SB2016101212 - SUSE Linux update for xen
Published: October 12, 2016
Description
This security bulletin contains information about 10 security vulnerabilities.
1) Improper access control (CVE-ID: CVE-2016-6258)
The vulnerability allows a local authenticated user to execute arbitrary code.
The PV pagetable code in arch/x86/mm.c in Xen 4.7.x and earlier allows local 32-bit PV guest OS administrators to gain host OS privileges by leveraging fast-paths for updating pagetable entries.
2) Use-after-free (CVE-ID: CVE-2016-6833)
The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.
Use-after-free vulnerability in the vmxnet3_io_bar0_write function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (QEMU instance crash) by leveraging failure to check if the device is active.
3) Resource management error (CVE-ID: CVE-2016-6834)
The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.
The net_tx_pkt_do_sw_fragmentation function in hw/net/net_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (infinite loop and QEMU process crash) via a zero length for the current fragment length.
4) Buffer overflow (CVE-ID: CVE-2016-6835)
The vulnerability allows a local privileged user to crash the entire system.
The vmxnet_tx_pkt_parse_headers function in hw/net/vmxnet_tx_pkt.c in QEMU (aka Quick Emulator) allows local guest OS administrators to cause a denial of service (buffer over-read) by leveraging failure to check IP header length.
5) Information disclosure (CVE-ID: CVE-2016-6836)
The vulnerability allows a local privileged user to gain access to sensitive information.
The vmxnet3_complete_packet function in hw/net/vmxnet3.c in QEMU (aka Quick Emulator) allows local guest OS administrators to obtain sensitive host memory information by leveraging failure to initialize the txcq_descr object.
6) NULL pointer dereference (CVE-ID: CVE-2016-6888)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via the maximum fragmentation count, which triggers an unchecked multiplication and NULL pointer dereference.
7) Privilege escalation (CVE-ID: CVE-2016-7092)
The vulnerability allows a local administrative user to gain elevated privileges on the host system. The vulnerability exists due to entry into L3 code in the 64-bit hypervisor by an administrative user of a 32-bit PV guest, which allows them to gain privileges on the target system.
Successful exploitation of this vulnerability will result in gaining elevated privileges by the guest attacker.
8) Access control error (CVE-ID: CVE-2016-7093)
The vulnerability allows a local user to gain elevated privileges on the host system. The vulnerability exists due to an instruction pointer truncation error that allows a local administrative user on an HVM guest system to gain privileges on the target system.
Successful exploitation of this vulnerability will result in gaining elevated privileges by the guest attacker.
9) Buffer overflow (CVE-ID: CVE-2016-7094)
The vulnerability allows a local privileged user to perform a denial of service (DoS) attack.
Buffer overflow in Xen 4.7.x and earlier allows local x86 HVM guest OS administrators on guests running with shadow paging to cause a denial of service via a pagetable update.
10) Denial of service (CVE-ID: CVE-2016-7154)
The vulnerability allows a local administrative user to gain elevated privileges and cause a denial of service on the host system. The vulnerability exists due to a specially crafted frame number being supplied to the EVTCHNOP_init_control() function, which allows an attacker to cause a use-after-free and a denial of service.
Successful exploitation of this vulnerability may allow a local user to gain privileges on the host system and trigger a denial of service.
Remediation
Install the update from the vendor's website.