Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 734
Alerts This Week
Warning Icon 1 734

Ubuntu: Critical QEMU Denial Of Service Fixes in Version 3826-1

ubuntu
Calendar Grey November 26, 2018
Dist Ubuntu Esm H88
A range of vital QEMU security updates for Ubuntu versions have been released, tackling denial of service vulnerabilities along with other significant concerns. Discover further details!
Several security issues were fixed in QEMU.

Summary

Several security issues were fixed in QEMU.

Software Description:

- qemu: Machine emulator and virtualizer

Details:

Daniel Shapira and Arash Tohidi discovered that QEMU incorrectly handled

NE2000 device emulation. An attacker inside the guest could use this issue

to cause QEMU to crash, resulting in a denial of service. (CVE-2018-10839)

It was discovered that QEMU incorrectly handled the Slirp networking

back-end. A privileged attacker inside the guest could use this issue to

cause QEMU to crash, resulting in a denial of service, or possibly execute

arbitrary code on the host. In the default installation, when QEMU is used

with libvirt, attackers would be isolated by the libvirt AppArmor profile.

This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu

18.04 LTS. (CVE-2018-11806)

Fakhri Zulkifli discovered that the QEMU guest agent incorrectly handled

certain QMP commands. An attacker could possibly use this issue to crash

the QEMU guest age...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 18.10:
  qemu-system                     1:2.12+dfsg-3ubuntu8.1
  qemu-system-arm                 1:2.12+dfsg-3ubuntu8.1
  qemu-system-mips                1:2.12+dfsg-3ubuntu8.1
  qemu-system-misc                1:2.12+dfsg-3ubuntu8.1
  qemu-system-ppc                 1:2.12+dfsg-3ubuntu8.1
  qemu-system-s390x               1:2.12+dfsg-3ubuntu8.1
  qemu-system-sparc               1:2.12+dfsg-3ubuntu8.1
  qemu-system-x86                 1:2.12+dfsg-3ubuntu8.1

Ubuntu 18.04 LTS:
  qemu-system                     1:2.11+dfsg-1ubuntu7.8
  qemu-system-arm                 1:2.11+dfsg-1ubuntu7.8
  qemu-system-mips                1:2.11+dfsg-1ubuntu7.8
  qemu-system-misc                1:2.11+dfsg-1ubuntu7.8
  qemu-system-ppc                 1:2.11+dfsg-1ubuntu7.8
  qemu-system-s390x               1:2.11+dfsg-1ubuntu7.8
  qemu-system-sparc               1:2.11+dfsg-1ubuntu7.8
  qemu-system-x86                 1:2.11+dfsg-1ubuntu7.8

Ubuntu 16.04 LTS:
  qemu-system                     1:2.5+dfsg-5ubuntu10.33
  qemu-system-aarch64             1:2.5+dfsg-5ubuntu10.33
  qemu-system-arm                 1:2.5+dfsg-5ubuntu10.33
  qemu-system-mips                1:2.5+dfsg-5ubuntu10.33
  qemu-system-misc                1:2.5+dfsg-5ubuntu10.33
  qemu-system-ppc                 1:2.5+dfsg-5ubuntu10.33
  qemu-system-s390x               1:2.5+dfsg-5ubuntu10.33
  qemu-system-sparc               1:2.5+dfsg-5ubuntu10.33
  qemu-system-x86                 1:2.5+dfsg-5ubuntu10.33

Ubuntu 14.04 LTS:
  qemu-system                     2.0.0+dfsg-2ubuntu1.44
  qemu-system-aarch64             2.0.0+dfsg-2ubuntu1.44
  qemu-system-arm                 2.0.0+dfsg-2ubuntu1.44
  qemu-system-mips                2.0.0+dfsg-2ubuntu1.44
  qemu-system-misc                2.0.0+dfsg-2ubuntu1.44
  qemu-system-ppc                 2.0.0+dfsg-2ubuntu1.44
  qemu-system-sparc               2.0.0+dfsg-2ubuntu1.44
  qemu-system-x86                 2.0.0+dfsg-2ubuntu1.44

After a standard system update you need to restart all QEMU virtual
machines to make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3826-1

CVE-2018-10839, CVE-2018-11806, CVE-2018-12617, CVE-2018-16847,

CVE-2018-17958, CVE-2018-17962, CVE-2018-17963, CVE-2018-18849,

CVE-2018-18954, CVE-2018-19364

Severity
critical
Lowest
Low
Medium
High
Critical

November 26, 2018

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.