Bug 978164 - VUL-0: CVE-2016-3710, CVE-2016-3712: xen: Guest escape via qemu VGA module (XSA-179)
Status: RESOLVED FIXED
Duplicates: 978167
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / OS: Other
Priority: P3 - Medium / Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/168557/
Whiteboard: maint:running:63081:important maint:r...
Depends on: 978167
Blocks:
Reported: 2016-05-03 07:53 UTC by Johannes Segitz
Modified: 2021-01-22 08:58 UTC (History)
Comment 2 Swamp Workflow Management 2016-05-03 22:00:28 UTC
bugbot adjusting priority
Comment 5 Johannes Segitz 2016-05-09 12:35:58 UTC
      Xen Security Advisory CVE-2016-3710,CVE-2016-3712 / XSA-179
                              version 4

 QEMU: Banked access to VGA memory (VBE) uses inconsistent bounds checks

UPDATES IN VERSION 4
====================

Public release.  Also include CVE and description of both issues.
(All advisories sent have included patches for both issues, but only
the description and CVE for the first issue.)

ISSUE DESCRIPTION
=================

The Qemu VGA module allows banked access to video memory through the
legacy window at 0xa0000, and it supports different access modes with
different address calculations.  But an attacker can easily change the
access mode after setting the bank register.  This is CVE-2016-3710.

The Qemu VGA module allows the guest to edit certain registers in 'vbe'
and 'vga' modes, i.e. the guest could set certain 'VGA' registers while
in 'VBE' mode.  This is CVE-2016-3712.


IMPACT
======

A privileged guest user could use CVE-2016-3710 to exceed the bank
address window and write beyond that memory area, potentially
leading to arbitrary code execution with the privileges of the Qemu
process.  If the system is not using stubdomains, this will be in
domain 0.

A privileged guest user could use CVE-2016-3712 to cause potential
integer overflow or OOB read access issues in Qemu, resulting in a DoS
of the guest itself.  More dangerous effects, such as data leakage or
code execution, are not known but cannot be ruled out.


VULNERABLE SYSTEMS
==================

Versions of qemu shipped with all Xen versions are vulnerable.

Xen systems running on x86 with HVM guests, with the qemu process
running in dom0 are vulnerable.

Only guests provided with the "stdvga" emulated video card can exploit
the vulnerability.  The default "cirrus" emulated video card is not
vulnerable.  (With xl the emulated video card is controlled by the
"stdvga=" and "vga=" domain configuration options.)

ARM systems are not vulnerable.  Systems using only PV guests are not
vulnerable.

For VMs whose qemu process is running in a stub domain, a successful
attacker will only gain the privileges of that stubdom, which should
be only over the guest itself.

Both upstream-based versions of qemu (device_model_version="qemu-xen")
and `traditional' qemu (device_model_version="qemu-xen-traditional")
are vulnerable.

MITIGATION
==========

Running only PV guests will avoid the issue.

Running HVM guests with the device model in a stubdomain will mitigate
the issue.

Changing the video card emulation to cirrus (stdvga=0, vga="cirrus",
in the xl domain configuration) will avoid the vulnerability.

CREDITS
=======

CVE-2016-3710 was discovered and reported by "Wei Xiao and Qinghao
Tang of 360 Marvel Team" of 360.cn Inc.

CVE-2016-3712 was discovered and reported by Zuozhi Fzz of Alibaba
Inc.

RESOLUTION
==========

Applying the appropriate attached patches resolves this issue for both
upstream-based (qemu-xen) and traditional (qemu-xen-traditional) qemu.
Patch 0001 addresses CVE-2016-3710, and patches 0002-0005 address
CVE-2016-3712.

qemu-upstream, xen-unstable:

xsa179-qemuu-unstable-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-unstable-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-unstable-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-unstable-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-unstable-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

qemu-upstream, xen 4.6:

xsa179-qemuu-4.6-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.6-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.6-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.6-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.6-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

qemu-upstream, xen 4.5:

xsa179-qemuu-4.5-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.5-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.5-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.5-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.5-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

qemu-upstream, xen 4.4:

xsa179-qemuu-4.4-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.4-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.4-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.4-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.4-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

qemu-upstream, xen 4.3:

xsa179-qemuu-4.3-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemuu-4.3-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemuu-4.3-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemuu-4.3-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemuu-4.3-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch

qemu-xen-traditional, unstable:

xsa179-qemut-unstable-0001-vga-fix-banked-access-bounds-checking-CVE-2016-3710.patch
xsa179-qemut-unstable-0002-vga-add-vbe_enabled-helper.patch
xsa179-qemut-unstable-0003-vga-factor-out-vga-register-setup.patch
xsa179-qemut-unstable-0004-vga-update-vga-register-setup-on-vbe-changes.patch
xsa179-qemut-unstable-0005-vga-make-sure-vga-register-setup-for-vbe-stays-intac.patch
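The inconsistency the advisory describes for CVE-2016-3710 (a bounds check on the 64 KiB bank window that is applied before the bank offset is added, while the access mode chosen afterwards scales the offset again) is shown below as an added C model written for this page. It is not QEMU's hw/display/vga.c, not one of the XSA-179 patches, and not part of the bug report; the struct, helper names, the 16 MiB VRAM size and the three access modes are assumptions chosen for the illustration. The "hardened" variant only mirrors the principle of patch 0001 (bound the final, mode-scaled offset), not its exact code.

```c
/*
 * Added model of the CVE-2016-3710 bounds-check inconsistency (XSA-179).
 * Written for this page; NOT QEMU's vga.c and not an XSA-179 patch.
 * VRAM size, struct layout and helper names are assumptions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define VRAM_SIZE  0x1000000u   /* 16 MiB emulated VRAM (assumed)        */
#define BANK_SHIFT 16           /* VBE bank granularity: 64 KiB          */

/* Access mode the guest selects through the sequencer memory-mode and
 * graphics-controller mode registers; it can be changed at any time. */
enum access_mode {
    MODE_CHAIN4,    /* linear byte addressing                */
    MODE_ODD_EVEN,  /* text-mode mapping: index is doubled   */
    MODE_LATCHED    /* planar latched access: uint32_t index */
};

struct vga_model {
    uint32_t bank_offset;   /* VBE bank register, stored as bank << 16 */
    enum access_mode mode;
};

/* VBE bank write: the bank is clamped so bank << 16 stays inside VRAM.
 * This clamp is what makes the window check below look sufficient. */
static void vbe_set_bank(struct vga_model *s, uint32_t bank)
{
    uint32_t bank_mask = (VRAM_SIZE >> BANK_SHIFT) - 1;
    if (bank > bank_mask)
        bank = bank_mask;
    s->bank_offset = bank << BANK_SHIFT;
}

/* Mode-dependent scaling applied after the bank offset has been added. */
static uint32_t scale_for_mode(enum access_mode mode, uint32_t addr)
{
    switch (mode) {
    case MODE_CHAIN4:   return addr;
    case MODE_ODD_EVEN: return ((addr & ~1u) << 1) | (addr & 1u);
    case MODE_LATCHED:  return addr * (uint32_t)sizeof(uint32_t);
    }
    return addr;
}

/* Vulnerable translation: the only bound is the 64 KiB window check, made
 * before the bank offset is added and before the per-mode scaling.
 * Returns the byte offset that would be dereferenced in VRAM. */
static uint32_t translate_vulnerable(const struct vga_model *s,
                                     uint32_t addr, bool *served)
{
    addr &= 0x1ffff;                    /* legacy window at 0xa0000 */
    if (addr >= 0x10000) {              /* banked 64 KiB mapping   */
        *served = false;
        return 0;
    }
    addr += s->bank_offset;             /* in bounds as a byte offset... */
    *served = true;
    return scale_for_mode(s->mode, addr);   /* ...not after scaling */
}

/* Hardened translation: bound the final scaled offset against VRAM. */
static uint32_t translate_hardened(const struct vga_model *s,
                                   uint32_t addr, bool *served)
{
    uint32_t off = translate_vulnerable(s, addr, served);
    if (*served && off >= VRAM_SIZE) {
        *served = false;                /* reject instead of dereferencing */
        return 0;
    }
    return off;
}

/* Attacker sequence from the advisory: program the highest valid bank,
 * then switch the access mode, then touch the last byte of the window. */
static struct vga_model attacker_setup(enum access_mode mode)
{
    struct vga_model s = { 0, MODE_CHAIN4 };
    vbe_set_bank(&s, 0xffffffffu);      /* clamped to the last 64 KiB bank */
    s.mode = mode;                      /* mode switch after the bank write */
    return s;
}

/* Byte offset the vulnerable code would dereference for that sequence. */
uint32_t vulnerable_offset_after_mode_switch(enum access_mode mode)
{
    struct vga_model s = attacker_setup(mode);
    bool served;
    return translate_vulnerable(&s, 0xffff, &served);
}

/* True when the hardened translation refuses the same access. */
bool hardened_rejects_after_mode_switch(enum access_mode mode)
{
    struct vga_model s = attacker_setup(mode);
    bool served;
    translate_hardened(&s, 0xffff, &served);
    return !served;
}

int main(void)
{
    static const char *names[] = { "chain4", "odd/even", "latched" };
    for (int m = MODE_CHAIN4; m <= MODE_LATCHED; m++) {
        uint32_t off = vulnerable_offset_after_mode_switch((enum access_mode)m);
        printf("%-8s offset 0x%08x %s VRAM (0x%08x); hardened %s\n", names[m],
               off, off < VRAM_SIZE ? "inside " : "OUTSIDE", VRAM_SIZE,
               hardened_rejects_after_mode_switch((enum access_mode)m)
                   ? "rejects" : "serves");
    }
    return 0;
}
```

With the bank register at its clamped maximum the chain-4 access lands on the last byte of VRAM and is legitimate; switching to odd/even or latched mode after the bank write pushes the same guest-visible address to roughly two or four times the VRAM size, which is the out-of-window write the advisory's IMPACT section describes. The check that matters is the one on the offset actually used to index VRAM, after every mode-dependent transformation.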
Comment 6 Johannes Segitz 2016-05-10 08:26:06 UTC
*** Bug 978167 has been marked as a duplicate of this bug. ***
Comment 7 Johannes Segitz 2016-05-10 08:35:34 UTC
is public
Comment 8 Alexander Bergmann 2016-05-15 21:24:55 UTC
As these issues are qemu related, the CVEs come from the related bugs.

CVE-2016-3710: bug 978158
CVE-2016-3712: bug 978160
Comment 9 Swamp Workflow Management 2016-08-17 16:13:36 UTC
SUSE-SU-2016:2093-1: An update that solves 27 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,957986,958848,961600,963161,964427,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990843,990923
CVE References: CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    xen-4.5.3_08-17.1
SUSE Linux Enterprise Server 12-SP1 (src):    xen-4.5.3_08-17.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    xen-4.5.3_08-17.1
Comment 10 Swamp Workflow Management 2016-08-18 16:14:34 UTC
SUSE-SU-2016:2100-1: An update that solves 26 vulnerabilities and has 16 fixes is now available.

Category: security (important)
Bug References: 954872,955399,957986,958848,961600,963161,964427,967630,973188,974038,974912,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,985503,986586,988675,989235,990843,990923
CVE References: CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xen-4.4.4_07-37.1
SUSE Linux Enterprise Server 11-SP4 (src):    xen-4.4.4_07-37.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xen-4.4.4_07-37.1
Comment 11 Charles Arnold 2016-10-03 17:49:25 UTC
Submitted for,

SLE-11-SP1
SLE-11-SP2
SLE-11-SP3
SLE-11-SP4
SLE-12
SLE-12-SP1
Comment 12 Swamp Workflow Management 2016-10-11 17:13:30 UTC
openSUSE-SU-2016:2494-1: An update that solves 46 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 900418,949889,953339,953362,953518,954872,955104,958848,959330,959552,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,988676,990500,990843,990923,990970,991934,992224,993665,994421,994625,994761,994772,994775,995785,995789,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2015-7512,CVE-2015-8504,CVE-2015-8558,CVE-2015-8568,CVE-2015-8613,CVE-2015-8743,CVE-2016-1714,CVE-2016-1981,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6259,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094
Sources used:
openSUSE Leap 42.1 (src):    xen-4.5.3_10-15.2
Comment 13 Swamp Workflow Management 2016-10-11 17:24:19 UTC
openSUSE-SU-2016:2497-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.

Category: security (important)
Bug References: 953339,953362,953518,954872,955399,958848,961100,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
openSUSE 13.2 (src):    xen-4.4.4_05-49.1
Comment 14 Swamp Workflow Management 2016-10-13 18:09:27 UTC
SUSE-SU-2016:2528-1: An update that fixes 16 vulnerabilities is now available.

Category: security (important)
Bug References: 973188,974038,975130,975138,978164,978295,980716,980724,981264,982960,983984,988675,995785,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4439,CVE-2016-4441,CVE-2016-4480,CVE-2016-5238,CVE-2016-5338,CVE-2016-6258,CVE-2016-7092,CVE-2016-7094
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    xen-4.1.6_08-29.1
Comment 15 Swamp Workflow Management 2016-10-13 19:13:36 UTC
SUSE-SU-2016:2533-1: An update that solves 38 vulnerabilities and has 20 fixes is now available.

Category: security (important)
Bug References: 953339,953362,953518,954872,955399,957986,958848,961600,963161,964427,970135,971949,973188,973631,974038,975130,975138,975907,976058,976111,978164,978295,978413,979035,979620,979670,980716,980724,981264,981276,982024,982025,982026,982224,982225,982286,982695,982960,983973,983984,984981,985503,986586,988675,990843,990923,990970,991934,992224,994421,994625,994761,994772,994775,995785,995789,995792,997731
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4020,CVE-2016-4037,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-4952,CVE-2016-4962,CVE-2016-4963,CVE-2016-5105,CVE-2016-5106,CVE-2016-5107,CVE-2016-5126,CVE-2016-5238,CVE-2016-5337,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-6833,CVE-2016-6834,CVE-2016-6835,CVE-2016-6836,CVE-2016-6888,CVE-2016-7092,CVE-2016-7093,CVE-2016-7094,CVE-2016-7154
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    xen-4.4.4_04-22.22.2
SUSE Linux Enterprise Server 12-LTSS (src):    xen-4.4.4_04-22.22.2
Comment 16 Swamp Workflow Management 2016-11-04 14:13:37 UTC
SUSE-SU-2016:2725-1: An update that solves 21 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 954872,961600,963161,973188,973631,974038,975130,975138,976470,978164,978295,978413,980716,980724,981264,982224,982225,982960,983984,985503,988675,990843,990923,995785,995792
CVE References: CVE-2014-3615,CVE-2014-3672,CVE-2016-3158,CVE-2016-3159,CVE-2016-3710,CVE-2016-3712,CVE-2016-3960,CVE-2016-4001,CVE-2016-4002,CVE-2016-4439,CVE-2016-4441,CVE-2016-4453,CVE-2016-4454,CVE-2016-4480,CVE-2016-5238,CVE-2016-5338,CVE-2016-5403,CVE-2016-6258,CVE-2016-6351,CVE-2016-7092,CVE-2016-7094
Sources used:
SUSE OpenStack Cloud 5 (src):    xen-4.2.5_21-27.1
SUSE Manager Proxy 2.1 (src):    xen-4.2.5_21-27.1
SUSE Manager 2.1 (src):    xen-4.2.5_21-27.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    xen-4.2.5_21-27.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    xen-4.2.5_21-27.1
Comment 17 Swamp Workflow Management 2016-11-30 13:01:15 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-12-07.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63236
Comment 18 Marcus Meissner 2016-12-22 11:53:47 UTC
released