MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python

This Metasploit module exploits a vulnerability in Windows Object Linking and Embedding (OLE) that allows arbitrary code execution and bypasses the MS14-060 patch for the vulnerability publicly known as “Sandworm”, on systems with Python for Windows installed. Windows Vista SP2 through Windows 8, and Windows Server 2008 and 2012, are known to be vulnerable. Based on our testing, the most reliable setup is Windows running Office 2013 or Office 2010 SP2; other setups, such as Office 2010 SP1, may be less stable and can crash due to a failure in the CPackage::CreateTempFileName function.

USN-2409-1: QEMU vulnerabilities

Ubuntu Security Notice USN-2409-1

13th November, 2014

qemu, qemu-kvm vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in QEMU.

Software description

  • qemu
    – Machine emulator and virtualizer

  • qemu-kvm
    – Machine emulator and virtualizer

Details

Laszlo Ersek discovered that QEMU incorrectly handled memory in the vga
device. A malicious guest could possibly use this issue to read arbitrary
host memory. This issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10.
(CVE-2014-3615)

Xavier Mehrenberger and Stephane Duverger discovered that QEMU incorrectly
handled certain udp packets when using guest networking. A malicious guest
could possibly use this issue to cause a denial of service. (CVE-2014-3640)

It was discovered that QEMU incorrectly handled parameter validation in
the vmware_vga device. A malicious guest could possibly use this issue to
write into memory of the host, leading to privilege escalation.
(CVE-2014-3689)

It was discovered that QEMU incorrectly handled USB xHCI controller live
migration. An attacker could possibly use this issue to cause a denial of
service, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS. (CVE-2014-5263)

Michael S. Tsirkin discovered that QEMU incorrectly handled memory in the
ACPI PCI hotplug interface. A malicious guest could possibly use this issue
to access memory of the host, leading to information disclosure or
privilege escalation. This issue only affected Ubuntu 14.04 LTS.
(CVE-2014-5388)

James Spadaro discovered that QEMU incorrectly handled certain VNC
bytes_per_pixel values. An attacker having access to a VNC console could
possibly use this issue to cause a guest to crash, resulting in a denial of
service. (CVE-2014-7815)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  qemu-system-misc      2.1+dfsg-4ubuntu6.1
  qemu-system           2.1+dfsg-4ubuntu6.1
  qemu-system-aarch64   2.1+dfsg-4ubuntu6.1
  qemu-system-x86       2.1+dfsg-4ubuntu6.1
  qemu-system-sparc     2.1+dfsg-4ubuntu6.1
  qemu-system-arm       2.1+dfsg-4ubuntu6.1
  qemu-system-ppc       2.1+dfsg-4ubuntu6.1
  qemu-system-mips      2.1+dfsg-4ubuntu6.1

Ubuntu 14.04 LTS:
  qemu-system-misc      2.0.0+dfsg-2ubuntu1.7
  qemu-system           2.0.0+dfsg-2ubuntu1.7
  qemu-system-aarch64   2.0.0+dfsg-2ubuntu1.7
  qemu-system-x86       2.0.0+dfsg-2ubuntu1.7
  qemu-system-sparc     2.0.0+dfsg-2ubuntu1.7
  qemu-system-arm       2.0.0+dfsg-2ubuntu1.7
  qemu-system-ppc       2.0.0+dfsg-2ubuntu1.7
  qemu-system-mips      2.0.0+dfsg-2ubuntu1.7

Ubuntu 12.04 LTS:
  qemu-kvm              1.0+noroms-0ubuntu14.19

Ubuntu 10.04 LTS:
  qemu-kvm              0.12.3+noroms-0ubuntu9.25

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.
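Installing the fixed package does not change guests that are already running: dpkg writes the new qemu executable as a new file, and a guest process started before the update keeps executing the old, now unlinked, image until it is stopped and started again (or the host is rebooted, as the notice says). The kernel exposes this as a " (deleted)" suffix on the target of /proc/<pid>/exe, which is also what tools such as checkrestart from debian-goodies look for. The script below is an added example, not part of the Ubuntu notice, that lists guest PIDs still on the pre-update binary; the fake /proc tree it builds for its own self-test (PIDs 101, 202 and 303) is constructed and hypothetical.

```python
import os
import tempfile

# Process names (/proc/<pid>/comm, truncated to 15 chars by the kernel) that
# identify a qemu-system-* or qemu-kvm ("kvm") guest process.
QEMU_COMM_PREFIXES = ("qemu", "kvm")


def stale_qemu_pids(proc_root="/proc"):
    """Return sorted PIDs of QEMU guest processes still running a replaced binary.

    dpkg writes the updated executable as a new file, so a guest started before
    the update keeps executing the old, unlinked image. The kernel marks that by
    appending ' (deleted)' to the target of /proc/<pid>/exe; those guests have
    not picked up the fix until they are restarted.
    """
    stale = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(pid_dir, "comm")) as fh:
                comm = fh.read().strip()
            exe_target = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            # Process exited meanwhile, or exe is unreadable (run as root to
            # see guests owned by other users, e.g. libvirt-qemu).
            continue
        if not comm.startswith(QEMU_COMM_PREFIXES):
            continue
        if exe_target.endswith(" (deleted)"):
            stale.append(int(entry))
    return sorted(stale)


def build_fixture():
    """Build a constructed fake /proc tree (hypothetical PIDs, not a real host).

    PID 101: qemu guest still on the old, unlinked binary -> must be reported
    PID 202: qemu guest already started on the new binary -> fine
    PID 303: sshd on a replaced binary                    -> not a guest, ignored
    """
    root = tempfile.mkdtemp(prefix="fakeproc-")
    entries = {
        "101": ("qemu-system-x86", "/usr/bin/qemu-system-x86_64 (deleted)"),
        "202": ("qemu-system-x86", "/usr/bin/qemu-system-x86_64"),
        "303": ("sshd", "/usr/sbin/sshd (deleted)"),
    }
    for pid, (comm, exe_target) in entries.items():
        pid_dir = os.path.join(root, pid)
        os.mkdir(pid_dir)
        with open(os.path.join(pid_dir, "comm"), "w") as fh:
            fh.write(comm + "\n")
        # A dangling symlink is fine: we only ever read its target string.
        os.symlink(exe_target, os.path.join(pid_dir, "exe"))
    return root


if __name__ == "__main__":
    # Real scan of this host; run as root to see every guest.
    for pid in stale_qemu_pids():
        print("guest pid %d still runs the pre-update QEMU binary" % pid)
```

Run it as root after the upgrade; every PID it prints is a guest that must be shut down and started again (a plain guest reboot from inside the VM is not enough, since the qemu process on the host survives it).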

References

CVE-2014-3615
CVE-2014-3640
CVE-2014-3689
CVE-2014-5263
CVE-2014-5388
CVE-2014-7815

CVE-2014-7823 (libvirt)

The virDomainGetXMLDesc API in Libvirt before 1.2.11 allows remote read-only users to obtain the VNC password: requesting the VIR_DOMAIN_XML_MIGRATABLE flag internally turns on the VIR_DOMAIN_XML_SECURE flag, which is otherwise refused on a read-only connection.
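The practical check is to open a read-only connection, request the MIGRATABLE XML of a guest with a VNC password set, and confirm that no <graphics> element comes back with a passwd attribute. The code below is an added example, not libvirt's own code or test: graphics_passwords() inspects domain XML for leaked passwords, migratable_xml_passwords() drives the real call through libvirt-python (assumed installed; the domain name "guest1" and the URI in its docstring are placeholders), and the two XML samples are constructed to show what a vulnerable and a fixed daemon return.

```python
import xml.etree.ElementTree as ET


def graphics_passwords(domain_xml):
    """Return (graphics type, passwd) for every <graphics> element that carries
    a password attribute.

    libvirt only writes the passwd attribute into domain XML when
    VIR_DOMAIN_XML_SECURE is in effect, so a read-only client should never see
    one. A non-empty result from a read-only connection is the CVE-2014-7823 leak.
    """
    root = ET.fromstring(domain_xml)
    return [
        (g.get("type"), g.get("passwd"))
        for g in root.iter("graphics")
        if g.get("passwd") is not None
    ]


def migratable_xml_passwords(conn, domain_name):
    """Fetch the MIGRATABLE XML of `domain_name` over `conn` and check it.

    Assumes libvirt-python; the import is deferred so graphics_passwords()
    works without it. Intended use (assumed, not run here):
        conn = libvirt.openReadOnly("qemu:///system")
        migratable_xml_passwords(conn, "guest1")
    A fixed libvirtd returns [] here; a vulnerable one returns the password.
    """
    import libvirt  # assumption: libvirt-python is installed
    dom = conn.lookupByName(domain_name)
    xml = dom.XMLDesc(libvirt.VIR_DOMAIN_XML_MIGRATABLE)
    return graphics_passwords(xml)


# Constructed sample XML (not captured from a real libvirtd): what a vulnerable
# daemon handed to a read-only caller, and what a fixed one returns.
LEAKY_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <graphics type='vnc' port='5900' listen='127.0.0.1' passwd='s3cret'/>
  </devices>
</domain>"""

FIXED_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <graphics type='vnc' port='5900' listen='127.0.0.1'/>
  </devices>
</domain>"""
```

The same helper works for SPICE graphics, which use the same passwd attribute; only the type in the returned tuple differs.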