Introduction

Within a few weeks of VENOM vulnerability being published, we have 3 more similar vulnerabilities - related to QEMU:

CVE-2015-4103

Administrator of an untrusted VM, with direct/passthrough access granted to physical PCI devices, can use this vulnerability to cause lost device interrupts, or spurious interrupts directed at other VMs sharing the hardware. So one guest VM can cause DoS or other harmful effects on other guest VMs on the same hardware.

Xen advisory is at http://xenbits.xen.org/xsa/advisory-128.html

The code changes for XEN 4.4/4.5 is athttp://xenbits.xen.org/xsa/xsa128-qemut.patch

CVE-2015-4106

Another PCI passthrough vulnerability, with hardware logic not properly understood/implemented in this feature. Extensive code changes are required in the fix, as can be seen by the number of files touched by the patch.

Xen advisory is athttp://xenbits.xen.org/xsa/advisory-131.html

CVE-2015-3209

Emulated PCNET controller, when configured to allow processing of split frames, has a bug that causes an arbitrary large heap overflow. The split frame emulation is supported through use of 3 flags - packet start (TXSTATUS_STARTPACKET), packet end (TXSTATUS_ENDPACKET), and a flag indicating device should transmit the packet (TXSTATUS_DEVICEOWNS). Split frames require initial buffers to have packet start flag set and the other two reset, while the last buffer needs to have packet end and transmit flag set. In this scenario, it is possible to overflow the 4096-byte frame buffer with arbitrary size (< 4096-byte) overflow. This wouldn't be very scary, except that within 24 bytes of the frame buffer there is a function pointer that is used to flush the memory during the PCNET transmit operation (which is in action) thus reliably causing host system compromise.

Xen advisory is at http://xenbits.xen.org/xsa/advisory-135.html