Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 544
Alerts This Week
Warning Icon 1 544

Ubuntu 14.04 LTS: USN-2409-1 Critical: Multiple QEMU Security Issues

ubuntu
Calendar Grey November 13, 2014
Scroller Ubuntu Esm H88
A range of vulnerabilities discovered in QEMU pose significant risks across various Ubuntu releases and require immediate action.
Several security issues were fixed in QEMU.

Summary

Several security issues were fixed in QEMU.

Software Description:

- qemu: Machine emulator and virtualizer

- qemu-kvm: Machine emulator and virtualizer

Details:

Laszlo Ersek discovered that QEMU incorrectly handled memory in the vga

device. A malicious guest could possibly use this issue to read arbitrary

host memory. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.

(CVE-2014-3615)

Xavier Mehrenberger and Stephane Duverger discovered that QEMU incorrectly

handled certain udp packets when using guest networking. A malicious guest

could possibly use this issue to cause a denial of service. (CVE-2014-3640)

It was discovered that QEMU incorrectly handled parameter validation in

the vmware_vga device. A malicious guest could possibly use this issue to

write into memory of the host, leading to privilege escalation.

(CVE-2014-3689)

It was discovered that QEMU incorrectly handled USB xHCI controller live

migration. An attacker could possibly use thi...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  qemu-system                     2.1+dfsg-4ubuntu6.1
  qemu-system-aarch64             2.1+dfsg-4ubuntu6.1
  qemu-system-arm                 2.1+dfsg-4ubuntu6.1
  qemu-system-mips                2.1+dfsg-4ubuntu6.1
  qemu-system-misc                2.1+dfsg-4ubuntu6.1
  qemu-system-ppc                 2.1+dfsg-4ubuntu6.1
  qemu-system-sparc               2.1+dfsg-4ubuntu6.1
  qemu-system-x86                 2.1+dfsg-4ubuntu6.1

Ubuntu 14.04 LTS:
  qemu-system                     2.0.0+dfsg-2ubuntu1.7
  qemu-system-aarch64             2.0.0+dfsg-2ubuntu1.7
  qemu-system-arm                 2.0.0+dfsg-2ubuntu1.7
  qemu-system-mips                2.0.0+dfsg-2ubuntu1.7
  qemu-system-misc                2.0.0+dfsg-2ubuntu1.7
  qemu-system-ppc                 2.0.0+dfsg-2ubuntu1.7
  qemu-system-sparc               2.0.0+dfsg-2ubuntu1.7
  qemu-system-x86                 2.0.0+dfsg-2ubuntu1.7

Ubuntu 12.04 LTS:
  qemu-kvm                        1.0+noroms-0ubuntu14.19

Ubuntu 10.04 LTS:
  qemu-kvm                        0.12.3+noroms-0ubuntu9.25

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

https://ubuntu.com/security/notices/USN-2409-1

CVE-2014-3615, CVE-2014-3640, CVE-2014-3689, CVE-2014-5263,

CVE-2014-5388, CVE-2014-7815

Severity
critical
Lowest
Low
Medium
High
Critical

November 13, 2014

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.