnerable to an out-of-bounds read access issue. It could occur while performing a MMIO write operation. A privileged user inside guest could use this flaw to read host memory leading to potentially crash the Qemu process on the host.12) Memory corruption (CVE-ID: CVE-2017-9060)
Memory leak in the virtio_gpu_set_scanout function in hw/display/virtio-gpu.c in QEMU (aka Quick Emulator) allows local guest OS users to cause a denial of service (memory consumption) via a large number of "VIRTIO_GPU_CMD_SET_SCANOUT:" commands.13) Infinite loop (CVE-ID: CVE-2017-9310)
Qemu emulator built with the e1000e NIC emulation support is vulnerable to an infinite loop issue. It could occur while processing data via transmit or receive descriptors, provided the initial receive/transmit descriptor head(TDH/RDH) is set outside the allocated descriptor buffer. A privileged user inside guest could use this flaw to crash the Qemu instance resulting in DoS.14) Infinite loop (CVE-ID: CVE-2017-9330)
Quick Emulator built with the USB OHCI Emulation support is vulnerable to an infinite loop issue. It could occur while processing an endpoint list descriptor in ohci_service_ed_list(). A guest user/process could use this flaw to crash Qemu process resulting in DoS.15) Stack-based buffer overflow (CVE-ID: CVE-2017-2630)
The vulnerability allows a remote authenticated attacker to execute arbitrary code on the target system.
The vulnerability exists in Quick Emulator (QEMU) configured with network block device (NBD) client support due to improper processing of an NBD server's response to an NBD_OPT_LIST request sent from an affected NBD client. A remote attacker can trick the user on an NBD client into sending an NBD_OPT_LIST request to the attacker-controlled NBD serverб trigger stack-based buffer overflow and cause the service to crash or execute arbitrary code on the targeted NBD client with elevated privileges.
Remediation
Install update from vendor's website.
References
- http://git.qemu.org/?p=qemu.git;a=commit;h=50628d3479e4f9aa97e323506856e394fe7ad7a6
- http://git.qemu.org/?p=qemu.git;a=commit;h=d63fb193e71644a073b77ff5ac6f1216f2f6cf6e
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=9c6b899f7a46893ab3b671e341a2234e9c0c060e
- https://lists.gnu.org/archive/html/qemu-devel/2017-05/msg03663.html
- http://git.qemu.org/?p=qemu.git;a=commit;h=215902d7b6fb50c6fc216fc74f770858278ed904
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=ffaf857778286ca54e3804432a2369a279e73aa7
- http://git.qemu.org/?p=qemu.git;a=commit;h=4ffcdef4277a91af15a3c09f7d16af072c29f3f2
- https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04578.html
- https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05587.html
- https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg05599.html
- https://lists.gnu.org/archive/html/qemu-devel/2017-04/msg04147.html
- http://git.qemu.org/?p=qemu.git;a=commit;h=dd248ed7e204ee8a1873914e02b8b526e8f1b80d
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=4154c7e03fa55b4cf52509a83d50d6c09d743b7
- http://git.qemu.org/?p=qemu.git;a=commitdiff;h=26f670a244982335cc08943fb1ec099a2c81e42d
- https://lists.gnu.org/archive/html/qemu-devel/2017-03/msg01455.html